译 - Bitcoin: A Peer-to-Peer Electronic Cash System

《Bitcoin: A Peer-to-Peer Electronic Cash System》 翻译过来是《 比特币：一种点对点的电子现金系统》 ，这篇文章是比特币的发明人中本聪于 2008 年发表的比特币白皮书。这篇文章介绍了比特币的设计背景，讲述了比特币的工作原理，是加密货币，区块链领域必读的一篇文章，其中讲述了很多巧妙的构思。作者翻译水平有限，翻译的语句可能会有一些出入，建议有能力的读者还是去阅读一下原文。

0、摘要

A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they’ll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.

本文提出了一种完全通过点对点（对等）技术实现的电子现金系统，它使得在线支付能够直接由一方发起并支付给另外一方，中间不需要通过任何的金融机构。数字签名提供了部分解决方案，但是如果仍然需要第三方的支持才能防止双重支付的话，那么这种系统也就失去了存在的价值。 我们提出了一种使用对等网络来解决双重支付问题的方法。该网络通过随机散列对全部交易加上时间戳， 将它们合并入一个不断延伸的基于随机散列的工作量证明的链条上作为交易记录，除非重新完成全部的工作量证明，否则已经形成的交易记录将不可更改。最长的链不仅可以证明所见证的事件顺序，还可以证明它来自最大的 CPU 算力池。只要大部分的 CPU 计算能力没有打算合作起来对全网进行攻击，那么它们就会生成最长的链并超过攻击者。这个网络本身需要的结构非常少。信息尽最大努力在全网广播，节点可以随意离开和重新加入网络，并接受最长的工作量证明链作为他们离开时发生的事情的证明。

1、介绍

Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. While the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes. The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for nonreversible services. With the possibility of reversal, the need for trust spreads. Merchants must be wary of their customers, hassling them for more information than they would otherwise need. A certain percentage of fraud is accepted as unavoidable. These costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party.

互联网上的贸易几乎完全依赖于可信赖的第三方金融机构来处理电子支付信息。尽管该系统在大多数交易情况下都运行良好，但它仍然受限于基于信任的模型的固有弱点的约束。我们无法实现完全不可逆的交易，因为金融机构总是不可避免地会出面协调争端。调解开销增加了交易的成本，并限制了最小实际交易规模，也限制了小额临时交易的可能性，更大的问题在于失去了为不可逆服务进行不可逆支付的能力。因为有潜在的退款的可能性，因此需要提高交易双方的信任度。而商家就必须时刻提防着自己的客户，因此就会向客户索取他们本来不需要的个人信息。商业行为中一定比例的欺诈通常是不可避免的。这些成本和支付的不确定性可以通过使用实物货币来避免，但是不存在在没有可信方的情况下使用通信渠道进行支付的机制。

What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party. Transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers. In this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions. The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes.

所以我们需要的是一种基于密码证明而非信任的电子支付系统，它允许任何的双方自愿与对方进行交易，而无需受信任的第三方。在计算上无法逆转（无法回退）的交易将保护卖家免受欺诈，并且使用常规的合约机制也可以来保护买家。在本文中，我们提出了一种通过使用点对点分布式时间戳服务器生成有序时间的电子交易证明来解决双重支出问题的方法。只要诚实的节点所控制的计算能力的总和，大于任何合作的攻击者计算能力的总和，该系统就是安全的。

2、交易

We define an electronic coin as a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. A payee can verify the signatures to verify the chain of ownership.

我们定义一枚电子硬币就是一个数字签名链。每个所有者通过对先前交易的哈希值和下一个所有者的公钥进行数字签名并将它们添加到硬币的末尾来将硬币转移到下一位所有者。收款者可以校验签名从而验证链的所有权。

The problem of course is the payee can’t verify that one of the owners did not double-spend the coin. A common solution is to introduce a trusted central authority, or mint, that checks every transaction for double spending. After each transaction, the coin must be returned to the mint to issue a new coin, and only coins issued directly from the mint are trusted not to be double-spent. The problem with this solution is that the fate of the entire money system depends on the company running the mint, with every transaction having to go through them, just like a bank.

