解读 A Peer-to-Peer Electronic Cash System

Posted on Edited on In Views: Word count in article: 5k Reading time ≈ 18 mins.

[toc]

在 2008 年,比特币创始人 中本聪 (Satoshi Nakamoto) 发表了这篇可以载入史册的论文 - 比特币:一种点对点的电子现金系统 (Bitcoin: A Peer-to-Peer Electronic Cash System),讲述了比特币是如何产生和工作的。

官网下载链接是 white paper,其中有多种语言的翻译版。建议有英文阅读能力的同学,优先选择英文原版阅读。

比特币涉及到计算机原理、密码学、概率学等复杂的知识。如果想彻底搞懂比特币原理,光看这一篇论文显然是不够的,还需要大量的衍生阅读。这篇文章的起点门槛比较高,但是这篇文章是学习比特币原理,最权威、第一手的资料,能让你对比特币的设计原理有大体的了解,体会 中本聪 设计比特币的初衷。

如果你想参与比特币等数字货币的交易,那么欢迎移步阅读我的另一篇教程文章 - 购买自己的第一枚数字货币

Abstract

中本聪设计比特币的目的:通过构建完全点对点技术,实现一种电子货币,达到无需金融中介无需双方信任的情况下,实现在线的电子化支付。

A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution.

论文的主要成就:使用点对点的技术,在不依赖第三方交易平台 (financial institution, a trusted third party) 的情况下,利用区块链技术,实现了去中心化的目的,解决了双重支付 (double-spending) 问题。

Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network.

中本聪通过数字签名 (digital signatures),随机散列,哈希算法 (hash),工作量证明 (proof-of-work, POW),动态链式存储 (ongoing chain) 等技术,设计了一系列的机制,使比特币能够解决电子支付中的双花难题 (double-spending),记录篡改等问题,并最终通过严密的数学论证,证明该系统安全有效,稳定可行。

Introduction

目前互联网贸易越来越依赖金融机构作为可信任的第三方,那么完全的不可撤销交易实际上是不存在的;那么对不可撤销服务进行支付将需要更大的成本,比如索取付款方更多的个人信息,我们迫切需要在不引入一个可信任方而能在通信通道上进行支付的机制。

本文提出一个基于密码学原理,而不是信任的电子支付系统,该系统允许任何有意愿的双方能直接交易而不需要一个可信任第三方。

What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party.

本文提出的比特币系统,具有以下三个优点:

  • 基于密码学原理,而不是信任来建立支付系统。
    • based on cryptogtaphic proof instead of trust
  • 不需要引入第三方金融机构。
    • without third party financial institutions
  • 交易不可逆。
    • no reverse transactions

Transactions

我们定义一枚电子货币就是一条数字签名链。

We define an electronic coin as a chain of digital signatures.

每个拥有者都通过将上一次交易和下一个拥有者的公钥的哈希值的数字签名添加到此货币末尾的方式将这枚货币转移给下一个拥有者。收款人可以通过验证数字签名来证实其为该链的所有者。

Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. A payee can verify the signatures to verify the chain of ownership.

知识点:哈希(Hash)是将目标文本转换成具有相同长度的、不可逆的杂凑字符串(或叫做消息摘要),而加密(Encrypt)是将目标文本转换成具有不同长度的、可逆的密文。

到目前为止,有一个问题需要解决,那就是 "收款人不能证实拥有者之一没有对此货币进行双重支付",也就是一份钱付给了两个人,这也是后面文章中要解决的主要问题。

The problem of course is the payee can’t verify that one of the owners did not double-spend the coin.

Timestamp Server

时间戳服务器计算包含多个需要被打时间戳的数据项的区块的哈希值,并广泛地发布公开这个哈希值。

A timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash.

时间服务器,类似于一个交易编年史,把一次次交易按时间顺序记录下来,形成一个个区块链,并为公众所知晓。

Proof-Of-Work

工作量证明要解决的问题:采取搜索一个数,使得被哈希时 (如使用 SHA-256),得到的哈希值以数个 0 比特开始。

平均所需工作量将随所需 0 比特呈指数级增长,而验证却只需执行一次哈希。一般情况下,10 min 求解出一次答案,也就是挖矿的过程。

The proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash.

POW 约束:当前区块包含了上一区块的 hash 值,从而形成带时间戳、可验证的链式结构;一旦消耗了 CPU 算力使区块满足了工作量证明,那么除非重做这个工作否则就无法更改区块。由于后面的区块是链接在这个区块后面的,改变这个区块将需要重做所有后面的区块。

Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.

POW 特点:按 CPU 投票,解决了多数决定中的确定方式问题 (the problem of determining representation in majority decision making)。最长的链代表了多数决定,因为有最大的计算工作量证明的精力投入到这条链上。

Proof-of-work is essentially one-CPU-one-vote. The majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it.

