Bitcoin: A Peer-to-Peer Electronic Cash System
Satoshi Nakamoto
2008.10.31
Abstract
1
A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution.
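Purely peer-to-peer electronic cash would let online payments go directly from one party to another without passing through a financial institution.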
2
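Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending.
Digital signatures provide part of the solution, but if a trusted third party is still needed to prevent double-spending, the main advantages (of electronic payment) are lost.
double-spending: the situation in which the same order could end up being paid for more than once.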
3
We propose a solution to the double-spending problem using a peer-to-peer network.
We propose solving the double-spending problem with a peer-to-peer network.
4
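The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work.
The peer-to-peer network timestamps every transaction by hashing the transaction data into a continuously growing, hash-based chain of proof-of-work, forming a record that cannot be changed unless the work is redone in full.
hash n. chopped food; a jumble, a hodgepodge; a restatement; vt. to make a mess of; to chop finely; to deliberate over; (computing) hash
ongoing adj. still in progress; continuing to advance; continuing to exist
It is like shopping: the network records the time of each transaction and appends the order to a constantly refreshed shopping list shared by all users; to change an order, you would have to redo the orders in the cart.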
5
The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power.
The longest chain proves the events that were witnessed and their order, and it also proves that it came from the largest pool of CPU power.
6
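As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers.
As long as most of the CPU power is controlled by nodes that are not cooperating to attack the network, they will generate the longest chain and outpace the attackers.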
7
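The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.
The network itself needs only minimal structure. Messages are propagated on a best-effort basis and nodes come and go freely, but on rejoining they always accept the longest proof-of-work chain as proof of everything that happened while they were away.
Minimal adj. lowest; least possible
Broadcast v. to transmit (a television or radio programme); to take part in a (radio or television) programme; to spread; to scatter (seed); n. a (radio or television) programme; a transmission; a scattering; a broadcast slot; adj. of a broadcast programme; scattered; of radio broadcasting; adv. by scattering
at will: as one pleases; freely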
1. Introduction
8
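Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments.
Commerce on the Internet depends almost entirely on financial institutions acting as trusted third parties to process electronic payments.
Exclusively adv. solely; exclusively; to the exclusion of others; as the only source (of information)
Come to v. to recall; to amount to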
9
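While the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model.
Although the system works well for most transactions, it still has the inherent weaknesses of a trust-based model.
Inherent adj. intrinsic; internal; innate, hereditary
Inherit: to inherit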
10
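Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes.
Completely irreversible transactions are not really possible, because financial institutions cannot avoid arbitrating disputes.
Mediate vi. to mediate; to act as go-between; to be in the middle; vt. to settle by mediation; to convey; adj. indirect; intermediate
"Since" here means "because".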
11
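The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for non-reversible services.
The cost of mediating disputes raises the cost of transactions, which limits the minimum practical transaction size and rules out small casual transactions; beyond that, losing the ability to make irreversible payments for irreversible services is a further, larger cost.
transition n. a passage from one state to another; a change; [molecular biology] transition; modulation (music)
transaction n. a deal; a piece of business; the carrying out of something; proceedings, a journal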
12
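With the possibility of reversal, the need for trust spreads. Merchants must be wary of their customers, hassling them for more information than they would otherwise need.
The possibility of reversal makes the need for trust spread everywhere. Merchants must be wary of their customers and trouble them for more information than would otherwise be necessary.
Merchants n. traders, wholesalers; shopkeepers; adj. commercial, of merchants
Wary adj. cautious; alert; apprehensive; considerate
Hassle n. a difficulty; a disagreement; jeering; v. to pester; to argue with
The last sentence is a little convoluted: the information the customer has to provide here is whatever proves their identity, such as an ID card number.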
13
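A certain percentage of fraud is accepted as unavoidable. These costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party.
A certain proportion of fraud is accepted as unavoidable. These costs and payment uncertainties can be avoided when people use physical currency in person, but no mechanism exists for making payments over a communications channel without a trusted party.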
14
What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party.
What we need is an electronic payment system based on cryptographic proof rather than trust, so that any two willing parties can transact directly with each other without a trusted third party.
15
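Transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers.
Transactions that cannot be reversed computationally would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers.
Computationally: in terms of computation
Impractical adj. unrealistic; not workable in practice
Escrow n. a deed held temporarily by a third party; a deposit (or sum) placed temporarily in a third party's keeping; temporary custody by a third party; v. to place with a third party until a condition is met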
16
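In this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions.
In this paper we propose solving the double-spending problem with a peer-to-peer distributed timestamp server that generates computational proof of the chronological order of transactions.
Chronological adj. arranged in order of occurrence; reckoned by time; in sequence
Distributed: distributed (computing)
Server: a server (computing)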
17
The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes.
As long as the honest nodes together have more CPU power than any cooperating group of attacker nodes, the system is secure.
2. Transactions
18
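We define an electronic coin as a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. A payee can verify the signatures to verify the chain of ownership.
We define an electronic coin as a chain of digital signatures. When an owner hands a coin to someone else, they append to the end of this chain a digital signature over the hash of the previous transaction and the new owner's public key. The payee can verify the signatures to verify the chain of ownership.
Payee: the recipient of a payment
PS: in this paper, money really is just a string of numbers.
Verify vt. to check; to confirm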
19
The problem of course is the payee can't verify that one of the owners did not double-spend the coin.
The problem, of course, is that the payee cannot verify whether one of the previous owners has double-spent the coin.
20
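A common solution is to introduce a trusted central authority, or mint, that checks every transaction for double spending.
A common solution is to introduce a trusted central authority, also called a mint, that checks every transaction for double-spending.
Mint n. mint (the plant); [finance] a mint, a huge sum of money; vt. to mint, to coin; adj. perfect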
21
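After each transaction, the coin must be returned to the mint to issue a new coin, and only coins issued directly from the mint are trusted not to be double-spent.
After every transaction the coin must be returned to the mint, which then issues a new coin, and only coins issued directly by the mint are trusted not to have been double-spent.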
22
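The problem with this solution is that the fate of the entire money system depends on the company running the mint, with every transaction having to go through them, just like a bank.
The problem with this solution is that the fate of the whole money system depends on the company that runs the mint, and every transaction has to go through them, just like a bank.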
23
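We need a way for the payee to know that the previous owners did not sign any earlier transactions. For our purposes, the earliest transaction is the one that counts, so we don't care about later attempts to double-spend.
We need the payee to be able to know that the previous owners of the coin did not sign any earlier transaction. For our purposes only the earliest transaction counts, so we do not care about later double-spend attempts.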
24
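The only way to confirm the absence of a transaction is to be aware of all transactions. In the mint based model, the mint was aware of all transactions and decided which arrived first.
The only way to be sure a transaction does not exist is to know about all transactions. In the mint-based model, the mint knows about all transactions and determines which arrived first (it can establish the order).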
25
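To accomplish this without a trusted party, transactions must be publicly announced [1], and we need a system for participants to agree on a single history of the order in which they were received.
To solve double-spending without a trusted party, transactions must be publicly announced, and we need a system in which participants can agree on a single history of the order in which transactions were received.
PS: the point here is that a system is needed to record the two parties' agreement on the transaction.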
26
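The payee needs proof that at the time of each transaction, the majority of nodes agreed it was the first received.
The payee needs proof that, at the time of each transaction, the majority of nodes agreed it was the first one received.
PS: that is, when the payee receives payment, the nodes can attest that this is the first time the payer has spent the coin, with no double-spend.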
3. Timestamp Server
27
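The solution we propose begins with a timestamp server. A timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash, such as in a newspaper or Usenet post [2-5].
The solution we propose starts with a timestamp server. A timestamp server works by timestamping the hash of a group of transaction records and then publishing that hash, as one would in a newspaper or a Usenet post.
Usenet n. the worldwide newsgroup network
A block of: a piece of, a large chunk of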
28
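The timestamp proves that the data must have existed at the time, obviously, in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.
Obviously, the timestamp proves that the data existed at that time, since otherwise it could not have gone into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, and each newly added timestamp reinforces the ones before it.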
4. Proof-of-Work
29
To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proof-of-work system similar to Adam Back's Hashcash [6], rather than newspaper or Usenet posts.
To run a distributed timestamp server on a peer-to-peer basis, we will need a proof-of-work system similar to Adam Back's Hashcash, rather than newspapers or Usenet posts.
30
The proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the hash begins with a number of zero bits.
Proof-of-work means searching for a value such that, when it is hashed, for example with SHA-256, the resulting hash begins with a certain number of zero bits.
31
The average work required is exponential in the number of zero bits required and can be verified by executing a single hash.
The work required changes exponentially with the number of leading zero bits, and it can be verified by computing a single hash.
32
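For our timestamp network, we implement the proof-of-work by incrementing a nonce in the block until a value is found that gives the block's hash the required zero bits.
For our timestamp network, we carry out the proof-of-work by incrementing a nonce in the block until a value is found that makes the block's hash begin with the required number of zero bits.
Increment n. [mathematics] an increment; an increase; an added amount; a surplus
Nonce adj. (of a word or expression) coined for one occasion; for a particular occasion; n. the present; a particular occasion; (informal) a child sex offender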
33
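Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work.
Once the CPU effort has produced a result that satisfies the proof-of-work requirement, the block cannot be tampered with unless the work is redone.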
34
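As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.
Once later blocks are linked after a block, the work to change that block includes redoing all the work of the blocks after it.
(The meaning here: to tamper, you would have to redo every transaction that came after the one you want to alter.)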
35
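The proof-of-work also solves the problem of determining representation in majority decision making.
Proof-of-work also solves the problem of who gets to represent the majority when making decisions.
Representation n. a representative; a depiction; a notation; a statement
Determine v. to (cause to) make up one's mind, to (cause to) decide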
36
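If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote.
If the majority were based on one IP address, one vote, it could be taken over by anyone who managed to obtain many IP addresses. Proof-of-work is essentially one CPU, one vote.
Subvert vt. to overthrow; to topple; to undermine
Allocate vt. to distribute; to set aside; to locate at; vi. to distribute; to designate
Essentially adv. in essence; originally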
37
The majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it.
"The majority" is represented by the longest chain, because the longest chain has the most proof-of-work in it.
38
If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains.
If most of the CPU power is controlled by honest nodes, the honest chain will grow fastest and overtake all competing chains.
39
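To modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes.
To modify a past block, an attacker must redo the proof-of-work of that block and of every block after it, and then catch up with and surpass the work (progress) of the honest nodes.
Modify vt. to alter, to qualify; to change; vi. to alter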
40
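We will show later that the probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added.
We will show later that, as blocks are added, the probability of a slower attacker catching up decreases exponentially.
Diminish vt. to reduce; to make smaller; vi. to decrease, to shrink; to become smaller
Subsequent adj. following
Subsequence n. what follows; a succession (especially a result or effect); (mathematics) a subsequence, a partial sequence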
41
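To compensate for increasing hardware speed and varying interest in running nodes over time, the proof-of-work difficulty is determined by a moving average targeting an average number of blocks per hour.
To cope with ever-increasing hardware power, and with the changes in the number of participating nodes that may occur over time, the proof-of-work difficulty is determined by a moving average based on the number of blocks produced per hour.
Compensate v. to make up for, to pay compensation; to offset
(The way the difficulty is defined here is clever: it is not the number produced per hour but the average of the growth rate, so it can track the pace of technological progress directly and cannot be exploited through a loophole in the system to profit from an information-asymmetry time lag.)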
42
If they're generated too fast, the difficulty increases.
If they are produced too fast, the difficulty increases.
5. Network
43
The steps to run the network are as follows:
1) New transactions are broadcast to all nodes.
2) Each node collects new transactions into a block.
3) Each node works on finding a difficult proof-of-work for its block.
4) When a node finds a proof-of-work, it broadcasts the block to all nodes.
5) Nodes accept the block only if all transactions in it are valid and not already spent.
6) Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.
The steps for running the network are:
1) New transactions are broadcast to all nodes.
2) Every node packs new transactions into a block.
3) Every node works on finding a difficult proof-of-work for that block.
4) When a node finds a proof-of-work, it broadcasts the block to all nodes.
5) Nodes accept the block only if every transaction in it is valid and has not been double-spent.
6) Nodes show the network that they accept the block by using the accepted block's hash as the previous hash when creating the next block.
44
Nodes always consider the longest chain to be the correct one and will keep working on extending it.
Nodes always treat the longest chain as the correct one and keep working to extend it.
45
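If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first.
If two nodes broadcast different versions of the next block at the same time, some nodes may receive one first while other nodes receive the other first.
Simultaneously adv. at the same time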
46
In that case, they work on the first one they received, but save the other branch in case it becomes longer.
In that case they keep working on the block they received first, but save the other branch in case it grows into the longest chain.
47
The tie will be broken when the next proof-of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one.
When the next proof-of-work is found and one branch becomes longer, the deadlock is broken, and the nodes working on the other branch switch to the longer chain.
48
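New transaction broadcasts do not necessarily need to reach all nodes. As long as they reach many nodes, they will get into a block before long.
New transaction broadcasts do not have to reach every node; as long as they reach enough nodes, the transactions will be packed into a block before long.
Before long: soon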
49
Block broadcasts are also tolerant of dropped messages. If a node does not receive a block, it will request it when it receives the next block and realizes it missed one.
Block broadcasts also tolerate dropped messages. If a node did not receive a block, it will realize it missed one when it receives the next block, and will then request the missing block.
6. Incentive
50
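By convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block.
By convention, the first transaction in a block is a special one, because it creates a coin owned by the creator of the block.
Convention n. a large meeting; [law] a custom; [computing] a convention; [law] an agreement; a usage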
51
This adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them.
This gives nodes an incentive to support the network and also provides a way to put coins into circulation, since the system has no central authority to issue them.
52
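The steady addition of a constant of amount of new coins is analogous to gold miners expending resources to add gold to circulation. In our case, it is CPU time and electricity that is expended.
This steady, continual addition of new coins is like gold miners continually expending resources to bring more gold into circulation. In the case of this paper, what is expended is CPU time and electricity.
Analogous adj. similar; [entomology] analogous (of the same function); comparable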
53
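The incentive can also be funded with transaction fees. If the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction.
The incentive can also come from transaction fees. If a transaction's output value is less than its input value, the difference is the transaction fee, and that fee rewards the node for packing the transaction into the block.
(Here "difference" means the shortfall between the two amounts. Neat!)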
54
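Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free.
Once a predetermined number of coins has entered circulation, the incentive can shift entirely to transaction fees and avoid inflation.
Predetermined v. decided in advance; predestined; (caused to) have an intention in advance (past tense and past participle of predetermine); adj. fixed in advance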
55
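The incentive may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins.
The incentive encourages nodes to stay honest. If a greedy attacker can assemble more CPU power than all the honest nodes, he has two choices: use that power to defraud people by stealing back his own payments, or use it to generate new coins.
Defraud vt. to cheat; vi. to commit fraud
Fraud n. deception; a swindler; a trick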
56
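He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.
He ought to find that playing by the rules is more profitable: the rules favour him with more new coins than everyone else combined, whereas undermining the system would reduce his own wealth to nothing.
Undermine vt. to damage, to erode gradually; to dig under foundations
validity n. [computing] validity; correctness; soundness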
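7. Reclaiming Disk Space
Reclaim vt. to open up (land); to recycle; to reform someone, to make someone repent; vi. to protest, to cry out; n. reform, reclamation; reclaimed rubber
Disk n. [computing] a magnetic disk, a diskette; a disc, a disc-shaped object; a record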
57
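Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space.
If a coin's most recent transaction lies enough blocks back, the coin's spending records from before that transaction can be discarded, which saves disk space.
Discard vt. to throw away; to give up; to abandon; vi. to give up; n. a throwing away; a discarded thing or person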
58
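To facilitate this without breaking the block's hash, transactions are hashed in a Merkle Tree [7][2][5], with only the root included in the block's hash.
To make this possible without breaking the block's hash, the hashes of the transaction records are placed in a Merkle tree, and only the root of the tree is included in the block's hash.
Facilitate vt. to promote; to help; to make easy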
59
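Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes do not need to be stored.
By cutting off branches of the tree, old blocks can be compacted; the interior hashes do not need to be kept.
compact adj. pocket-sized; tightly packed; solid; short and sturdy; concise
n. a small car; a powder compact with a mirror; a contract
v. to press firm; to make concise; to make dense, to compress; to conclude (an agreement)
stub n. a counterfoil; a cigarette butt; a tree stump; a broken stem; vt. to stamp out; to pull up by the roots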
60
A block header with no transactions would be about 80 bytes.
A block header without transaction data takes about 80 bytes.
61
If we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year.
Assuming one block is produced every 10 minutes, a year requires 80 * 6 * 24 * 365 = 4.2MB.
62
With computer systems typically selling with 2GB of RAM as of 2008, and Moore's Law predicting current growth of 1.2GB per year, storage should not be a problem even if the block headers must be kept in memory.
In 2008 computer systems are generally sold with 2GB of RAM, and Moore's Law predicts current growth of 1.2GB per year, so storage should not be a problem, even if the block headers have to be kept in memory.
8. Simplified Payment Verification
63
It is possible to verify payments without running a full network node.
Payments can be verified even without running a full network node.
64
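A user only needs to keep a copy of the block headers of the longest proof-of-work chain, which he can get by querying network nodes until he's convinced he has the longest chain, and obtain the Merkle branch linking the transaction to the block it's timestamped in.
The user only needs to keep a copy of the block headers of the longest proof-of-work chain, which he can get by querying network nodes until he is convinced he has the longest chain, and then obtain the Merkle branch that links the transaction to the block in which it was timestamped.
Query n. a question, a challenge; a question mark; [computing] a query; vt. to ask; to express doubt about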
65
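He can't check the transaction for himself, but by linking it to a place in the chain, he can see that a network node has accepted it, and blocks added after it further confirm the network has accepted it.
The user cannot check the transaction himself, but by linking it to a place in the chain he can see that a network node has accepted it, and the blocks added afterwards further confirm that the network has accepted it.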
66
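As such, the verification is reliable as long as honest nodes control the network, but is more vulnerable if the network is overpowered by an attacker.
As such, the verification is reliable as long as honest nodes control the network, but it becomes fragile if the system is taken over by an attacker.
Vulnerable adj. open to attack, exposed to attack by; easily hurt; having weaknesses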
67
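While network nodes can verify transactions for themselves, the simplified method can be fooled by an attacker's fabricated transactions for as long as the attacker can continue to overpower the network.
While network nodes can verify transactions for themselves, the simplified method can be deceived by an attacker's fabricated transactions for as long as the attacker can keep control of the network.
Fabricated v. made up; manufactured (past tense and past participle of fabricate); adj. fictitious
Fabricate vt. to manufacture; to forge; to assemble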
68
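One strategy to protect against this would be to accept alerts from network nodes when they detect an invalid block, prompting the user's software to download the full block and alerted transactions to confirm the inconsistency.
One strategy against this deception: network nodes raise an alert when they detect an invalid block, prompting the user's software to download the full block and the flagged transactions to confirm the inconsistency.
Prompt v. to cue, to encourage; to promote; to arouse; to cause; to feed lines (to an actor)
adj. quick, swift; immediate, timely; punctual; (of goods) for immediate delivery
n. a cue, a reminder of lines; a prompt (on a computer screen); encouragement; urging; a payment term
adv. punctually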
69
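Businesses that receive frequent payments will probably still want to run their own nodes for more independent security and quicker verification.
Businesses that receive payments frequently will probably still want to run their own full nodes, for more independent security and faster transaction confirmation.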
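The Merkle tree of section 7 and the simplified payment verification of section 8, as one added Python example that is not code from the paper. It assumes a single SHA-256 pass, pairs an odd node with itself, and reduces a header to a previous hash plus a Merkle root; the proof-of-work check on headers is left out here.

```python
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def merkle_levels(leaves):
    """All tree levels, leaves first, root last."""
    if not leaves:
        raise ValueError("a block needs at least one transaction")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:                 # assumed rule: pair an odd node with itself
            cur = cur + [cur[-1]]
        levels.append([h(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def merkle_root(leaves):
    return merkle_levels(leaves)[-1][0]


def merkle_branch(leaves, index):
    """Sibling hashes from leaf `index` up to the root, with each sibling's side."""
    branch = []
    for level in merkle_levels(leaves)[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        branch.append((level[sibling], sibling < index))   # (hash, sibling_is_left)
        index //= 2
    return branch


def verify_branch(tx_hash, branch, root):
    """Recompute the path to the root using only the branch, not the full block."""
    node = tx_hash
    for sibling, sibling_is_left in branch:
        node = h(sibling + node) if sibling_is_left else h(node + sibling)
    return node == root


def header_hash(header):
    return h(header["prev"] + header["merkle_root"])


def spv_confirmations(headers, height, tx_hash, branch):
    """Blocks at or after `height` if the branch proves the tx there, else 0."""
    for i in range(1, len(headers)):
        if headers[i]["prev"] != header_hash(headers[i - 1]):
            raise ValueError(f"header {i} does not link to header {i - 1}")
    if not verify_branch(tx_hash, branch, headers[height]["merkle_root"]):
        return 0
    return len(headers) - height


def sample_chain():
    """Constructed data: 4 headers; block 1 holds five made-up transactions."""
    txs = [h(b"constructed tx %d" % i) for i in range(5)]
    headers, prev = [], bytes(32)
    for n in range(4):
        root = merkle_root(txs) if n == 1 else h(b"other block %d" % n)
        headers.append({"prev": prev, "merkle_root": root})
        prev = header_hash(headers[-1])
    return txs, headers


if __name__ == "__main__":
    txs, headers = sample_chain()
    branch = merkle_branch(txs, 4)
    print("branch length:", len(branch), "of", len(txs), "transactions")
    print("confirmations:", spv_confirmations(headers, 1, txs[4], branch))
    print("forged tx:", spv_confirmations(headers, 1, h(b"forged"), branch))
```

The light client here never sees the other four transactions: three sibling hashes and the header chain are enough, which is also why it has to trust that the block behind the header was valid.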
9. Combining and Splitting Value
70
Although it would be possible to handle coins individually, it would be unwieldy to make a separate transaction for every cent in a transfer.
Although handling coins one by one is possible, making a separate record for every cent would be clumsy.
Unwieldy adj. clumsy; heavy; awkward; hard to handle
71
To allow value to be split and combined, transactions contain multiple inputs and outputs.
To allow value to be split and combined, transactions contain multiple inputs and outputs.
72
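Normally there will be either a single input from a larger previous transaction or multiple inputs combining smaller amounts, and at most two outputs: one for the payment, and one returning the change, if any, back to the sender.
Usually there is either a single input from a relatively large earlier transaction, or many inputs that combine smaller amounts; and there are at most two outputs: one is the payment (to the payee) and, if necessary, the other is the change (back to the sender).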
73
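It should be noted that fan-out, where a transaction depends on several transactions, and those transactions depend on many more, is not a problem here.
"Fan-out" is not a problem here; fan-out means that a transaction depends on several transactions, and those transactions in turn depend on many more.
(Fan-out is a technical term for the maximum number of digital inputs that a single logic gate can drive. Most TTL logic gates can feed signals to 10 other digital gates or drivers, so a typical TTL logic gate has a fan-out of 10.)
Fan-out is like breaking a project down, splitting it layer by layer until each small item can be carried out by someone.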
74
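There is never the need to extract a complete standalone copy of a transaction's history.
There is never any need to extract a complete standalone copy of a transaction's history.
Standalone adj. (of a computer) operating independently; (of a company) independent; n. offline operation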
10. Privacy
75
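The traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party.
The traditional banking model achieves a degree of privacy protection by restricting access to information to the parties to the transaction and the trusted third party.
a level of: a certain level of; a certain degree of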
76
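The necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous.
The need to announce all transactions publicly rules this method out (information is fully symmetric), but privacy can still be protected by interrupting the flow of information in another place: keeping public keys anonymous.
Preclude vt. to rule out; to hinder; to prevent
Anonymous adj. unnamed, nameless; without individual character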
77
The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone.
The public can see that someone sent a certain amount of bitcoin to someone else, but cannot obtain information linking it to anyone.
78
This is similar to the level of information released by stock exchanges, where the time and size of individual trades, the "tape", is made public, but without telling who the parties were.
This level of disclosure is a little like stock trading: the time and amount of each trade are public, but the public is not told who the two parties were.
79
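As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner.
There is one more firewall: every transaction should use a new public/private key pair, so that others cannot trace the transactions back to the same owner.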
80
Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner.
With multi-input transactions some linking is unavoidable, because these inputs necessarily reveal that they were owned by the same owner.
81
The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.
The danger is that once the owner of a public key is revealed, all the other transactions linked to it will be exposed.
11. Calculation
82
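We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain.
We consider a scenario in which an attacker is trying to generate an alternate chain faster than the honest chain.
Scenario n. a plan; a plot; a script
Alternate v. to (cause to) take turns, to (cause to) rotate; adj. alternating, by turns; at intervals, every other (day, etc.); (of one or more things) other, available as a choice; (of two things) mutually incompatible; alternative, unconventional; (of leaves or buds) alternate
n. a substitute, a deputy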
83
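Even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker.
Even if the attacker gets this far, it does not leave the system open to arbitrary changes: he cannot create value out of thin air, nor obtain money that never belonged to him.
Arbitrary adj. [mathematics] arbitrary; high-handed; despotic
(The system's algorithm guarantees it will not be at anyone's mercy, even if you pull off something that is theoretically low-probability.)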
84
Nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them.
Nodes will not accept an invalid transaction as payment, and honest nodes will never accept a block containing such transactions.
85
An attacker can only try to change one of his own transactions to take back money he recently spent.
An attacker can only try to change his own transaction in order to take back money he has already spent.
86
The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk.
The race between the honest chain and the attacker's chain can be viewed as a binomial random walk.
Binomial n. binomial distribution
87
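The success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attacker's chain being extended by one block, reducing the gap by -1.
The success event is that the honest chain gains a new block, increasing its lead by 1; the failure event is that the attacker's chain gains a new block, reducing the honest chain's lead by 1.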
88
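The probability of an attacker catching up from a given deficit is analogous to a Gambler's Ruin problem.
The probability of an attacker drawing level from behind is analogous to the gambler's ruin problem.
Deficit n. a shortfall in accounts; an amount lacking
Analogous adj. similar; [entomology] analogous (of the same function); comparable
(A rough understanding: if the attacker's probability of success on each attempt is less than 0.5 and the attacker keeps attacking indefinitely, the probability of success is 0.)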
89
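Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven.
Suppose a gambler starts at a loss, has unlimited chips, and wants to keep playing without limit in order to reach breakeven.
Breakeven n. recovering one's stake, neither losing nor gaining; adj. without profit or loss, with income and outgoings balanced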
90
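We can calculate the probability he ever reaches breakeven, or that an attacker ever catches up with the honest chain, as follows [8]:
We can calculate the probability that he reaches the breakeven point, or that an attacker catches up with the honest chain; the result is as follows: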
91
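Given our assumption that p > q, the probability drops exponentially as the number of blocks the attacker has to catch up with increases.
Since we assume p is greater than q, the attacker's probability of success falls exponentially as the number of blocks he has to overtake grows.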
92
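With the odds against him, if he doesn't make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind.
With the odds against him, if the attacker does not manage a lucky surge forward at the start, his chance of winning fades to nothing as he falls further behind.
Odds n. probability; chances of winning; inequality; difference
Lunge v. to charge, to pounce; to stab, to thrust; to train with a lunge line
n. a charge, a pounce; (in fencing) a lunge; a lunge line; a North American pike
vanishingly adv. imperceptibly; as if disappearing; tending to zero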
93
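We now consider how long the recipient of a new transaction needs to wait before being sufficiently certain the sender can't change the transaction.
We now consider how long the recipient of a new transaction has to wait before being sufficiently sure that the sender cannot change the transaction.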
94
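We assume the sender is an attacker who wants to make the recipient believe he paid him for a while, then switch it to pay back to himself after some time has passed.
We assume the sender is an attacker who wants to make the recipient believe, for a while, that he has been paid, and then to redirect the money back to himself.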
95
The receiver will be alerted when that happens, but the sender hopes it will be too late.
When that happens the receiver will get an alert, but the payer hopes that by then the matter will already be settled.
96
The receiver generates a new key pair and gives the public key to the sender shortly before signing.
The recipient generates a new public/private key pair and gives the public key to the sender shortly before signing.
97
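This prevents the sender from preparing a chain of blocks ahead of time by working on it continuously until he is lucky enough to get far enough ahead, then executing the transaction at that moment.
This prevents the following situation: the sender prepares blocks on a chain in advance by computing continuously, gets far enough ahead given enough luck, and only then carries out the transaction.
(Because transactions follow the longest chain, an attacker who holds the longest chain could alter the transaction and claw back the payment already sent. Once the payee receives the payer's public key he can look up the payer's transaction chain, so the attacker is simply given no time to prepare.)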
98
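Once the transaction is sent, the dishonest sender starts working in secret on a parallel chain containing an alternate version of his transaction.
Once the transaction has been made, the dishonest sender secretly starts work on another, parallel chain, trying to include in it a reversed version of the transaction.
(Here "alternate" means "mutually incompatible".)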
99
The recipient waits until the transaction has been added to a block and z blocks have been linked after it.
The recipient waits until the transaction has been packed into a block and z blocks have been added after it.
100
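He doesn't know the exact amount of progress the attacker has made, but assuming the honest blocks took the average expected time per block, the attacker's potential progress will be a Poisson distribution with expected value:
The recipient does not know the attacker's exact progress, but assuming the honest blocks took the average expected time per block, the attacker's potential progress follows a Poisson distribution whose expected value is:
Poisson n. Poisson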
101
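To get the probability the attacker could still catch up now, we multiply the Poisson density for each amount of progress he could have made by the probability he could catch up from that point:
To get the probability that the attacker can still catch up now, we multiply the Poisson density of each amount of progress the attacker may already have made by the probability that he can catch up from that point.
multiply ... by ...: to multiply one quantity by another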
102
Rearranging to avoid summing the infinite tail of the distribution...
Rearranging, to avoid summing the infinite series of the density distribution
103
Converting to C code...
Converting it into a C program
104
Running some results, we can see the probability drop off exponentially with z.
Running some of the results, we can see that the probability falls exponentially as z increases.
105
Solving for P less than 0.1%...
Working it out for the case where P is less than 0.1%
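The calculation described in sentences 99 to 105, as an added Python example that is not the paper's C code. It assumes the closed forms from the original paper, which did not survive on this page: a catch-up probability of (q/p)^z from a deficit of z blocks when q < p, and a Poisson mean of z*q/p for the attacker's progress, where q is the attacker's share of CPU power and p = 1 - q.

```python
import math


def catch_up_probability(q: float, z: int) -> float:
    """Gambler's-ruin probability that the attacker ever erases a deficit of z blocks."""
    p = 1.0 - q
    if q >= p:
        return 1.0          # with half or more of the power, catching up is certain
    return (q / p) ** z


def attacker_success_probability(q: float, z: int) -> float:
    """Probability the attacker still overtakes after the payee waited for z blocks.

    Sums, over every amount of progress k the attacker may have made in the
    meantime (Poisson with mean z*q/p), the chance of catching up from there.
    The sum is rearranged as 1 minus a finite sum to avoid the infinite tail.
    """
    if not 0.0 <= q < 1.0 or z < 0:
        raise ValueError("need 0 <= q < 1 and z >= 0")
    p = 1.0 - q
    if q >= p:
        return 1.0
    lam = z * (q / p)
    total = 1.0
    poisson = math.exp(-lam)            # Poisson density at k = 0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k          # density at k from density at k - 1
        total -= poisson * (1.0 - catch_up_probability(q, z - k))
    return total


def confirmations_needed(q: float, threshold: float = 0.001, z_max: int = 1000) -> int:
    """Smallest z for which the attacker's success probability is below threshold."""
    for z in range(z_max + 1):
        if attacker_success_probability(q, z) < threshold:
            return z
    raise ValueError("threshold not reached within z_max blocks")


def table(q: float, zs):
    """Rows of (z, probability) for a given attacker share q."""
    return [(z, attacker_success_probability(q, z)) for z in zs]


if __name__ == "__main__":
    for q in (0.10, 0.30):
        print(f"q = {q}")
        for z, prob in table(q, range(0, 11, 5)):
            print(f"  z = {z:2d}   P = {prob:.7f}")
    for q in (0.10, 0.15, 0.20, 0.25, 0.30):
        print(f"P < 0.1%  q = {q:.2f}  z = {confirmations_needed(q)}")
```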
12. Conclusion
106
We have proposed a system for electronic transactions without relying on trust.
We have proposed an electronic transaction system that does not need to rely on trust.
107
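We started with the usual framework of coins made from digital signatures, which provides strong control of ownership, but is incomplete without a way to prevent double-spending.
We began with the ordinary framework of coins made from digital signatures; although it gives strong control of ownership, it cannot prevent double-spending.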
108
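To solve this, we proposed a peer-to-peer network using proof-of-work to record a public history of transactions that quickly becomes computationally impractical for an attacker to change if honest nodes control a majority of CPU power.
To solve this, we proposed a peer-to-peer method that uses proof-of-work to record a public transaction history; if honest nodes control most of the CPU power, it quickly becomes computationally impractical for an attacker to alter the system.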
109
The network is robust in its unstructured simplicity.
The robustness of this network lies in its unstructured simplicity.
Robust adj. sturdy; healthy; rough; coarse
110
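Nodes work all at once with little coordination. They do not need to be identified, since messages are not routed to any particular place and only need to be delivered on a best effort basis.
Nodes can work at the same instant with very little coordination. They do not need to be identified, because the path of a message does not depend on a particular destination; messages only need to be propagated on a best-effort basis.
Coordination n. harmonizing, reconciling; equality, parity
(They only need to follow the longest chain.)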
111
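Nodes can leave and rejoin the network at will, accepting the proof-of-work chain as proof of what happened while they were gone.
Nodes can leave and rejoin the network at will; when a node rejoins, it only needs to accept the proof-of-work chain as proof of everything that happened while it was offline.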
112
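They vote with their CPU power, expressing their acceptance of valid blocks by working on extending them and rejecting invalid blocks by refusing to work on them.
Nodes vote with their CPU power: by continually adding new valid blocks to the chain and rejecting invalid blocks, they express whether or not they accept transactions as valid.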
113
Any needed rules and incentives can be enforced with this consensus mechanism.
All the necessary rules and rewards can be enforced by this consensus mechanism.
References
[1] W. Dai, "b-money," http://www.weidai.com/bmoney.txt, 1998.
[2] H. Massias, X.S. Avila, and J.-J. Quisquater, "Design of a secure timestamping service with minimal trust requirements," In 20th Symposium on Information Theory in the Benelux, May 1999.
[3] S. Haber, W.S. Stornetta, "How to time-stamp a digital document," In Journal of Cryptology, vol 3, no 2, pages 99-111, 1991.
[4] D. Bayer, S. Haber, W.S. Stornetta, "Improving the efficiency and reliability of digital time-stamping," In Sequences II: Methods in Communication, Security and Computer Science, pages 329-334, 1993.
[5] S. Haber, W.S. Stornetta, "Secure names for bit-strings," In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 28-35, April 1997.
[6] A. Back, "Hashcash - a denial of service counter-measure," http://www.hashcash.org/papers/hashcash.pdf, 2002.
[7] R.C. Merkle, "Protocols for public key cryptosystems," In Proc. 1980 Symposium on Security and Privacy, IEEE Computer Society, pages 122-133, April 1980.
[8] W. Feller, "An introduction to probability theory and its applications," 1957.