该问题的关键在于，收款人很难校验之前的某位所有者是否对这枚电子货币进行了双重支付。通常的解决方案是引入信得过的类似于造币厂的第三方权威机构，它会检查每笔交易是否存在双重支付。每次交易后，必须将币返还给造币厂并发行新币，只有造币厂直接发行的币才可信，这样能够防止双重支付。这个解决方案的问题在于，整个货币系统的命运依赖于运作造币厂的公司，因为每一笔交易都要经过它们，（造币厂）就像银行一样。

We need a way for the payee to know that the previous owners did not sign any earlier transactions. For our purposes, the earliest transaction is the one that counts, so we don’t care about later attempts to double-spend. The only way to confirm the absence of a transaction is to be aware of all transactions. In the mint based model, the mint was aware of all transactions and decided which arrived first. To accomplish this without a trusted party, transactions must be publicly announced [1], and we need a system for participants to agree on a single history of the order in which they were received. The payee needs proof that at the time of each transaction, the majority of nodes agreed it was the first received.

我们需要一种方法让收款人知道以前的所有者没有签署任何早期的交易。就我们的目的而言，最早的交易才是最重要的，因此我们不关心之后的操作是否存在双重支付。确认一个不存在的交易的唯一方法是了解所有的交易。在造币厂模型中，造币厂知道所有的交易，并且决定交易的先后顺序。为了在没有受信任的第三方的情况下实现这一点，交易必须公开宣布 [1] ，我们需要一个系统让参与者就收到交易的顺序的单一历史达成一致。收款人需要证明在每次交易时，大多数的节点都同意它是第一个收到的。

3、时间戳服务器

The solution we propose begins with a timestamp server. A timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash, such as in a newspaper or Usenet post [2-5]. The timestamp proves that the data must have existed at the time, obviously, in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.

我们提出的解决方案开始于时间戳服务器。时间戳的工作原理是获取要加盖时间戳的项目块的散列值，并广泛发布该散列值，例如在报纸或者 Usenet 中发帖 [2-5]。时间戳证明了数据在对应时刻是一定存在的，因此才能获取到对应的随机散列值。每个时间戳都在其哈希值中包含前一个时间戳，之后每一个时间戳都会加强它之前的时间戳，这就形成了一个链条。

4、工作证明

To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proof-of-work system similar to Adam Back’s Hashcash [6], rather than newspaper or Usenet posts. The proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash.

为了在点对点（对等）的基础上构建分布式的时间戳服务器，我们需要使用类似于 Adam Back 的 哈希现金（Hashcash） [6] 的工作证明系统，而不是像报纸或 Usenet 的帖子。工作量证明涉及到扫描一个散列后的值，该值在散列时（例如使用 SHA-256 ）以多个零位开始。所需的平均工作量与所需的零位数量成指数关系，并且可以通过执行单个散列来进行验证。

For our timestamp network, we implement the proof-of-work by incrementing a nonce in the block until a value is found that gives the block’s hash the required zero bits. Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.

对于我们的时间戳网络，我们能通过在块中随机增加一个随机数并且直到找到对应块散列所需要的零位的方式来实现了工作证明。只要该 CPU 耗费的工作量能够满足该工作量证明机制，那么除非重新完成相当的工作量，该区块的信息就不可更改。由于之后的块是被链接在该区块之后的，因此想要更改该区块中的信息就还需要重做之后所有区块的全部工作量。

The proof-of-work also solves the problem of determining representation in majority decision making. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote. The majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it. If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. To modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes. We will show later that the probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added.

工作量证明还解决了在决策中确定大多数的问题。如果决定大多数的方式是基于 IP 地址的，一个 IP 地址一票，那么如果有人拥有分配大量 IP地址的权利，则该机制就会被破坏了。工作量证明本质上是一个 CPU 一票。多数决定由最长的链来确定，因为最长的链中包含了最大的工作量。如果大多数 CPU 能力由诚实的节点控制，那么诚实链将增长的最快并超过任何的竞争链。要修改过去的区块，攻击者必须重做该区块及后所有区块的工作量证明，然后赶上并超越诚实节点的工作量。稍后我们将展示，随着后续块的添加，较慢的攻击者能够赶上的概率将呈指数下降。

To compensate for increasing hardware speed and varying interest in running nodes over time, the proof-of-work difficulty is determined by a moving average targeting an average number of blocks per hour. If they’re generated too fast, the difficulty increases.

为了补偿不断增加的硬件速度和参与网络计算节点的数量波动，工作量证明的难度将由移动的平均线决定，其目标是每小时的平均块数。如果区块生成的速度过快，那么难度就会提高。

5、网络

The steps to run the network are as follows:

运行该网络的步骤如下：

1. New transactions are broadcast to all nodes.
2. Each node collects new transactions into a block.
3. Each node works on finding a difficult proof-of-work for its block.
4. When a node finds a proof-of-work, it broadcasts the block to all nodes.
5. Nodes accept the block only if all transactions in it are valid and not already spent.
6. Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.