POW 算力限制:为了抵消硬件运算速度的增加 (摩尔定律) 及平衡不同时期运行节点的利益,工作量证明的难度将由移动平均数法来确定每小时生成区块的平均数。如果区块生成得过快,那么生成的难度就会增加。

MC:BTC 是一个复杂系统,在设计之初,就详细考虑了方方面面。

To compensate for increasing hardware speed and varying interest in running nodes over time, the proof-of-work difficulty is determined by a moving average targeting an average number of blocks per hour. If they’re generated too fast, the difficulty increases.

Network

分布式网络的运行步骤

  1. 新交易向所有节点广播。
  1. 每个节点将新交易收集到一个区块。
  2. 每个节点为它的区块寻找工作量证明。
  3. 当一个节点找到了工作量证明,就向所有节点广播这个区块。
  4. 节点只有在区块内所有交易都是有效的且之前没有被支付的情况下接收这个区块。
  1. 节点通过使用这个区块的哈希值作为上一个哈希值,在链中创建下一个区块的方式表示对这个区块的接受。

根据规定,节点总是认为最长的链为正确的并持续致力于延长它。

Nodes always consider the longest chain to be the correct one and will keep working on extending it.

网络的鲁棒性

  1. 新交易的广播不必到达所有的节点。
  • 只要到达一些节点,不久就会进入到一个区块。
  1. 区块广播也是能容忍消息丢失的。
  • 如果一个节点没有收到某个区块,它将在收到下一个区块时发现它丢失了一个区块然后去请求这个区块。

New transaction broadcasts do not necessarily need to reach all nodes. As long as they reach many nodes, they will get into a block before long. Block broadcasts are also tolerant of dropped messages. If a node does not receive a block, it will request it when it receives the next block and realizes it missed one.

Incentive

激励组成

我们约定,区块中的第一笔交易是特殊的交易,奖励区块创建者一枚属于 TA 的新货币 (挖矿收益)。这就增加了对支持网络的节点的激励,并提供了一种分发货币到流通领域的方法。

  • BTC 消耗 CPU 计算时间和电力 (CPU time and electricity) 资源来稳定地增加新货币,替代了中心发币机构。

By convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. This adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them.

激励也可以由交易费充当。如果交易的输出值小于其输入值,差价就作为交易费被加到包含此交易的区块的激励中。一旦预定量的货币进入了流通领域,激励将变为只含有交易费,这样可以完全避免通货膨胀。

所以,区块奖励 = 区块新货币奖励 (若有,奖励逐渐减少) + 区块包含交易中的手续费奖励。

The incentive can also be funded with transaction fees. If the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction.

激励会有助于鼓励节点保持诚实,遵守规则比破坏系统和他自己财产的有效性更有利。

The incentive may help encourage nodes to stay honest. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.

Reclaiming Disk Space

一旦某个货币的最新交易已经被足够多的区块覆盖,这之前的支付交易就可以被丢弃以节省磁盘空间

  • 老的交易被哈希进默克尔树 (Merkle Tree) (树枝内部的哈希不需要被保存),只有根节点被纳入到区块的哈希值,那么老的区块可通过剪除树枝的方式被压缩,又不破坏区块的哈希值。

Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space.

分布式存储可行性论证:每个不包含交易信息的区块头大约是 80 bytes。如果每 10 分钟生成一个区块,每年生成 80 bytes * 6 * 24 * 365 = 4.2 MB。

A block header with no transactions would be about 80 bytes. If we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year.

Simplified Payment Verification

不运行一个完整的网络节点也是可以进行支付验证的。用户只需拥有一个最长工作量证明链的区块头副本,他可以通过向其他网络节点查询以确认他拥有了最长的链,并获取链接该交易到给交易打时间戳区块的默克尔分支。

It is possible to verify payments without running a full network node. A user only needs to keep a copy of the block headers of the longest proof-of-work chain, which he can get by querying network nodes until he’s convinced he has the longest chain, and obtain the Merkle branch linking the transaction to the block it’s timestamped in.

虽然收款方自己不能核实这个交易 (零知识证明),但如果交易已经链接到链中的某个位置,就说明一个网络节点已经接受了此交易,而其后迫加的区块进一步确认网络已经接受了它。

He can’t check the transaction for himself, but by linking it to a place in the chain, he can see that a network node has accepted it, and blocks added after it further confirm the network has accepted it.

缺陷:同样地,只要诚实节点控制着网络,这种简化验证就是可靠的;如果网络被攻击者控制,简化验证 (SPV) 会变得比较脆弱。虽然网络节点可以验证他们自己的交易,但只要攻击者持续控制网络那么这种简化的方法就可能被攻击者的伪造交易欺骗。比如,SPV 钱包 (轻钱包) 存在一定的安全隐患。

As such, the verification is reliable as long as honest nodes control the network, but is more vulnerable if the network is overpowered by an attacker.

为了更加独立的安全性以及更快的支付确认,收款频繁的公司可能仍需运行他们自己的节点。

Businesses that receive frequent payments will probably still want to run their own nodes for more independent security and quicker verification.

