
Reading the Bitcoin White Paper

Author: Samehada

Date: 2023/01/07

Paper: "Bitcoin: A Peer-to-Peer Electronic Cash System"

Copyright notice: this article is released under the BY-NC-SA license; please credit the source when reposting.

1. Introduction

On November 1, 2008, the Bitcoin white paper, "Bitcoin: A Peer-to-Peer Electronic Cash System", appeared out of nowhere and introduced the world to an entirely new monetary system, Bitcoin. Fifteen years on, the white paper has acquired a somewhat mythical aura; for many people it has become something like scripture, as if before Bitcoin the world of cryptocurrency lay in endless night. That attitude gets in the way of understanding Bitcoin. The white paper is better read as a scientific paper or a product specification, nothing more; nobody anticipated that its publication would change the course of the world.

(figure: bitcoin_title)

Before Satoshi Nakamoto, the problem of trust in peer-to-peer communication had been attacked from several technical directions, cryptography, timestamping and hashcash among them, and researchers had already published electronic currencies with some of those characteristics. In 2008 Satoshi stood on the shoulders of that prior work, distilled it, and made the key breakthrough that produced the electronic cash system he had in mind. Its release coincided with nationwide inflation in the United States caused by the government's excessive money printing. Bitcoin was born at a bad time, and also at exactly the right one.

2. Abstract

In the abstract, Satoshi gets straight to the point and states the purpose of the Bitcoin system:

A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution.

Bitcoin's goal is to use peer-to-peer technology to build an electronic cash system in which online payments are made without a financial intermediary and without requiring the two parties to trust each other.

Satoshi then names the core problem the system must solve, double-spending (not expanded on here for reasons of space):

Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending.

The paper says that digital signatures provide part of the solution to double-spending, and the Bitcoin system does use them, but if a third party were still needed on top of that the design would be rather pointless. In practice, everyday digital assets rely on trusted third parties such as banks, Alipay and WeChat Pay; these institutions manage accounts centrally and prevent double-spending by updating account balances in real time.

In the real world people pay enormous fees for third-party verification of their transactions: there are more than 7.5 billion people worldwide, daily transaction volume reaches the trillions, and the cost of centralized administration is extracted from those transactions. This is what the paper means by "the main benefits are lost".

We propose a solution to the double-spending problem using a peer-to-peer network.

So what the Bitcoin system has to do is solve double-spending in a decentralized way, transferring digital assets peer to peer without a trusted third party; Satoshi's proposal is a solution based on a peer-to-peer network.

The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work.

Satoshi's peer-to-peer network timestamps transactions: it hashes them into a continuously growing chain of proof-of-work, and that chain cannot be changed without redoing the large amount of work already done. The work here consists mainly of computing a hash that meets a required condition.

The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power.

Because of the proof-of-work design, the longest chain in the Bitcoin system is not only the sequence of transaction events but also evidence that it was produced by the largest pool of CPU power.

As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers.

Because the longest chain is the product of the most CPU power, as long as the majority of CPU power is not controlled by malicious nodes, the honest nodes will keep generating the longest valid chain and extend it faster than the malicious nodes can extend their competing chain, so the attack fails. This is the prototype of the famous 51% attack, and it makes me wonder whether "the majority is always right" is really reasonable in some emergency situations.

The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.

The Bitcoin network's structure is very simple; with no central server it needs very little structure. Each node just packages transactions as widely as it can and propagates them towards the longest valid chain. A node can leave the system at any time, since other nodes are packaging the same transactions and trying to get them onto the chain, and it can rejoin at any time, simply accepting the longest chain and continuing to work.

Summary: using digital signatures, randomized hashing, hash algorithms, proof-of-work and dynamic chained storage, Satoshi designed a set of mechanisms that let Bitcoin operate without a trusted third party, solving the double-spending and record-tampering problems of electronic payment, and argued that the system is secure, effective, stable and workable.

3. Overview

Chapter 1 of the paper is the introduction, in which Satoshi describes the shortcomings of the traditional online transaction model and formally proposes the Bitcoin system.

Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. While the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model.

Satoshi points out that online commerce today relies heavily on financial institutions acting as trusted third parties. This model has inherent weaknesses: the high transaction costs and the transaction reversibility discussed below.

Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes.

Here the paper notes that because financial institutions cannot avoid mediating disputes between buyer and seller, completely irreversible transactions are impossible under the existing model. How should we understand this? The two parties usually lack sufficient trust, so if one side is unhappy after the transaction the institution has to act as arbitrator to settle the dispute: the buyer returns the goods, the merchant refunds, and so online transactions are reversible. But some transactions, in services or catering for instance, need to be irreversible; refunding a service that has already been consumed invites endless wrangling.

With the possibility of reversal, the need for trust spreads. Merchants must be wary of their customers, hassling them for more information than they would otherwise need. A certain percentage of fraud is accepted as unavoidable.

Because buyers and sellers do not trust each other enough, behaviour such as malicious returns means a transaction may be cancelled. Merchants therefore feel insecure and demand large amounts of information from customers to build a fragile trust and reduce the chance of reversal. This is the first weakness of traditional online transactions: reversibility.

These costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party.

The paper goes on to say that the cost of mediating disputes and the uncertainty of payment raise the overall cost of transacting, and that no mechanism currently exists for making a payment without a trusted third party, other than exchanging cash for goods face to face. This is the second weakness of traditional transactions: high transaction cost.

What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party.

Both weaknesses of traditional online transactions stem from mutual distrust, so what is needed is an electronic payment system that builds consensus on cryptography; a consensus with that kind of credibility lets two parties who do not trust each other transact directly, with no third party.

Transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers.

Computational irreversibility protects the seller's interests, and routine escrow mechanisms are easy to implement to protect the buyer's.

In this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions.

The paper then turns back to the double-spending problem it has mentioned several times already: Satoshi proposes a peer-to-peer distributed timestamp server that generates computational proof of the chronological order of transactions.

The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes.

As long as nodes and hash power are sufficiently dispersed and honest nodes control more CPU power than malicious ones, the system is always secure.

To summarize, current electronic transaction mechanisms have two weaknesses:

  1. Transactions mediated by a third-party institution raise transaction costs.

  2. Because irreversible transactions do not exist, transactions demand a high level of credit and far too much information is collected about the buyer.

So the paper proposes an electronic transaction system built on cryptographic consensus rather than trust, which lets transactions complete without a third-party institution.

4. Transactions

In Chapter 2 Satoshi introduces a very important concept in the Bitcoin system: transaction accounting. For any electronic currency system, how payments are made and received and how transaction records are stored is the first-order question.

We define an electronic coin as a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. A payee can verify the signatures to verify the chain of ownership.

Satoshi says: we define an electronic coin as a chain of digital signatures. Each owner transfers the coin to the next by signing a hash of the previous transaction and the public key of the next owner and appending that signature to the end of the coin. The payee can then verify the signatures to confirm the chain of ownership.

Signing the hash of the previous transaction shows that the owner actually received these coins, and that the coins can be traced back. Signing the hash of the next owner's public key shows that the current owner is transferring them to that next owner.

Now focus on the middle transaction in the figure, a transfer from Owner 1 to Owner 2. Reading from top to bottom, the transaction contains the hash of the previous transaction and the hash of Owner 2's public key, which is in effect Owner 2's receiving address; finally Owner 1's private key signs the transfer. Owner 2 can use Owner 1's public key to verify that the signature really is Owner 1's.
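To make the chain-of-signatures idea concrete, here is an added example (my own illustration, not code from the white paper or from Bitcoin). It uses a Lamport one-time signature built from SHA-256 as a stand-in for the paper's unspecified signature scheme, so that it runs with the Python standard library alone; the names issue, transfer and verify_chain are mine. The payee check at the end verifies exactly what the paper describes, the chain of ownership, and deliberately nothing more: it cannot tell whether an owner also signed the same coin over to someone else, which is the gap the next paragraphs address.

```python
import hashlib
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signatures (hash-based) ---------------------------------
# Assumption: a stand-in for the white paper's unspecified signature scheme so
# the example needs only the standard library. Each key must sign only once.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def sign(sk, msg: bytes):
    d = int.from_bytes(H(msg), "big")
    # Reveal one secret per message bit; the other secret of each pair stays hidden.
    return [sk[i][(d >> (255 - i)) & 1] for i in range(256)]


def verify(pk, msg: bytes, sig) -> bool:
    d = int.from_bytes(H(msg), "big")
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][(d >> (255 - i)) & 1] for i in range(256)
    )


def pk_bytes(pk) -> bytes:
    return b"".join(a + b for a, b in pk)


# --- The coin as a chain of signatures ----------------------------------------
def signed_body(tx) -> bytes:
    # What the current owner signs: hash of the previous tx + next owner's public key.
    return tx["prev_hash"] + pk_bytes(tx["next_pk"])


def tx_hash(tx) -> bytes:
    return H(signed_body(tx) + b"".join(tx["sig"]))


def issue(first_owner_pk):
    # Coin creation: nothing earlier to reference, nothing to sign (like a coinbase).
    return {"prev_hash": b"\x00" * 32, "next_pk": first_owner_pk, "sig": []}


def transfer(prev_tx, owner_sk, next_pk):
    # The current owner appends a signed link handing the coin to next_pk.
    tx = {"prev_hash": tx_hash(prev_tx), "next_pk": next_pk, "sig": []}
    tx["sig"] = sign(owner_sk, signed_body(tx))
    return tx


def verify_chain(coin) -> bool:
    """The payee's check: every transfer links to its predecessor and is signed by
    the owner that predecessor designated. Does NOT detect double-spends."""
    for prev, tx in zip(coin, coin[1:]):
        if tx["prev_hash"] != tx_hash(prev):
            return False
        if not verify(prev["next_pk"], signed_body(tx), tx["sig"]):
            return False
    return True


def demo():
    (sk0, pk0), (sk1, pk1), (_, pk2) = keygen(), keygen(), keygen()
    coin = [issue(pk0)]
    coin.append(transfer(coin[-1], sk0, pk1))   # Owner 0 -> Owner 1
    coin.append(transfer(coin[-1], sk1, pk2))   # Owner 1 -> Owner 2
    return coin


def forged_chain():
    # An outsider rewrites the recipient of the last transfer without Owner 1's key;
    # the existing signature no longer covers the altered body, so the chain fails.
    coin = demo()
    _, thief_pk = keygen()
    bad = dict(coin[-1])
    bad["next_pk"] = thief_pk
    return coin[:-1] + [bad]


if __name__ == "__main__":
    print("honest chain verifies:", verify_chain(demo()))
    print("forged chain verifies:", verify_chain(forged_chain()))
```

Owner 2 (the payee) runs verify_chain over the whole coin; every link back to issuance must carry a valid signature by the owner the previous link named. Nothing here stops Owner 1 from producing a second, equally valid link to a third party, which is why the paper next asks how the payee can know no earlier transaction was signed.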

The problem of course is the payee can't verify that one of the owners did not double-spend the coin. A common solution is to introduce a trusted central authority, or mint, that checks every transaction for double spending. After each transaction, the coin must be returned to the mint to issue a new coin, and only coins issued directly from the mint are trusted not to be double-spent. The problem with this solution is that the fate of the entire money system depends on the company running the mint, with every transaction having to go through them, just like a bank.

With digital signatures the payee can already verify the payer's identity, but cannot verify whether the payer has double-spent, that is, whether the payer has also paid these same coins to someone else. The usual solution is to introduce a trusted third party such as a central bank or mint, responsible for issuing, settling and auditing transactions.

We need a way for the payee to know that the previous owners did not sign any earlier transactions. For our purposes, the earliest transaction is the one that counts, so we don't care about later attempts to double-spend. The only way to confirm the absence of a transaction is to be aware of all transactions.

That would solve double-spending, but Bitcoin's mission is to stop depending on third-party financial intermediaries, so the alternative is to let the payee see all of the payer's other transactions before this one. The payee can then judge whether the payer has any earlier suspicious transactions that would amount to a double-spend.

To accomplish this without a trusted party, transactions must be publicly announced, and we need a system for participants to agree on a single history of the order in which they were received.

If the system is not to rely on any third party to audit the ledger, all transaction data must be public. Every node monitors and maintains a common ledger and reaches a single-history consensus on the order in which transactions were received, so that in the end there is exactly one valid, time-ordered record of accounts, published for all to see. This is Bitcoin's distributed ledger.

Summary: digital signatures verify the payer's identity but cannot detect double-spending. The decentralized solution to double-spending is to publish the data and broadcast it to the whole network, with everyone maintaining the same valid ledger.

5. Timestamp Server

Chapter 3, the timestamp server, is just one short paragraph and one figure.

The solution we propose begins with a timestamp server. A timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash, such as in a newspaper or Usenet post. The timestamp proves that the data must have existed at the time, obviously, in order to get into the hash.

The paper says the timestamp server timestamps the hash of a block containing transaction data, incorporating the time into the block, and then publishes these hashes to the network.

Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.

The paper adds that the hash of each timestamped block includes the information of the previously timestamped block, so each new timestamp reinforces the existence of the one before it.

(figure: bitcoin_tx)

Summary: time bears witness to everything. The blocks are linked tightly in chronological order like a chronicle and synchronized to every node, so historical block data is practically impossible to tamper with: changing one block means changing the hashes of every block generated after it, and then getting the majority of nodes to agree.

6. Proof-of-Work

Chapter 4 brings us to Proof-of-Work. The ledger, as noted above, is maintained jointly by all the distributed nodes, which immediately raises the question of who gets to write the next entry.

To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proof-of-work system similar to Adam Back's Hashcash, rather than newspaper or Usenet posts.

The idea of PoW dates back to hashcash, invented by Adam Back in 1997; it was originally designed to fight spam on the Internet.

The proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash.

Proof-of-work scans for a value that satisfies a condition when hashed: with SHA-256, for example, the hash must begin with a certain number of zero bits. The work needed to find such a value grows exponentially with the number of zero bits required, while checking that a candidate is correct takes a single hash computation.

For our timestamp network, we implement the proof-of-work by incrementing a nonce in the block until a value is found that gives the block's hash the required zero bits.

So that each proof-of-work is computed afresh, Satoshi adds a nonce to the block. The nonce must make the block's hash begin with the required number of zero bits. It is found by repeated trial, and that search is the "work". The difficulty is adjusted dynamically so that a block is produced roughly every 10 minutes.

Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.

Once a node has spent CPU effort to satisfy PoW and won the right to record the block, the block's contents cannot be changed after publication without redoing that work. And once further blocks are chained after it, changing the block requires redoing all the work done for it and for the blocks after it.

(figure: bitcoin_nonce)

The paper's figure shows that each block contains the hash of the previous block. If a block's contents are modified, its hash necessarily changes, the next block then has to find a new nonce, and so on, chasing a chain that keeps extending. Without a very large amount of computing power it is practically impossible to alter information on the chain.
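Added example (mine, not the white paper's or Bitcoin's own code) of the mechanism in this chapter: a block is hashed together with its nonce until the hash falls below a target, a chain is verified with one hash per block, and editing an old block without re-mining breaks both its own proof-of-work and the link from the block after it. The 12-bit difficulty, the JSON header layout and the function names are constructed for illustration; Bitcoin's real header format and difficulty differ.

```python
import hashlib
import json

# Constructed difficulty: 12 leading zero bits, roughly 4096 hashes per block on average.
# Bitcoin's real target is vastly lower, but the check is the same: hash < target.
DIFFICULTY_BITS = 12
TARGET = 1 << (256 - DIFFICULTY_BITS)
GENESIS_PREV = "0" * 64


def block_hash(block: dict) -> str:
    # Serialize the header fields in a fixed order; the nonce is part of what is hashed.
    header = json.dumps([block["prev_hash"], block["txs"], block["nonce"]]).encode()
    return hashlib.sha256(header).hexdigest()


def meets_target(hex_hash: str) -> bool:
    # "Begins with N zero bits" is the same as "numerically below 2^(256-N)".
    return int(hex_hash, 16) < TARGET


def mine(prev_hash: str, txs: list) -> dict:
    # The work: increment the nonce until the block's hash satisfies the target.
    block = {"prev_hash": prev_hash, "txs": txs, "nonce": 0}
    while not meets_target(block_hash(block)):
        block["nonce"] += 1
    return block


def verify_chain(chain: list) -> bool:
    # Verification costs one hash per block: check the link and the proof-of-work.
    prev = GENESIS_PREV
    for block in chain:
        h = block_hash(block)
        if block["prev_hash"] != prev or not meets_target(h):
            return False
        prev = h
    return True


def build_chain(n: int) -> list:
    chain, prev = [], GENESIS_PREV
    for i in range(n):
        block = mine(prev, [f"constructed-tx-{i}"])   # constructed payloads
        chain.append(block)
        prev = block_hash(block)
    return chain


def tamper(chain: list, index: int, new_txs: list) -> list:
    # Change one block's contents without redoing any work: the chain stops verifying.
    copy = [dict(b) for b in chain]
    copy[index]["txs"] = new_txs
    return copy


def rewrite_from(chain: list, index: int, new_txs: list):
    # What it actually takes: re-mine the altered block and every block after it.
    # Returns the rebuilt chain and the number of hashes that cost.
    prev = block_hash(chain[index - 1]) if index > 0 else GENESIS_PREV
    rebuilt, attempts = chain[:index], 0
    for i in range(index, len(chain)):
        txs = new_txs if i == index else chain[i]["txs"]
        block = mine(prev, txs)
        attempts += block["nonce"] + 1
        rebuilt.append(block)
        prev = block_hash(block)
    return rebuilt, attempts


if __name__ == "__main__":
    chain = build_chain(4)
    print("honest chain valid:", verify_chain(chain))
    print("edited in place valid:", verify_chain(tamper(chain, 1, ["edited"])))
    rebuilt, cost = rewrite_from(chain, 1, ["edited"])
    print("re-mined chain valid:", verify_chain(rebuilt), "hashes spent:", cost)
```

rewrite_from is the attacker's side of the argument: the deeper the edited block, the more blocks must be re-mined, and all of that has to happen while honest nodes keep extending the real chain.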

The proof-of-work also solves the problem of determining representation in majority decision making. 

Satoshi also notes that PoW solves the problem of deciding who is represented in majority decision-making.

If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote. The majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it.

If the majority were based on one IP address, one vote, whoever maliciously controls many IP addresses would represent the majority. PoW is in essence voting by CPU power: the longest chain represents the majority decision because it has the most hash power voting for it.

If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains.

If most CPU power is controlled by honest nodes, the honest chain grows fastest and outpaces any competing chains.

To modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes.

As mentioned earlier, changing one block means changing every block produced after it and redoing that work. The attacker would have to redo the proof-of-work of that block and of all the blocks after it, and then catch up with and overtake the honest nodes' work; the cost is enormous.

We will show later that the probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added.

The probability of the attacker catching up with the honest nodes falls sharply as subsequent blocks are added, and the cost rises correspondingly.

To compensate for increasing hardware speed and varying interest in running nodes over time, the proof-of-work difficulty is determined by a moving average targeting an average number of blocks per hour. If they're generated too fast, the difficulty increases.

To compensate for increasing hardware speed and to balance the incentives of nodes, proof-of-work difficulty is set using a moving average targeting an average number of blocks per hour. If blocks are found too quickly the system raises the difficulty, holding the rate at about one block every 10 minutes.

Summary: building on earlier work, Satoshi proposes the proof-of-work mechanism and explains how each node's work is expressed. He also shows that proof-of-work is fundamentally voting by hash power: the longest chain, carrying the most work, is the chain recognized by the majority of nodes.

7. Network

In Chapter 5 Satoshi designs the mechanism for running the whole distributed network.

(figure: bitcoin_network)

Running the network takes six steps:

  1. Every new transaction is broadcast to all nodes.

  2. Each node collects the new transactions into a block.

  3. Each node works on finding a proof-of-work of the required difficulty for its block.

  4. When a node finds a proof-of-work, it broadcasts the block to the other nodes.

  5. Nodes accept the block only if every transaction in it is valid and not already spent.

  6. Nodes express acceptance by using the block's hash as the previous hash in the next block they create.

Nodes always consider the longest chain to be the correct one and will keep working on extending it.

Nodes always consider the longest chain to be the correct one and jointly maintain and extend it.

If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first.

Consider the case where two nodes broadcast different blocks simultaneously: some nodes receive one first, others the other.

In that case, they work on the first one they received, but save the other branch in case it becomes longer. The tie will be broken when the next proof-of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one.

In that case nodes keep working on the block they received first but also save the other branch in case it becomes longer. When the next proof-of-work is found the deadlock is broken and one branch becomes longer; nodes that were working on the other branch then switch to the longer one.
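An added illustration (mine, not from the paper) of the fork rule just quoted: each node keeps every block it hears about, treats the first-received block at a given height as its tip, and switches only when the other branch becomes longer. The block identifiers and the Node class are constructed; proof-of-work is left out because the rule being shown is branch selection, not mining.

```python
class Node:
    """Keeps every block it has seen. Its tip is the end of the longest chain it knows.
    Equal-length branches keep the one received first; a longer branch causes a switch."""

    def __init__(self):
        self.blocks = {"genesis": ("", 0)}   # block id -> (parent id, height)
        self.tip = "genesis"

    def receive(self, block_id: str, parent: str) -> None:
        if block_id in self.blocks:
            return                           # duplicate broadcast, ignore
        if parent not in self.blocks:
            return                           # parent unknown: a real node would request it
        height = self.blocks[parent][1] + 1
        self.blocks[block_id] = (parent, height)
        if height > self.blocks[self.tip][1]:
            self.tip = block_id              # strictly longer: switch; a tie keeps the old tip

    def chain(self) -> list:
        out, cur = [], self.tip
        while cur:
            out.append(cur)
            cur = self.blocks[cur][0]
        return out[::-1]


def simulate_fork():
    # Two miners publish competing blocks at the same height. Node a hears A1 first,
    # node b hears B1 first, so they temporarily disagree on the tip.
    a, b = Node(), Node()
    a.receive("A1", "genesis"); a.receive("B1", "genesis")
    b.receive("B1", "genesis"); b.receive("A1", "genesis")
    tips_before = (a.tip, b.tip)
    # The next proof-of-work lands on A1. The tie is broken and b abandons B1.
    a.receive("A2", "A1"); b.receive("A2", "A1")
    return tips_before, (a.tip, b.tip), b.chain()


if __name__ == "__main__":
    before, after, chain = simulate_fork()
    print("tips before:", before, "after:", after, "b's chain:", chain)
```

Node b never discards B1; it stays stored in case a later block extends that branch instead, which is exactly the "save the other branch" behaviour in the quoted text.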

New transaction broadcasts do not necessarily need to reach all nodes. As long as they reach many nodes, they will get into a block before long.

New transaction broadcasts need not reach every node; as long as they reach enough nodes they will soon be packaged into a new block.

Block broadcasts are also tolerant of dropped messages. If a node does not receive a block, it will request it when it receives the next block and realizes it missed one.

Block broadcasts are also tolerant of lost messages. If a node does not receive a block, it requests the missing block data when it notices the gap.

Summary: Satoshi describes how the Bitcoin network runs and explains how blocks and transactions are broadcast within it.

8. Incentive

Completing the demanding proof-of-work obviously requires the support of many honest nodes writing new blocks into the network. That costs a great deal, and nodes will clearly not be willing to work for free indefinitely.

In Chapter 6 Satoshi introduces the Bitcoin network's incentive scheme.

By convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block.

The Bitcoin system adopts the convention that the first transaction in every block is a special transaction: the system's reward to the block's creator.

This adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them.

This not only adds an incentive for nodes to support the network but also provides a way to distribute new coins into circulation.

The incentive can also be funded with transaction fees. If the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction.

Another part of the incentive is transaction fees. If a transaction's output value is less than its input value, the difference is a fee that is added to the incentive of the block containing the transaction.

Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free.

Once the predetermined number of coins has entered circulation, the incentive consists only of transaction fees, which prevents inflation.

The incentive may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. 

The incentive also helps keep nodes honest. Consider a greedy attacker able to assemble more CPU power than all the honest nodes: if his only aim is a single double-spend or fraudulent transaction, that is not worth it compared with mining honestly and collecting the reward.

He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.

Using that CPU power to mine for a steady income pays better than attacking the chain, altering blocks and stealing coins.

Summary: Bitcoin's incentive = block reward + transaction fees.

9. Reclaiming Disk Space

Chapter 7, reclaiming disk space, describes the storage structure of blockchain transaction data.

Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space.

Once a coin's latest transaction is buried under enough blocks, the transactions before it can be discarded to save disk space.

To facilitate this without breaking the block's hash, transactions are hashed in a Merkle Tree, with only the root included in the block's hash.

Transactions within a block are stored in a Merkle tree, consisting of a root node, a set of interior nodes and a set of leaf nodes.

(figure: bitcoin_merkle_tree)

Leaf nodes hold the stored data or its hash, interior nodes hold the hash of their two children, and the root is likewise the hash of its two children.

Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes do not need to be stored.

Once a transaction has been covered by enough blocks, that is, once consensus has formed, the transaction data of its past owners can be discarded from the block, keeping only the latest data and the root hash of the earlier data; the hash is not broken and can still be used to verify validity.

(figure: bitcoin_merkle_remove)

This kind of verification is what the author calls a zero-knowledge proof: checking whether an event is correct does not require the verifier to replay the whole event. The hashes in the Merkle tree take little space, improve lookup efficiency, and can be used for this kind of proof.

A block header with no transactions would be about 80 bytes.

Satoshi also made a rough estimate: each block header without transactions is about 80 bytes.

If we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year. With computer systems typically selling with 2GB of RAM as of 2008, and Moore's Law predicting current growth of 1.2GB per year, storage should not be a problem even if the block headers must be kept in memory.

Assuming a block every 10 minutes, that is 4.2MB of headers per year. Computers in 2008 had 2GB of RAM, and by Moore's Law memory grows about 1.2GB per year, so even if all block headers are kept in memory, storage is not a problem.

Summary: the Merkle tree compresses data and saves on transaction storage cost. Its hashes take little space, improve lookup efficiency and can be used for the proofs described above.

10. Simplified Payment Verification

Chapter 8, Simplified Payment Verification, SPV for short.

It is possible to verify payments without running a full network node.

SPV is a way to verify payments without running a full network node. The Bitcoin SPV wallets or light wallets we often see typically run SPV nodes.

Running a full node takes several hundred GB of disk, which is too costly for an ordinary user, so Satoshi describes the possibility of simplified payment verification.

A user only needs to keep a copy of the block headers of the longest proof-of-work chain, which he can get by querying network nodes until he's convinced he has the longest chain, and obtain the Merkle branch linking the transaction to the block it's timestamped in.

In practice a user only needs to keep the block headers of the longest consensus chain, which he can obtain by querying other nodes until he is sure he has the longest chain, and then link the transaction to be verified to the corresponding Merkle branch.

He can't check the transaction for himself, but by linking it to a place in the chain, he can see that a network node has accepted it, and blocks added after it further confirm the network has accepted it.

An SPV node cannot verify the transaction by itself, but by linking it to a position in the chain it can see that a network node accepted it, and the blocks added afterwards further confirm that the whole network accepted it.
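Added example, mine rather than the paper's or Bitcoin's own code, covering both the Merkle tree of Chapter 7 and the SPV check of this chapter: build the tree, extract the Merkle branch for one transaction, and verify it against nothing but the root a client would keep from the block header. It follows Bitcoin's conventions of double SHA-256 and duplicating the last hash on odd levels; the transaction strings and the function names are constructed.

```python
import hashlib


def dsha256(data: bytes) -> bytes:
    # Bitcoin applies SHA-256 twice.
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_levels(leaves: list) -> list:
    """All levels of the tree, leaves first, root last."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        level = levels[-1]
        if len(level) % 2:                 # odd count: duplicate the last hash, as Bitcoin does
            level = level + [level[-1]]
        levels.append([dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)])
    return levels


def merkle_root(leaves: list) -> bytes:
    return merkle_levels(leaves)[-1][0]


def merkle_branch(leaves: list, index: int) -> list:
    """Sibling hashes from the leaf up to the root (the paper's 'Merkle branch').
    Each entry is (sibling_hash, sibling_is_on_the_right)."""
    branch = []
    for level in merkle_levels(leaves)[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        branch.append((level[index ^ 1], index % 2 == 0))
        index //= 2
    return branch


def verify_branch(leaf: bytes, branch: list, root: bytes) -> bool:
    """Recompute the path to the root; only the branch and the header's root are needed."""
    h = leaf
    for sibling, sibling_right in branch:
        h = dsha256(h + sibling) if sibling_right else dsha256(sibling + h)
    return h == root


def full_node_view(txs: list):
    # The full node stores every transaction; it serves a client the root and one branch.
    leaves = [dsha256(tx) for tx in txs]
    return merkle_root(leaves), leaves


def spv_check(tx: bytes, branch: list, header_root: bytes) -> bool:
    # The light client keeps headers only: it re-hashes the transaction and walks the branch.
    return verify_branch(dsha256(tx), branch, header_root)


def demo():
    txs = [b"constructed-tx-%d" % i for i in range(5)]   # constructed sample transactions
    root, leaves = full_node_view(txs)
    branch = merkle_branch(leaves, 3)
    return {
        "branch_length": len(branch),      # grows with log2 of the block size, not the block size
        "accepted": spv_check(txs[3], branch, root),
        "rejected": spv_check(b"constructed-tx-forged", branch, root),
    }


if __name__ == "__main__":
    print(demo())
```

A branch proves only that the transaction is in a block whose header the client holds; it says nothing about whether that block is on the chain the honest majority is extending, which is why the paper goes on to discuss what happens when an attacker overpowers the network.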

(figure: bitcoin_spv)

In practice, this kind of simplified-verification wallet client is less resistant to attack.

As such, the verification is reliable as long as honest nodes control the network, but is more vulnerable if the network is overpowered by an attacker. While network nodes can verify transactions for themselves, the simplified method can be fooled by an attacker's fabricated transactions for as long as the attacker can continue to overpower the network.

Under attack, simplified verification carries higher risk, so such simplified nodes also need some mechanism to ensure security.

One strategy to protect against this would be to accept alerts from network nodes when they detect an invalid block, prompting the user's software to download the full block and alerted transactions to confirm the inconsistency.

One strategy is to accept alerts from network nodes when they detect an invalid block, prompting the user's software to download the full block and the alerted transactions to check the inconsistency.

Businesses that receive frequent payments will probably still want to run their own nodes for more independent security and quicker verification.

For businesses that receive frequent payments, or enterprise service providers, Satoshi still recommends running their own full node.

Summary: SPV nodes verify transactions conveniently but are easier for an attacker to mislead.

11. Combining and Splitting Value

Chapter 9, combining and splitting value.

Although it would be possible to handle coins individually, it would be unwieldy to make a separate transaction for every cent in a transfer. To allow value to be split and combined, transactions contain multiple inputs and outputs.

In practice every Bitcoin transaction can have multiple inputs and multiple outputs, that is, multiple payers and multiple payees.

Normally there will be either a single input from a larger previous transaction or multiple inputs combining smaller amounts, and at most two outputs: one for the payment, and one returning the change, if any, back to the sender.

The payees can also include the payer himself; that is how change works.
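Added example (mine, not from the paper) tying together three passages: the double-spending question of Chapter 2, the fee rule of Chapter 6 (fee = inputs minus outputs), and the multiple inputs and outputs with change described here. It models the public ledger as the set of unspent outputs; the Ledger class, the integer amounts and the spender argument standing in for signature verification are my constructions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outpoint:
    txid: str        # transaction being spent
    index: int       # which of its outputs


@dataclass
class Tx:
    txid: str
    inputs: list     # [Outpoint]; empty for a block's coinbase transaction
    outputs: list    # [(owner, amount)] in constructed integer units


class Ledger:
    """The public ledger reduced to its unspent outputs (UTXOs).
    Each output may be consumed exactly once; a second spend is rejected."""

    def __init__(self):
        self.utxo = {}            # Outpoint -> (owner, amount)
        self.fees_collected = 0

    def apply_coinbase(self, tx: Tx) -> None:
        # Chapter 6: the first transaction of a block creates new coins for the miner.
        assert not tx.inputs
        self._add_outputs(tx)

    def apply(self, tx: Tx, spender: str) -> int:
        """Validate and apply a transfer; returns the fee. Raises ValueError if invalid.
        `spender` stands in for checking the signature on each input."""
        total_in = 0
        for op in tx.inputs:
            if op not in self.utxo:
                raise ValueError(f"{op} is unknown or already spent")
            owner, amount = self.utxo[op]
            if owner != spender:
                raise ValueError(f"{spender} does not own {op}")
            total_in += amount
        total_out = sum(amount for _, amount in tx.outputs)
        if total_out > total_in:
            raise ValueError("outputs exceed inputs: would create value from nothing")
        for op in tx.inputs:          # consume the inputs...
            del self.utxo[op]
        self._add_outputs(tx)         # ...and create the new outputs
        fee = total_in - total_out    # whatever is not claimed by an output goes to the miner
        self.fees_collected += fee
        return fee

    def _add_outputs(self, tx: Tx) -> None:
        for i, (owner, amount) in enumerate(tx.outputs):
            self.utxo[Outpoint(tx.txid, i)] = (owner, amount)

    def balance(self, owner: str) -> int:
        return sum(a for o, a in self.utxo.values() if o == owner)


def demo():
    ledger = Ledger()
    ledger.apply_coinbase(Tx("cb1", [], [("alice", 5000)]))
    ledger.apply_coinbase(Tx("cb2", [], [("bob", 1000)]))
    # One larger input, two outputs: the payment and the change back to alice; 10 is the fee.
    fee1 = ledger.apply(Tx("t1", [Outpoint("cb1", 0)], [("bob", 3000), ("alice", 1990)]), "alice")
    # Several smaller inputs combined into one payment; 100 is the fee.
    fee2 = ledger.apply(Tx("t2", [Outpoint("t1", 0), Outpoint("cb2", 0)], [("carol", 3900)]), "bob")
    # alice tries to spend cb1:0 a second time. Only the earliest spend counts.
    try:
        ledger.apply(Tx("t3", [Outpoint("cb1", 0)], [("dave", 5000)]), "alice")
        double_spend_rejected = False
    except ValueError:
        double_spend_rejected = True
    return {
        "fees": (fee1, fee2),
        "fees_collected": ledger.fees_collected,
        "double_spend_rejected": double_spend_rejected,
        "balances": {n: ledger.balance(n) for n in ("alice", "bob", "carol", "dave")},
    }


if __name__ == "__main__":
    print(demo())
```

Because every node applies the same rules to the same public history, the second spend of cb1:0 is rejected everywhere without anyone consulting a mint.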

12. Privacy

Chapter 10 of the paper addresses privacy.

The traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party.

The traditional banking model achieves a degree of privacy by limiting access to information to the parties involved and the trusted third party.

(figure: bitcoin_traditional_privacy)

In other words, a user's transaction information is available only to the user and the bank.

The necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous.

Announcing every transaction rules that method out, but the Bitcoin system can still protect privacy by breaking the flow of information elsewhere: keeping public keys anonymous. Users need no registration or identity check and can obtain a Bitcoin account anonymously, which breaks the link between transaction data and real identity.

The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. This is similar to the level of information released by stock exchanges, where the time and size of individual trades, the "tape", is made public, but without telling who the parties were.

The public can see that someone is sending some amount to someone else but cannot link the transaction to any person. This is like a stock exchange, where the time and size of each trade, the "tape", are public, but not who the parties were.

13. Calculations

In Chapter 11, Calculations, Satoshi uses formulas and code to argue that in practice the probability of a successful attack on the Bitcoin network is very low.

We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain.

Suppose an attacker tries to generate an alternate chain faster than the honest chain. What happens if he succeeds?

Even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker.

Even then the attacker cannot create bitcoins out of thin air or take other people's money, because that would require breaking their private keys, an extremely hard mathematical problem. Without the private key the transaction is simply invalid.

Nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them.

Honest nodes will not accept an invalid transaction as payment and will never accept a block containing one.

An attacker can only try to change one of his own transactions to take back money he recently spent.

So the attacker can only try to change one of his own transactions to take back money he recently spent.

The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk.

Satoshi says the race between the honest chain and the attacker's chain can be characterized as a binomial random walk.

The success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attacker's chain being extended by one block, reducing the gap by -1.

Here the success event is the honest chain being extended by one block, increasing the gap by 1, and the failure event is the attacker's chain being extended by one block, reducing the gap by 1.

The probability of an attacker catching up from a given deficit is analogous to a Gambler's Ruin problem. Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven.

The probability of the attacker catching up from a given deficit is analogous to the gambler's ruin problem: a gambler with unlimited credit starts at a deficit and plays a potentially infinite number of trials trying to reach break-even.

We can calculate the probability he ever reaches breakeven, or that an attacker ever catches up with the honest chain, as follows:

What we want is the probability that the gambler reaches break-even, that is, the probability that the attacker ever catches up with the honest chain.

(figure: bitcoin_probability)

First some definitions:

  • p = probability that an honest node finds the next block

  • q = probability that the attacker finds the next block

  • $q_z$ = probability that the attacker ever catches up from z blocks behind

When p < q, $q_z$ = 1, because the attacker can always find the next block faster.

When p > q, $q_z = (q/p)^z$, because there are z independent events.

Given our assumption that p > q, the probability drops exponentially as the number of blocks the attacker has to catch up with increases.

Assuming p > q, the probability $q_z$ drops exponentially as the number of blocks the attacker has to catch up grows.

With the odds against him, if he doesn't make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind.

With the odds against him, if the attacker does not catch up quickly early on, the further behind he falls the more remote his chances become.

We now consider how long the recipient of a new transaction needs to wait before being sufficiently certain the sender can't change the transaction.

Next Satoshi considers how long the recipient of a new transaction must wait before being confident that the payer can no longer change it.

We assume the sender is an attacker who wants to make the recipient believe he paid him for a while, then switch it to pay back to himself after some time has passed. The receiver will be alerted when that happens, but the sender hopes it will be too late.

Assume the payer is an attacker who wants the recipient to believe he has paid for a while, then switches the payment back to himself. When that happens the recipient will be alerted, but the payer hopes the alert will come too late.

The receiver generates a new key pair and gives the public key to the sender shortly before signing.

In fact the recipient can generate a fresh key pair and give the public key to the payer shortly before signing. The payer then does not know the recipient's receiving address in advance and cannot prepare a signed transaction ahead of time.

This prevents the sender from preparing a chain of blocks ahead of time by working on it continuously until he is lucky enough to get far enough ahead, then executing the transaction at that moment.

This prevents the payer from preparing a chain of blocks in advance and then executing the transaction at the moment he is far enough ahead.

Once the transaction is sent, the dishonest sender starts working in secret on a parallel chain containing an alternate version of his transaction.

Either way, once the transaction is sent, the dishonest payer starts working in secret on a parallel chain containing a replacement version of his transaction.

The recipient waits until the transaction has been added to a block and z blocks have been linked after it. He doesn't know the exact amount of progress the attacker has made, but assuming the honest blocks took the average expected time per block, the attacker's potential progress will be a Poisson distribution with expected value:

Suppose the recipient waits until the transaction has been added to a block and z honest blocks have been linked after it. He does not know the attacker's exact progress, but assuming the honest blocks took the average expected time per block, the attacker's potential progress follows a Poisson distribution.

(figure: bitcoin_poission)

The expected value λ is the expected number of blocks the attacker has produced in that average time.

To get the probability the attacker could still catch up now, we multiply the Poisson density for each amount of progress he could have made by the probability he could catch up from that point:

To get the probability that the attacker can still catch up now, take the probability that the attacker has reached k blocks of progress and multiply it by the probability that, from k blocks, he can still catch up with the z honest blocks.

(figure: bitcoin_expression)

Summing over all possible amounts of progress gives the total probability, and rearranging to avoid summing the infinite tail gives the following formula:

(figure: bitcoin_expression)

Satoshi then gives a piece of C code and its output:

#include <math.h>
double AttackerSuccessProbability(double q, int z)
{
    double p = 1.0 - q;              /* honest nodes' share of hash power */
    double lambda = z * (q / p);     /* expected attacker progress while z honest blocks were found */
    double sum = 1.0;
    int i, k;
    for (k = 0; k <= z; k++)
    {
        double poisson = exp(-lambda);   /* probability of exactly k attacker blocks */
        for (i = 1; i <= k; i++)
            poisson *= lambda / i;
        sum -= poisson * (1 - pow(q / p, z - k));   /* remove the cases where he cannot catch up */
    }
    return sum;
}

The conclusion: once z blocks have been added after the transaction under attack, the probability that the attacker's false chain still catches up with the honest chain decreases exponentially with z.
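Added Python version of the calculation (mine; the C above is Satoshi's), with three changes: a guard for q ≥ p, where the attacker is not slower and always catches up; the Poisson term is updated incrementally instead of recomputed from scratch for each k; and a second function searches for the smallest z that pushes the attacker's success probability below a chosen threshold, which is how the white paper's table of required confirmations is produced.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with share q of the hash power ever catches up
    after z honest blocks have been linked on top of the transaction."""
    if not 0 <= q < 1 or z < 0:
        raise ValueError("q must be in [0, 1) and z >= 0")
    p = 1.0 - q
    if q >= p:
        return 1.0                      # not slower than the honest nodes: he always catches up
    lam = z * (q / p)                   # expected attacker progress while honest nodes found z blocks
    total = 1.0
    poisson = math.exp(-lam)            # P(k = 0)
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k          # P(k) from P(k-1); the C version recomputes this inner loop
        total -= poisson * (1 - (q / p) ** (z - k))
    return total


def confirmations_for(q: float, max_probability: float = 0.001) -> int:
    """Smallest z for which the attacker's success probability is below max_probability."""
    if q >= 0.5:
        raise ValueError("with q >= 0.5 no number of confirmations is enough")
    z = 0
    while attacker_success_probability(q, z) >= max_probability:
        z += 1
    return z


def confirmation_table(qs=(0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45)) -> dict:
    # The white paper's second table: required z for P < 0.1% at each attacker share.
    return {q: confirmations_for(q) for q in qs}


if __name__ == "__main__":
    for q in (0.1, 0.3):
        print(q, [round(attacker_success_probability(q, z), 7) for z in range(0, 11)])
    print(confirmation_table())
```

For q = 0.1 the first table's value at z = 5 (0.0009137) is the first entry below 0.1%, so confirmations_for(0.1) returns 5; the function lets a recipient pick a threshold other than the paper's 0.1% and see how the required depth moves.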

(figure: bitcoin_result)

14. Conclusion

The paper's final chapter: the conclusion.

We have proposed a system for electronic transactions without relying on trust.

Satoshi says: we have proposed a system for electronic transactions without relying on trust.

We started with the usual framework of coins made from digital signatures, which provides strong control of ownership, but is incomplete without a way to prevent double-spending.

It starts from the usual framework of coins made from digital signatures, which provides strong control of ownership but is incomplete without a way to prevent double-spending.

To solve this, we proposed a peer-to-peer network using proof-of-work to record a public history of transactions that quickly becomes computationally impractical for an attacker to change if honest nodes control a majority of CPU power.

To solve this, Satoshi proposes proof-of-work, with a public history of transactions recorded on a peer-to-peer network. As long as honest nodes control a majority of CPU power, the transaction history quickly becomes computationally impractical for an attacker to change.

Nodes work all at once with little coordination. They do not need to be identified, since messages are not routed to any particular place and only need to be delivered on a best effort basis. Nodes can leave and rejoin the network at will, accepting the proof-of-work chain as proof of what happened while they were gone.

Satoshi regards this as a simple and robust network. Nodes work all at once with little coordination. They need not be identified, since messages are not sent to any central place and only need to be propagated widely. Nodes can leave and rejoin the network at will.

They vote with their CPU power, expressing their acceptance of valid blocks by working on extending them and rejecting invalid blocks by refusing to work on them. Any needed rules and incentives can be enforced with this consensus mechanism

Nodes vote with their CPU power, expressing acceptance of valid blocks by working to extend them and rejection of invalid blocks by refusing to work on them. Any needed rules and incentives can be enforced through this consensus mechanism.