1. 新的交易向全部节点进行广播；
2. 每一个节点都将收到的交易信息纳入一个区块中；
3. 每个节点都尝试在自己的区块中找到一个具有足够难度的工作量证明；
4. 当一个节点找到了一个工作量证明，它就会广播给全部节点；
5. 当且仅当包含在该区块中的所有交易都是有效的并且之前没有存在过，其他节点才会认同该区块的有效性；
6. 其他节点表示它们接受该区块，并在跟随该区块的末尾制造出新的区块来延长该链条，使用已经接收到的散列值作为新区块的上一个散列值。

Nodes always consider the longest chain to be the correct one and will keep working on extending it. If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first. In that case, they work on the first one they received, but save the other branch in case it becomes longer. The tie will be broken when the next proofof-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one.

节点始终认为最长的链是正确的链，并将继续努力扩展它。 如果两个节点同时广播不同版本的新区块，其他节点在接收到该区块的时间上可能有先后的区别。 在这种情况下，它们将会处理收到的第一个区块，但也会保存另一个区块以防止它后续成为最长的链。该僵局的打破要等到下一个工作量证明被发现，而其中的一条链条被证实为较长的一条，那么在另一条分支链条上工作的节点将转换阵营，开始在较长的链条上工作。

New transaction broadcasts do not necessarily need to reach all nodes. As long as they reach many nodes, they will get into a block before long. Block broadcasts are also tolerant of dropped messages. If a node does not receive a block, it will request it when it receives the next block and realizes it missed one.

新的交易广播不一定需要到达所有节点。 只要它们到达很多节点，它们很快就会进入一个区块。 块广播也可以容忍丢失消息。 如果一个节点没有收到一个块，它会在收到下一个块时意识到它错过了一个块并请求获取它。

6、激励

By convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. This adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them. The steady addition of a constant of amount of new coins is analogous to gold miners expending resources to add gold to circulation. In our case, it is CPU time and electricity that is expended.

按照惯例，区块中的第一笔交易是一项特殊交易，它产生了一枚由该区块创建者拥有的新的电子货币。这样就增加了节点支持该网络的激励，并在没有中央机构来发行他们的情况下，提供了一种将电子货币分配到流通领域的一种方法。这种将一定数量的新货币持续增添到货币系统中的方法，类似于黄金矿工消耗资源挖掘金矿来增加黄金的流通量。在这歌场景中，我们消耗的是 CPU 时间和电力。

The incentive can also be funded with transaction fees. If the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction. Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free.

另一个激励的来源则是交易费用。 如果某笔交易的输出值小于其输入值，则差额就是交易费用，该费用会添加到包含该交易的区块的激励值中。 一旦预定数量的代币开始流通，那么激励机制就可以逐渐转换为完全依靠交易费，以至于能够避免出现通货膨胀。

The incentive may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.

激励系统也有助于鼓励节点保持诚实。 如果一个贪婪的攻击者能够聚集比所有诚实节点更多的 CPU 能力，那么他就面临一个选择：要么将其用于诚实工作产生新的电子货币，或者将其用于进行二次支付攻击。那么他就会发现，遵守规则更有利可图，这些规则有利于他获得比其他人加起来更多的新硬币，而不是破坏系统使其自身财富的有效性受损。

7、回收硬盘空间

Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. To facilitate this without breaking the block’s hash, transactions are hashed in a Merkle Tree [7] [2] [5], with only the root included in the block’s hash. Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes do not need to be stored.

如果最近的交易已经被纳入了足够多的区块之中，那么就可以丢弃该交易之前的数据以回收硬盘空间。为了同时确保不损害区块的随机散列值，交易信息被随机散列后构建成一 种 Merkle 树 [7] [2] [5] 的形态，只有根包含在区块的哈希中。 然后可以通过砍掉树的分支来压缩旧块。 不需要存储内部散列。

A block header with no transactions would be about 80 bytes. If we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year. With computer systems typically selling with 2GB of RAM as of 2008, and Moore’s Law predicting current growth of 1.2GB per year, storage should not be a problem even if the block headers must be kept in memory.

