BlockChain: Satoshi Nakamoto's historic work "Bitcoin: A Peer-to-Peer Electronic Cash System", a nine-page Chinese-English side-by-side translation


Reader's guide

1. To understand the underlying principles of blockchain you still have to read the original white paper: "Bitcoin: A Peer-to-Peer Electronic Cash System".
2. Some terms may be translated inaccurately; corrections are welcome! Last revised 2017-12-30.

Warning: please do not copy and paste; respect the author's knowledge sharing. Thank you!
Contents

Background

The Bitcoin genesis block

Views from various commentators

The paper

Abstract

1. Introduction

2. Transactions

3. Timestamp Server

4. Proof-of-Work

5. Network

6. Incentive

7. Reclaiming Disk Space

8. Simplified Payment Verification

9. Combining and Splitting Value

10. Privacy

11. Calculations

12. Conclusion

References


Background

On 1 November 2008, a person calling himself Satoshi Nakamoto posted a research paper to an obscure cryptography discussion list. The paper described his design for a new digital currency, named bitcoin.

Bitcoin does away with third-party administration by using a public distributed ledger, which Satoshi called the "block chain". Users willingly contribute their computers' CPU power, running a special program to "mine", and together form a network that maintains the block chain.

In 2009 he released the first bitcoin software and formally launched the bitcoin monetary system.

In 2010 he gradually withdrew and handed the project over to other members of the bitcoin community. Satoshi is believed to hold about one million bitcoins, worth more than one billion US dollars at the end of 2013.

He left very little personal information online and almost nobody has heard of him. Although Satoshi himself may be a mystery, his design solved a problem that had stumped the cryptography community for decades. A digital currency that is convenient, hard to trace and outside the control of governments and banks is an idea that has been a hot topic for as long as the Internet has existed. (collected from the web)

Shinichi Mochizuki? Nick Szabo? Dorian Nakamoto? Craig Steven Wright? Whoever he is, the world owes him a Nobel Prize! As a blockchain researcher I very much look forward to that day.

The Bitcoin genesis block

The text Satoshi wrote into the coinbase of the genesis block is the front-page headline of The Times for that day:
The Times 03/Jan/2009 Chancellor on brink of second bailout for banks.

Views from various commentators

Since the paper was published, Satoshi's real identity has long been unknown to the outside world. WikiLeaks founder Julian Assange has claimed that Satoshi is a cypherpunk. Others say: "Satoshi is an anarchist; his original intention was not for cryptocurrency to be controlled by any government or central bank, but for it to be a currency that circulates freely worldwide, free of government regulation and control."

On 1 November 2008, Satoshi posted a paper to the cryptography mailing list at metzdowd.com, titled "Bitcoin: A Peer-to-Peer Electronic Cash System". The paper describes in detail how to build a decentralised electronic transaction system that does not have to rest on mutual trust between the two parties to a transaction. Soon afterwards, on 3 January 2009, he produced the first client program implementing the bitcoin algorithm and performed the first "mining", obtaining the first 50 bitcoins. This marked the formal birth of the bitcoin monetary system.

On 5 December 2010, during the WikiLeaks release of US diplomatic cables, the bitcoin community called on WikiLeaks to accept bitcoin donations in order to break the financial blockade. Satoshi firmly opposed this, saying that bitcoin was still in its cradle and could not withstand conflict and controversy. Seven days later, on 12 December, he posted his last message on the bitcoin forum, mentioning a few minor issues in the latest software release, and then never appeared again; his email correspondence also gradually ceased. (from Baidu)

Vitalik Buterin's comment: Vitalik tweeted that if CSW really were Satoshi, then it is Satoshi himself who should be questioned. He said: "If there were conclusive proof that CSW is Satoshi, I would not change my view of CSW; I would change my view of Satoshi."
Zeng Ming: I think Satoshi is extraordinary, a genius who truly opened up an era.
More to come...

 

The paper

Satoshi's original: "Bitcoin: A Peer-to-Peer Electronic Cash System", https://bitcoin.org/bitcoin.pdf

Abstract

A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.

1. Introduction

Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. While the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes. The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for non-reversible services. With the possibility of reversal, the need for trust spreads. Merchants must be wary of their customers, hassling them for more information than they would otherwise need. A certain percentage of fraud is accepted as unavoidable. These costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party.

What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party. Transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers. In this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions. The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes.

2. Transactions

We define an electronic coin as a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. A payee can verify the signatures to verify the chain of ownership.

The problem of course is the payee can't verify that one of the owners did not double-spend the coin. A common solution is to introduce a trusted central authority, or mint, that checks every transaction for double spending. After each transaction, the coin must be returned to the mint to issue a new coin, and only coins issued directly from the mint are trusted not to be double-spent. The problem with this solution is that the fate of the entire money system depends on the company running the mint, with every transaction having to go through them, just like a bank.

We need a way for the payee to know that the previous owners did not sign any earlier transactions. For our purposes, the earliest transaction is the one that counts, so we don't care about later attempts to double-spend. The only way to confirm the absence of a transaction is to be aware of all transactions. In the mint based model, the mint was aware of all transactions and decided which arrived first. To accomplish this without a trusted party, transactions must be publicly announced [1], and we need a system for participants to agree on a single history of the order in which they were received. The payee needs proof that at the time of each transaction, the majority of nodes agreed it was the first received.

3. Timestamp Server

The solution we propose begins with a timestamp server. A timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash, such as in a newspaper or Usenet post [2-5]. The timestamp proves that the data must have existed at the time, obviously, in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.

         

4. Proof-of-Work

To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proof-of-work system similar to Adam Back's Hashcash [6], rather than newspaper or Usenet posts. The proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash.

For our timestamp network, we implement the proof-of-work by incrementing a nonce in the block until a value is found that gives the block's hash the required zero bits. Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.

The proof-of-work also solves the problem of determining representation in majority decision making. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote. The majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it. If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. To modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes. We will show later that the probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added.

To compensate for increasing hardware speed and varying interest in running nodes over time, the proof-of-work difficulty is determined by a moving average targeting an average number of blocks per hour. If they're generated too fast, the difficulty increases.

5. Network

The steps to run the network are as follows:
1) New transactions are broadcast to all nodes.
2) Each node collects new transactions into a block.
3) Each node works on finding a difficult proof-of-work for its block.
4) When a node finds a proof-of-work, it broadcasts the block to all nodes.
5) Nodes accept the block only if all transactions in it are valid and not already spent.
6) Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.

Nodes always consider the longest chain to be the correct one and will keep working on extending it. If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first. In that case, they work on the first one they received, but save the other branch in case it becomes longer. The tie will be broken when the next proof-of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one.

New transaction broadcasts do not necessarily need to reach all nodes. As long as they reach many nodes, they will get into a block before long. Block broadcasts are also tolerant of dropped messages. If a node does not receive a block, it will request it when it receives the next block and realizes it missed one.
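The timestamp chain of section 3, the nonce scan of section 4 and the longest-chain rule above, as one added example in Python. This is not code from the paper or from Bitcoin; it assumes single SHA-256 (Bitcoin uses double SHA-256), a leading-zero-bit count in place of Bitcoin's 256-bit target, JSON as the block serialization, a toy difficulty of 12 bits, and constructed sample items. It shows that a block's proof-of-work is checked with one hash, that rewriting a buried block and redoing only that block's work still leaves the chain invalid because every later block commits to the old hash, and that nodes adopt the longest chain that validates.

```python
"""Added example: a toy proof-of-work timestamp chain with the longest-chain rule."""
import hashlib
import json

DIFFICULTY_BITS = 12          # assumed toy difficulty: about 2**12 hashes per block
GENESIS_PREV = "0" * 64       # predecessor hash of the first block


def block_hash(prev_hash: str, items: list, nonce: int) -> str:
    """SHA-256 over (previous block hash, timestamped items, nonce). Including
    prev_hash is what makes each block reinforce every block before it."""
    payload = json.dumps({"prev": prev_hash, "items": items, "nonce": nonce},
                         sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def leading_zero_bits(hex_digest: str) -> int:
    """Leading zero bits of a 256-bit hash given as 64 hex characters."""
    return 256 - int(hex_digest, 16).bit_length()


def mine_block(prev_hash: str, items: list, bits: int = DIFFICULTY_BITS) -> dict:
    """Increment the nonce until the hash has `bits` leading zeros. Expected
    cost is about 2**bits hashes; verifying a candidate costs a single hash."""
    nonce = 0
    while True:
        digest = block_hash(prev_hash, items, nonce)
        if leading_zero_bits(digest) >= bits:
            return {"prev": prev_hash, "items": items, "nonce": nonce, "hash": digest}
        nonce += 1


def extend(chain: list, batches: list, bits: int = DIFFICULTY_BITS) -> list:
    """Copy `chain` and mine one block per batch of items on its tip; with an
    empty chain this builds a chain from the genesis predecessor."""
    branch = list(chain)
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    for items in batches:
        block = mine_block(prev, items, bits)
        branch.append(block)
        prev = block["hash"]
    return branch


def build_chain(batches: list, bits: int = DIFFICULTY_BITS) -> list:
    return extend([], batches, bits)


def valid_chain(chain: list, bits: int = DIFFICULTY_BITS) -> bool:
    """Every block must link to its predecessor, hash to its stored hash and
    meet the proof-of-work requirement; the check is one hash per block."""
    prev = GENESIS_PREV
    for block in chain:
        digest = block_hash(block["prev"], block["items"], block["nonce"])
        if block["prev"] != prev or digest != block["hash"] or leading_zero_bits(digest) < bits:
            return False
        prev = digest
    return True


def tamper_and_remine(chain: list, index: int, items: list,
                      bits: int = DIFFICULTY_BITS) -> list:
    """Rewrite one past block and redo only its own proof-of-work. The blocks
    after it still point at the old hash, so the chain fails validation unless
    the attacker also redoes all of their work (section 4)."""
    forged = list(chain)
    forged[index] = mine_block(chain[index]["prev"], items, bits)
    return forged


def choose_chain(candidates: list, bits: int = DIFFICULTY_BITS) -> list:
    """Section 5: nodes adopt the longest chain among those that validate;
    an invalid chain is rejected no matter how long it is."""
    valid = [c for c in candidates if valid_chain(c, bits)]
    return max(valid, key=len) if valid else []


if __name__ == "__main__":
    honest = build_chain([["tx1"], ["tx2"], ["tx3"]])          # constructed sample items
    forged = tamper_and_remine(honest, 0, ["tx1-rewritten"])
    fork = extend(honest[:2], [["tx3b"], ["tx4b"]])             # competing branch, longer
    print("honest valid:", valid_chain(honest), "forged valid:", valid_chain(forged))
    print("adopted chain length:", len(choose_chain([honest, forged, fork])))
```

Raising DIFFICULTY_BITS by one doubles the expected mining time while `valid_chain` stays at one hash per block, which is the asymmetry the paper relies on.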

6. Incentive

By convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. This adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them. The steady addition of a constant amount of new coins is analogous to gold miners expending resources to add gold to circulation. In our case, it is CPU time and electricity that is expended.

The incentive can also be funded with transaction fees. If the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction. Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free.

The incentive may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.

7. Reclaiming Disk Space

Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. To facilitate this without breaking the block's hash, transactions are hashed in a Merkle Tree [7][2][5], with only the root included in the block's hash. Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes do not need to be stored.

A block header with no transactions would be about 80 bytes. If we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year. With computer systems typically selling with 2GB of RAM as of 2008, and Moore's Law predicting current growth of 1.2GB per year, storage should not be a problem even if the block headers must be kept in memory.

8. Simplified Payment Verification

It is possible to verify payments without running a full network node. A user only needs to keep a copy of the block headers of the longest proof-of-work chain, which he can get by querying network nodes until he's convinced he has the longest chain, and obtain the Merkle branch linking the transaction to the block it's timestamped in. He can't check the transaction for himself, but by linking it to a place in the chain, he can see that a network node has accepted it, and blocks added after it further confirm the network has accepted it.

As such, the verification is reliable as long as honest nodes control the network, but is more vulnerable if the network is overpowered by an attacker. While network nodes can verify transactions for themselves, the simplified method can be fooled by an attacker's fabricated transactions for as long as the attacker can continue to overpower the network. One strategy to protect against this would be to accept alerts from network nodes when they detect an invalid block, prompting the user's software to download the full block and alerted transactions to confirm the inconsistency. Businesses that receive frequent payments will probably still want to run their own nodes for more independent security and quicker verification.
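The Merkle tree of section 7 and the Merkle branch check of section 8, as one added example in Python (not the paper's code and not Bitcoin Core's). It assumes single SHA-256 over hex strings, where Bitcoin hashes raw bytes twice, and constructed transaction ids; the rule that an odd node count pairs the last node with a copy of itself is Bitcoin's. It shows the branch an SPV client receives, the fold that must reproduce the root carried in the block header, why interior hashes off the path are never needed, and the compaction that keeps only the root plus branches for transactions still of interest.

```python
"""Added example: Merkle root, Merkle branch, SPV verification and block compaction."""
import hashlib


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def _pad(layer: list) -> list:
    """Odd node count: the last node is paired with a copy of itself."""
    return layer + [layer[-1]] if len(layer) % 2 else layer


def merkle_levels(txids: list) -> list:
    """All tree levels, leaves first, root last."""
    if not txids:
        raise ValueError("a block contains at least the coinbase transaction")
    levels = [list(txids)]
    while len(levels[-1]) > 1:
        layer = _pad(levels[-1])
        levels.append([sha256_hex(layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)])
    return levels


def merkle_root(txids: list) -> str:
    """The only value of the tree that goes into the block header."""
    return merkle_levels(txids)[-1][0]


def merkle_branch(txids: list, index: int) -> list:
    """Sibling hashes from the leaf up to (not including) the root, each tagged
    'L' or 'R' for the side the sibling sits on. Interior hashes that are not
    on this path are never needed by the verifier."""
    branch = []
    for layer in merkle_levels(txids)[:-1]:
        layer = _pad(layer)
        sibling = index ^ 1
        branch.append(("L" if sibling < index else "R", layer[sibling]))
        index //= 2
    return branch


def verify_branch(txid: str, branch: list, root: str) -> bool:
    """SPV check: fold the branch upward from the txid; the result must equal
    the Merkle root carried in the block header."""
    acc = txid
    for side, sibling in branch:
        acc = sha256_hex(sibling + acc) if side == "L" else sha256_hex(acc + sibling)
    return acc == root


def compact_block(txids: list, keep: list) -> dict:
    """Section 7: discard spent transactions and interior hashes, keeping the
    root and one branch per transaction still needed."""
    return {"root": merkle_root(txids),
            "branches": {txids[i]: merkle_branch(txids, i) for i in keep}}


def verify_compacted(block: dict, txid: str) -> bool:
    branch = block["branches"].get(txid)
    return branch is not None and verify_branch(txid, branch, block["root"])


if __name__ == "__main__":
    txids = [sha256_hex(f"constructed-tx-{i}") for i in range(5)]   # constructed sample
    root = merkle_root(txids)
    proof = merkle_branch(txids, 4)
    print("branch length:", len(proof), "verifies:", verify_branch(txids[4], proof, root))
    print("forged txid verifies:", verify_branch(sha256_hex("forged"), proof, root))
```

The branch length grows with the logarithm of the transaction count, which is what lets a client holding only 80-byte headers check a payment without the block body; the caveat in the text still applies, since the branch proves inclusion in a block, not that the block's transactions are valid.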

9. Combining and Splitting Value

Although it would be possible to handle coins individually, it would be unwieldy to make a separate transaction for every cent in a transfer. To allow value to be split and combined, transactions contain multiple inputs and outputs. Normally there will be either a single input from a larger previous transaction or multiple inputs combining smaller amounts, and at most two outputs: one for the payment, and one returning the change, if any, back to the sender.

It should be noted that fan-out, where a transaction depends on several transactions, and those transactions depend on many more, is not a problem here. There is never the need to extract a complete standalone copy of a transaction's history.
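The input/output model above, the fee rule of section 6 (fee = inputs minus outputs) and the "not already spent" check of section 5, step 5, as one added example in Python that is not the paper's code. It assumes integer amounts, ownership recorded as a label instead of a public key and signature, and constructed sample coins. A payment combines the spender's smaller coins, emits at most a payment output and a change output, and the ledger rejects a replay of the same transaction because its inputs are no longer in the unspent set.

```python
"""Added example: a minimal UTXO ledger with fees, change and double-spend rejection."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Outpoint:
    txid: str
    index: int


@dataclass(frozen=True)
class TxOut:
    value: int
    owner: str          # stands in for the public key of the next owner


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple       # Outpoints being spent
    outputs: tuple      # TxOuts being created


def make_txid(inputs: tuple, outputs: tuple) -> str:
    return hashlib.sha256(repr((inputs, outputs)).encode()).hexdigest()


class Ledger:
    def __init__(self):
        self.utxo = {}  # Outpoint -> TxOut: the coins not yet spent

    def add_coinbase(self, txid: str, value: int, owner: str) -> None:
        """Section 6: a block's first transaction creates a new coin."""
        self.utxo[Outpoint(txid, 0)] = TxOut(value, owner)

    def apply(self, tx: Tx, spender: str) -> int:
        """Validate, then apply atomically; returns the fee. Raises ValueError when an
        input is unknown or already spent, not owned by the spender, or overspent."""
        total_in = 0
        for op in tx.inputs:
            coin = self.utxo.get(op)
            if coin is None:
                raise ValueError(f"input {op} does not exist or is already spent")
            if coin.owner != spender:
                raise ValueError(f"input {op} is not owned by {spender}")
            total_in += coin.value
        if any(out.value < 0 for out in tx.outputs):
            raise ValueError("negative output")
        total_out = sum(out.value for out in tx.outputs)
        if total_out > total_in:
            raise ValueError("outputs exceed inputs")
        for op in tx.inputs:            # commit only after every check passed
            del self.utxo[op]
        for i, out in enumerate(tx.outputs):
            self.utxo[Outpoint(tx.txid, i)] = out
        return total_in - total_out     # the fee collected by the block's creator

    def rejects(self, tx: Tx, spender: str) -> bool:
        """True if the ledger refuses the transaction, e.g. a double spend."""
        try:
            self.apply(tx, spender)
        except ValueError:
            return True
        return False

    def balance(self, owner: str) -> int:
        return sum(c.value for c in self.utxo.values() if c.owner == owner)


def make_payment(ledger: Ledger, spender: str, payee: str, amount: int, fee: int) -> Tx:
    """Combine the spender's smallest coins until amount + fee is covered, then emit
    at most two outputs: the payment and, if any, change back to the spender."""
    coins = sorted(((op, c) for op, c in ledger.utxo.items() if c.owner == spender),
                   key=lambda item: item[1].value)
    chosen, total = [], 0
    for op, coin in coins:
        chosen.append(op)
        total += coin.value
        if total >= amount + fee:
            break
    else:
        raise ValueError("insufficient funds")
    outputs = [TxOut(amount, payee)]
    change = total - amount - fee
    if change:
        outputs.append(TxOut(change, spender))
    inputs, outputs = tuple(chosen), tuple(outputs)
    return Tx(make_txid(inputs, outputs), inputs, outputs)


if __name__ == "__main__":
    ledger = Ledger()
    ledger.add_coinbase("coinbase-1", 30, "alice")   # constructed sample coins
    ledger.add_coinbase("coinbase-2", 20, "alice")
    tx = make_payment(ledger, "alice", "bob", 35, 1)
    print("inputs:", len(tx.inputs), "outputs:", len(tx.outputs), "fee:", ledger.apply(tx, "alice"))
    print("replay rejected:", ledger.rejects(tx, "alice"))
```

The checks run to completion before any state changes, so a transaction that fails on its last input leaves the unspent set untouched; a real node additionally verifies the signature on each input against the public key recorded in the output it spends.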

10. Privacy

The traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party. The necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. This is similar to the level of information released by stock exchanges, where the time and size of individual trades, the "tape", is made public, but without telling who the parties were.

As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner. Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.
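The linking risk just described, as an added example in Python that is not from the paper. The transactions are constructed records whose inputs name the public keys that signed them. Keys that appear together as inputs of one transaction are merged into one cluster (the "same owner" inference the text calls unavoidable); once any key in a cluster is tied to a person, every transaction of that cluster is exposed. The same code run over transactions that use a fresh key per transaction with single inputs yields only singleton clusters, which is the defence the text recommends.

```python
"""Added example: common-input-ownership clustering over constructed transactions."""


def cluster_keys(transactions: list) -> dict:
    """Union-find over input keys. Returns key -> frozenset of keys linked to it."""
    parent = {}

    def find(key: str) -> str:
        while parent[key] != key:
            parent[key] = parent[parent[key]]   # path halving
            key = parent[key]
        return key

    for tx in transactions:
        keys = tx["inputs"]
        for key in keys:
            parent.setdefault(key, key)
        for key in keys[1:]:                    # all inputs of one tx share an owner
            parent[find(key)] = find(keys[0])
    members = {}
    for key in parent:
        members.setdefault(find(key), set()).add(key)
    return {key: frozenset(members[find(key)]) for key in parent}


def exposed_transactions(transactions: list, known_key: str) -> list:
    """txids attributable to the owner of known_key once that key is de-anonymised."""
    cluster = cluster_keys(transactions).get(known_key, frozenset({known_key}))
    return [tx["txid"] for tx in transactions if cluster.intersection(tx["inputs"])]


# Constructed sample: K2 is reused, so two multi-input transactions link K1, K2 and K4.
REUSED_KEY_TXS = [
    {"txid": "t1", "inputs": ["K1", "K2"], "outputs": ["K7"]},
    {"txid": "t2", "inputs": ["K3"], "outputs": ["K8"]},
    {"txid": "t3", "inputs": ["K2", "K4"], "outputs": ["K9"]},
    {"txid": "t4", "inputs": ["K5", "K6"], "outputs": ["K10"]},
]

# Constructed sample with a fresh key pair per transaction and single inputs: nothing links.
FRESH_KEY_TXS = [
    {"txid": "u1", "inputs": ["F1"], "outputs": ["F5"]},
    {"txid": "u2", "inputs": ["F2"], "outputs": ["F6"]},
    {"txid": "u3", "inputs": ["F3"], "outputs": ["F7"]},
]


if __name__ == "__main__":
    print("cluster of K4:", sorted(cluster_keys(REUSED_KEY_TXS)["K4"]))
    print("exposed if K4 is identified:", exposed_transactions(REUSED_KEY_TXS, "K4"))
    print("largest cluster with fresh keys:",
          max(len(c) for c in cluster_keys(FRESH_KEY_TXS).values()))
```

The heuristic is only as good as its premise: it also merges keys whenever inputs belonging to different owners are deliberately combined in one transaction, so a cluster is evidence, not proof, of common ownership.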

11. Calculations

We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain. Even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker. Nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them. An attacker can only try to change one of his own transactions to take back money he recently spent.

The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk. The success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attacker's chain being extended by one block, reducing the gap by -1.

The probability of an attacker catching up from a given deficit is analogous to a Gambler's Ruin problem. Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven. We can calculate the probability he ever reaches breakeven, or that an attacker ever catches up with the honest chain, as follows [8]:

Given our assumption that p > q, the probability drops exponentially as the number of blocks the attacker has to catch up with increases. With the odds against him, if he doesn't make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind.

We now consider how long the recipient of a new transaction needs to wait before being sufficiently certain the sender can't change the transaction. We assume the sender is an attacker who wants to make the recipient believe he paid him for a while, then switch it to pay back to himself after some time has passed.

The receiver will be alerted when that happens, but the sender hopes it will be too late. The receiver generates a new key pair and gives the public key to the sender shortly before signing. This prevents the sender from preparing a chain of blocks ahead of time by working on it continuously until he is lucky enough to get far enough ahead, then executing the transaction at that moment. Once the transaction is sent, the dishonest sender starts working in secret on a parallel chain containing an alternate version of his transaction.

The recipient waits until the transaction has been added to a block and z blocks have been linked after it. He doesn't know the exact amount of progress the attacker has made, but assuming the honest blocks took the average expected time per block, the attacker's potential progress will be a Poisson distribution with expected value:

To get the probability the attacker could still catch up now, we multiply the Poisson density for each amount of progress he could have made by the probability he could catch up from that point:

Rearranging to avoid summing the infinite tail of the distribution...

Converting to C code...

#include <math.h>

/* q: the attacker's share of hash power (p = 1 - q is the honest share);
   z: the number of blocks the attacker must catch up, i.e. the confirmations
   the recipient has waited for. Returns the probability that the attacker
   ever catches up with the honest chain. */
double AttackerSuccessProbability(double q, int z)
{
    double p = 1.0 - q;
    double lambda = z * (q / p);   /* expected attacker progress while the honest chain adds z blocks */
    double sum = 1.0;
    int i, k;
    for (k = 0; k <= z; k++)
    {
        /* Poisson probability that the attacker has made exactly k blocks of progress */
        double poisson = exp(-lambda);
        for (i = 1; i <= k; i++)
            poisson *= lambda / i;
        /* subtract the probability of being z - k behind and never catching up */
        sum -= poisson * (1 - pow(q / p, z - k));
    }
    return sum;
}

Running some results, we can see the probability drop off exponentially with z.
q=0.1
z=0 P=1.0000000
z=1 P=0.2045873
z=2 P=0.0509779
z=3 P=0.0131722
z=4 P=0.0034552
z=5 P=0.0009137
z=6 P=0.0002428
z=7 P=0.0000647
z=8 P=0.0000173
z=9 P=0.0000046
z=10 P=0.0000012
q=0.3
z=0 P=1.0000000
z=5 P=0.1773523
z=10 P=0.0416605
z=15 P=0.0101008
z=20 P=0.0024804
z=25 P=0.0006132
z=30 P=0.0001522
z=35 P=0.0000379
z=40 P=0.0000095
z=45 P=0.0000024
z=50 P=0.0000006
Solving for P less than 0.1%...
P < 0.001
q=0.10 z=5
q=0.15 z=8
q=0.20 z=11
q=0.25 z=15
q=0.30 z=24
q=0.35 z=41
q=0.40 z=89
q=0.45 z=340
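The same calculation as an added example in Python, not the paper's C. It keeps the paper's symbols (q, p = 1 - q, z, lambda = z*q/p) and adds two things the C listing does not show: a direct evaluation of the un-rearranged infinite sum, used as a cross-check that the finite rearrangement is exact, and the search that produces the "P < 0.001" table above. The cut-off for the tail of the direct sum is an assumption chosen for the sizes of z used here.

```python
"""Added example: attacker catch-up probability and confirmations needed for a target."""
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Rearranged finite form: 1 - sum_{k=0}^{z} Poisson(k) * (1 - (q/p)^(z-k))."""
    p = 1.0 - q
    lam = z * q / p
    poisson = math.exp(-lam)        # Poisson(0); updated incrementally below
    total = 1.0
    for k in range(z + 1):
        if k:
            poisson *= lam / k
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return total


def attacker_success_direct(q: float, z: int, tail: int = 80) -> float:
    """Un-rearranged form: sum over attacker progress k of Poisson(k) times the
    catch-up probability, (q/p)^(z-k) for k <= z and 1 once he is already ahead.
    Summed up to k = z + tail; beyond that the Poisson mass is negligible here
    (assumption that holds for the z values in the paper's tables)."""
    p = 1.0 - q
    lam = z * q / p
    poisson = math.exp(-lam)
    total = 0.0
    for k in range(z + tail + 1):
        if k:
            poisson *= lam / k
        total += poisson * ((q / p) ** (z - k) if k <= z else 1.0)
    return total


def confirmations_needed(q: float, target: float = 0.001, z_max: int = 10_000) -> int:
    """Smallest z for which the attacker's success probability is below target."""
    if q >= 0.5:
        raise ValueError("an attacker with at least half the hash power always catches up")
    for z in range(z_max + 1):
        if attacker_success_probability(q, z) < target:
            return z
    raise ValueError(f"no z <= {z_max} reaches the target")


if __name__ == "__main__":
    for q, step in ((0.1, 1), (0.3, 5)):
        print(f"q={q}")
        for z in range(0, 10 * step + 1, step):
            print(f"z={z} P={attacker_success_probability(q, z):.7f}")
    print("Solving for P less than 0.1%...")
    for q in (0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45):
        print(f"q={q:.2f} z={confirmations_needed(q)}")
```

The direct and rearranged forms agree to floating-point precision, which confirms that the rearrangement drops nothing; the practical caveat is that the model assumes the honest blocks arrived at the average rate, so a recipient sees z as a lower bound on the safety of a payment rather than an exact guarantee.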

12. Conclusion

We have proposed a system for electronic transactions without relying on trust. We started with the usual framework of coins made from digital signatures, which provides strong control of ownership, but is incomplete without a way to prevent double-spending. To solve this, we proposed a peer-to-peer network using proof-of-work to record a public history of transactions that quickly becomes computationally impractical for an attacker to change if honest nodes control a majority of CPU power. The network is robust in its unstructured simplicity. Nodes work all at once with little coordination. They do not need to be identified, since messages are not routed to any particular place and only need to be delivered on a best effort basis. Nodes can leave and rejoin the network at will, accepting the proof-of-work chain as proof of what happened while they were gone. They vote with their CPU power, expressing their acceptance of valid blocks by working on extending them and rejecting invalid blocks by refusing to work on them. Any needed rules and incentives can be enforced with this consensus mechanism.

References

[1] W. Dai, "b-money," http://www.weidai.com/bmoney.txt, 1998.
[2] H. Massias, X.S. Avila, and J.-J. Quisquater, "Design of a secure timestamping service with minimal trust requirements," In 20th Symposium on Information Theory in the Benelux, May 1999.
[3] S. Haber, W.S. Stornetta, "How to time-stamp a digital document," In Journal of Cryptology, vol 3, no 2, pages 99-111, 1991.
[4] D. Bayer, S. Haber, W.S. Stornetta, "Improving the efficiency and reliability of digital time-stamping," In Sequences II: Methods in Communication, Security and Computer Science, pages 329-334, 1993.
[5] S. Haber, W.S. Stornetta, "Secure names for bit-strings," In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 28-35, April 1997.
[6] A. Back, "Hashcash - a denial of service counter-measure," http://www.hashcash.org/papers/hashcash.pdf, 2002.
[7] R.C. Merkle, "Protocols for public key cryptosystems," In Proc. 1980 Symposium on Security and Privacy, IEEE Computer Society, pages 122-133, April 1980.
[8] W. Feller, "An introduction to probability theory and its applications," 1957.