Combining and Splitting Value

为允许交易额被分割和合并,交易将包含多个输入值和输出值。
通常是一个从之前交易而得的较大输入值或多个较小输入值的组合,以及最多两个输出值:一个作为支付,另一个作为找零,如果有的话,退还给支付发送方。

To allow value to be split and combined, transactions contain multiple inputs and outputs. Normally there will be either a single input from a larger previous transaction or multiple inputs combining smaller amounts, and at most two outputs: one for the payment, and one returning the change, if any, back to the sender.

Privacy

如何保护隐私?

如上图,不同于传统的银行模型 (通过限制参与方和可信任第三方对信息的访问来达到一定级别的隐私),BTC 交易通过保持公钥匿名 (public keys anonymous) 来保证用户信息的隐私。

  • 公众能看到有人正在发送一定量货币给其他人,但是不能将交易关联到某个人,可以类比于证券交易。

The necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone.

又一层隐私保障

作为额外的防火墙,对每笔交易使用新密钥 (new key pair) 对可以防止他们被关联到一个共同的拥有者。

As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner.

新秘钥泄露隐私风险:由于多输入值交易存在,有些关联仍不可避免,因为多输入值交易必然暴露其多个输入是属于同一个拥有者的。风险就在于如果一个密钥的拥有者被暴露,关联性将暴露其他属于同一个拥有者的交易。所以,BTC 交易虽然是支持匿名的,但是不能杜绝通过关联性来获知用户交易信息

Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.

Calculations

攻击者的收益

假设一个攻击者生成一条比诚实链更快的替代链,那么系统也不会变得可以任意修改。这种情况下,攻击者既不能凭空创建货币,也拿不走不属于他的钱,因为网络节点将不会接受无效的交易作为支付,而且诚实节点永远不会接受一个包含无效交易的区块攻击者只可能改变他自己的某笔交易来拿回他不久前已经支出的钱

An attacker can only try to change one of his own transactions to take back money he recently spent.

攻击者从某一落后位置赶上诚实链的概率类似于赌徒破产理论 (a Gambler’s
Ruin problem),本节主要建立概率模型来估算攻击者赶上诚实链的概率。

The probability of an attacker catching up from a given deficit is analogous to a Gambler’s Ruin problem.

省略数学推导及证明…

概率证明的结论:攻击者的虚假链能赶上 z 个诚实区块的概率,随 z 的增长呈指数下降。

Conclusion

我们已经提出了一种不依赖信任的电子交易系统。我们从通用的数字签名货币体系开始,这体系提供了强有力的所有权控制,但由于缺乏防止双重支付的方法而不完善。

为解决这个问题,我们提出一种使用工作量证明来记录公共交易历史的点对点网络,只要诚实节点控制了多数的 CPU 算力,对于对攻击者,交易历史将很快变得在计算上不可更改。

网络因其结构简洁性而健壮。节点只需很少的协调就能同时工作。它们不需要被认证,因为信息不会被发送到某个特殊的位置,只需被尽力传播。节点可以随时离开和重新加入网络,只需接受最长的工作量证明链作为它们离开时发生事件的证据。

节点使用 CPU 算力来投票,通过致力于延长有效区块来表达对其接受,通过拒绝在无效区块上工作来表达对其抵制。任何需要的规则和激励都可通过这个共识机制来加强。

We have proposed a system for electronic transactions without relying on trust. We started with the usual framework of coins made from digital signatures, which provides strong control of ownership, but is incomplete without a way to prevent double-spending. To solve this, we proposed a peer-to-peer network using proof-of-work to record a public history of transactions that quickly becomes computationally impractical for an attacker to change if honest nodes control a majority of CPU power. The network is robust in its unstructured simplicity. Nodes work all at once with little coordination. They do not need to be identified, since messages are not routed to any particular place and only need to be delivered on a best effort basis. Nodes can leave and rejoin the network at will, accepting the proof-of-work chain as proof of what happened while they were gone. They vote with their CPU power, expressing their acceptance of valid blocks by working on extending them and rejecting invalid blocks by refusing to work on them. Any needed rules and incentives can be enforced with this consensus mechanism.

我的评价:BTC 系统是站在巨人的肩膀上实现,是一种去中心化,分布式的的经济学。首先,数字签名货币体系是已经通用的,但是有明显的双重支付缺陷没有被很好地解决。基于工作量证明的已有研究,作者提出 P2P 交易记账系统,根据 CPU 算力来模拟投票 和 筛选出诚实节点,并且把最长的工作量证明链作为交易账单;各个节点通过致力于延长有效区块来表达对其接受,通过拒绝在无效区块上工作来表达对其抵制;通过挖矿奖励的形式,鼓励了数字货币交易的普及,以及各节点的记账积极性。

论文构建的区块链模型,给科技界带来了一种思想变革,必将颠覆一些行业;BTC 只是区块链的一个应用,而不只是区块链的全部。

References