一个没有交易的区块头大约有 80 个字节。 如果我们假设每 10 分钟生成一次块，则每年 80 字节 * 6 * 24 * 365 = 4.2MB。 截至 2008 年，计算机系统通常配备 2GB RAM，并且摩尔定律预测当前每年增长 1.2GB，因此即使块头必须保存在内存中，存储也应该不是问题。

8、简化付款验证

It is possible to verify payments without running a full network node. A user only needs to keep a copy of the block headers of the longest proof-of-work chain, which he can get by querying network nodes until he’s convinced he has the longest chain, and obtain the Merkle branch linking the transaction to the block it’s timestamped in. He can’t check the transaction for himself, but by linking it to a place in the chain, he can see that a network node has accepted it, and blocks added after it further confirm the network has accepted it.

可以在不运行完整网络节点的情况下验证支付。 用户只需要保留一份最长工作量证明链的区块头副本，它就可以不断通过查询网络节点，直到它确信它拥有最长的链，并能够通过 Merkle 的分支通向它被加上时间戳并纳入区块的那次交易。节点想要自行检验该交易的有效性是不可能的，但是通过追溯到链条的某个位置，它就能看到某个节点曾经接受过它，并在进一步确认网络已接受后续添加的区块。

As such, the verification is reliable as long as honest nodes control the network, but is more vulnerable if the network is overpowered by an attacker. While network nodes can verify transactions for themselves, the simplified method can be fooled by an attacker’s fabricated transactions for as long as the attacker can continue to overpower the network. One strategy to protect against this would be to accept alerts from network nodes when they detect an invalid block, prompting the user’s software to download the full block and alerted transactions to confirm the inconsistency. Businesses that receive frequent payments will probably still want to run their own nodes for more independent security and quicker verification.

因此，只要诚实节点控制网络，校验机制就是可靠的，如果网络被攻击者制伏则更容易受到攻击。 虽然网络节点可以自己验证交易，但只要攻击者可以继续压倒网络，简化的方法就可以被攻击者伪造的交易所愚弄。 防止这种情况的一种策略是在网络节点检测到无效块时接受来自网络节点的警报，提示用户的软件下载完整块和警报交易以确认不一致。 经常收到付款的企业可能仍希望运行自己的节点以获得更独立的安全性和更快的验证。

9、合并和拆分值

Although it would be possible to handle coins individually, it would be unwieldy to make a separate transaction for every cent in a transfer. To allow value to be split and combined, transactions contain multiple inputs and outputs. Normally there will be either a single input from a larger previous transaction or multiple inputs combining smaller amounts, and at most two outputs: one for the payment, and one returning the change, if any, back to the sender.

尽管可以单独处理硬币，但为转账中的每一分钱都进行单独交易会很笨拙。 为了允许拆分和组合价值，交易包含多个输入和输出。 通常会有来自先前较大交易的单个输入或组合较小金额的多个输入，并且最多有两个输出：一个用于支付，另一个将找零（如果有）返回给发送者。

It should be noted that fan-out, where a transaction depends on several transactions, and those transactions depend on many more, is not a problem here. There is never the need to extract a complete standalone copy of a transaction’s history.

应该注意的是，扇出（一个事务依赖于多个事务，而这些事务又依赖于更多事务）在这里不是问题。 永远不需要获取交易历史的完整独立副本。

10、隐私

The traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party. The necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. This is similar to the level of information released by stock exchanges, where the time and size of individual trades, the “tape”, is made public, but without telling who the parties were.

传统的银行业务模型通过限制相关方和受信任的第三方对信息的访问来实现一定程度的隐私。但是如果将交易信息向全网进行广播，就意味着这样的方法失效了，但是隐私依然可以得到保护：将公钥保持为匿名。公众可以看到有人正在向其他人汇款，但是很难将交易同特定的人联系在一起。这类似于证券交易所发布的信息级别，其中公开了个人交易的时间和大小，即 “录音带” ，但没有说明当事人是谁。

As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner. Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.

作为额外的防火墙，每个交易都应该使用一个新的密钥对，以防止它们被链接到一个共同的所有者。 对于多输入交易，一定程度的追溯仍然是不可避免的，这必然表明它们的输入属于同一所有者。 风险在于，如果所有者的密钥被泄露，那么就可以追溯出此人的其它很多交易。

11、计算

We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain. Even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker. Nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them. An attacker can only try to change one of his own transactions to take back money he recently spent.

我们考虑攻击者试图生成比诚实链更快的替代链的场景。 即使做到了这一点，这也不会使系统能够接受任意的更改，例如凭空创造价值或拿走不属于攻击者的钱。 这是因为节点不会接受无效的交易，而诚实的节点永远不会接受一个包含了无效信息的区块。一个攻击者能做的，最多是更改他自己的交易信息，并试图拿回他刚刚付给别人的钱。

The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk. The success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attacker’s chain being extended by one block, reducing the gap by -1.

诚实链和攻击者链之间的竞争可以被描述为二叉树随机漫步（Binomial Random Walk）。 成功事件是诚实链被延长一个区块，领先优势增加一，失败事件是攻击者的链被延长一个区块，差距减少一。

The probability of an attacker catching up from a given deficit is analogous to a Gambler’s Ruin problem. Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven. We can calculate the probability he ever reaches breakeven, or that an attacker ever catches up with the honest chain, as follows [8]:

攻击者成功填补某一既定差距的可能性，可以近似地看做赌徒破产问题（Gambler’s Ruin problem）。假定一个赌徒拥有无限的透支信用，然后开始进行潜在次数为无穷的赌博，试图填补上自己的亏空。那么我们可以计算他填补上亏空的概率，也就是该攻击者赶上诚实链条， 如下所示 [8] ：

• p = probability an honest node finds the next block
• q = probability the attacker finds the next block
• qz = probability the attacker will ever catch up from z blocks behind

• p = 诚实节点制造出下一个节点的概率
• q = 攻击者制造出下一个节点的概率
• qz = 攻击者最终消弭了z个区块的落后差距

Given our assumption that p > q, the probability drops exponentially as the number of blocks the attacker has to catch up with increases. With the odds against him, if he doesn’t make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind.

假定 p > q，那么攻击成功的概率就因为区块数的增长而呈现指数化下降。由于概率是攻击者的敌人，如果他不能幸运且快速地获得成功，那么他获得成功的机会随着时间的流逝就变得愈发渺茫。

We now consider how long the recipient of a new transaction needs to wait before being sufficiently certain the sender can’t change the transaction. We assume the sender is an attacker who wants to make the recipient believe he paid him for a while, then switch it to pay back to himself after some time has passed. The receiver will be alerted when that happens, but the sender hopes it will be too late.

那么我们考虑一个收款人需要等待多长时间，才能足够确信付款人已经难以更改交易了。我们假设付款人是一个支付攻击者，希望让收款人在一段时间内相信他已经付过款了， 然后立即将支付的款项重新支付给自己。虽然收款人届时会发现这一点，但为时已晚。

The receiver generates a new key pair and gives the public key to the sender shortly before signing. This prevents the sender from preparing a chain of blocks ahead of time by working on it continuously until he is lucky enough to get far enough ahead, then executing the transaction at that moment. Once the transaction is sent, the dishonest sender starts working in secret on a parallel chain containing an alternate version of his transaction.

收款人生成了新的一对密钥组合，然后只预留一个较短的时间将公钥发送给付款人。这将可以防止以下情况：付款人预先准备好一个区块链然后持续地对此区块进行运算，直到运气让他的区块链超越了诚实链条，方才立即执行支付。当此情形，只要交易一旦发出，攻击者就开始秘密地准备一条包含了该交易替代版本的平行链条。

The recipient waits until the transaction has been added to a block and z blocks have been linked after it. He doesn’t know the exact amount of progress the attacker has made, but assuming the honest blocks took the average expected time per block, the attacker’s potential progress will be a Poisson distribution with expected value:

然后收款人将等待交易出现在首个区块中，然后在等到z个区块链接其后。此时，他仍然不能确切知道攻击者已经进展了多少个区块，但是假设诚实区块将耗费平均预期时间以产生一个区块，那么攻击者的潜在进展就是一个泊松分布，分布的期望值为：

To get the probability the attacker could still catch up now, we multiply the Poisson density for each amount of progress he could have made by the probability he could catch up from that point:

当此情形，为了计算攻击者追赶上的概率，我们将攻击者取得进展区块数量的泊松分布的概率密度，乘以在该数量下攻击者依然能够追赶上的概率。

Rearranging to avoid summing the infinite tail of the distribution…

化为如下形式，避免对无限数列求和：

Converting to C code…

写为如下C语言代码：

#include <math.h>
double AttackerSuccessProbability(double q, int z)
{
    double p = 1.0 - q;
    double lambda = z * (q / p);
    double sum = 1.0;
    int i, k;
    for (k = 0; k <= z; k++)
    {
        double poisson = exp(-lambda);
        for (i = 1; i <= k; i++)
            poisson *= lambda / i;
        sum -= poisson * (1 - pow(q / p, z - k));
    }
    return sum;
}

Running some results, we can see the probability drop off exponentially with z.

对其进行运算，我们可以得到如下的概率结果，发现概率对 z 值呈指数下降。

q=0.1
z=0 P=1.0000000
z=1 P=0.2045873
z=2 P=0.0509779
z=3 P=0.0131722
z=4 P=0.0034552
z=5 P=0.0009137
z=6 P=0.0002428
z=7 P=0.0000647
z=8 P=0.0000173
z=9 P=0.0000046
z=10 P=0.0000012
q=0.3
z=0 P=1.0000000
z=5 P=0.1773523
z=10 P=0.0416605
z=15 P=0.0101008
z=20 P=0.0024804
z=25 P=0.0006132
z=30 P=0.0001522
z=35 P=0.0000379
z=40 P=0.0000095
z=45 P=0.0000024
z=50 P=0.0000006

Solving for P less than 0.1%…

求解令 P 小于 0.1% 的 z 值：

P < 0.001
q=0.10 z=5
q=0.15 z=8
q=0.20 z=11
q=0.25 z=15
q=0.30 z=24
q=0.35 z=41
q=0.40 z=89
q=0.45 z=340

12、结论

We have proposed a system for electronic transactions without relying on trust. We started with the usual framework of coins made from digital signatures, which provides strong control of ownership, but is incomplete without a way to prevent double-spending. To solve this, we proposed a peer-to-peer network using proof-of-work to record a public history of transactions that quickly becomes computationally impractical for an attacker to change if honest nodes control a majority of CPU power. The network is robust in its unstructured simplicity. Nodes work all at once with little coordination. They do not need to be identified, since messages are not routed to any particular place and only need to be delivered on a best effort basis. Nodes can leave and rejoin the network at will, accepting the proof-of-work chain as proof of what happened while they were gone. They vote with their CPU power, expressing their acceptance of valid blocks by working on extending them and rejecting invalid blocks by refusing to work on them. Any needed rules and incentives can be enforced with this consensus mechanism.

我们在此提出了一种不需要信用中介的电子支付系统。我们首先讨论了通常的电子货币的电子签名原理，虽然这种系统为所有权提供了强有力的控制，但是不足以防止双重支付。为了解决这个问题，我们提出了一种采用工作量证明机制的点对点网络来记录交易的公开信息，只要诚实的节点能够控制绝大多数的 CPU 计算能力，就能使得攻击者事实上难以改变交易记录。该网络的强健之处在于它结构上的简洁性。节点之间的工作大部分是彼此独立的，只需要很少的协同。每个节点都不需要明确自己的身份，由于交易信息的流动路径并无任何要求，所以只需要尽其最大努力传播即可。节点可以随时离开网络，而想重新加入网络也非常容易，因为只需要补充接收离开期间的工作量证明链条即可。节点通过自己的 CPU 计算力进行投票，表决他们对有效区块的确认，他们不断延长有效的区块链来表达自己的确认，并拒绝在无效的区块之后延长区块以表示拒绝。本框架包含了一个 P2P 电子货币系统所需要的全部规则和激励措施。

13、参考

[1] W. Dai, “b-money,” http://www.weidai.com/bmoney.txt, 1998
[2] H. Massias, X.S. Avila, and J.-J. Quisquater, “Design of a secure timestamping service with minimal trust requirements,” In 20th Symposium on Information Theory in the Benelux, May 1999.
[3] S. Haber, W.S. Stornetta, “How to time-stamp a digital document,” In Journal of Cryptology, vol 3, no 2, pages 99-111, 1991.
[4] D. Bayer, S. Haber, W.S. Stornetta, “Improving the efficiency and reliability of digital time-stamping,” In Sequences II: Methods in Communication, Security and Computer Science, pages 329-334, 1993.
[5] S. Haber, W.S. Stornetta, “Secure names for bit-strings,” In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 28-35, April 1997.
[6] A. Back, “Hashcash - a denial of service counter-measure,” http://www.hashcash.org/papers/hashcash.pdf, 2002.
[7] R.C. Merkle, “Protocols for public key cryptosystems,” In Proc. 1980 Symposium on Security and Privacy, IEEE Computer Society, pages 122-133, April 1980.
[8] W. Feller, “An introduction to probability theory and its applications,” 1957.

参考链接

• https://nakamotoinstitute.org/static/docs/bitcoin-zh-cn.pdf