4. 工作量证明-Proof-of-Work
To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proofof-work system similar to Adam Back's Hashcash [6], rather than newspaper or Usenet posts. The proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash. 为了在点对点的基础上实现分布式时间戳服务器,我们需要使用类似于Adam Back的Hashc.[6]的校验系统,而不是报纸或Usenet帖子。工作证明包括扫描一个值,当进行散列时,例如使用SHA-256,散列以零位数开始。所需的平均功在所需零位的数量上是指数的,并且可以通过执行单个散列来验证。
For our timestamp network, we implement the proof-of-work by incrementing a nonce in the block until a value is found that gives the block's hash the required zero bits. Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it. 对于我们的时间戳网络,我们通过在块中增加一个nonce来实现工作证明,直到找到使块的哈希值达到所需的零位为止。一旦CPU工作耗费了使其满足工作的证明,块就不能被改变而不重做工作。当后面的块被链接后,改变块的工作将包括重做之后的所有块。
The proof-of-work also solves the problem of determining representation in majority decision making. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote. The majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it. If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. To modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes. We will show later that the probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added. 工作证明也解决了在多数决策中确定表示的问题。如果大多数是基于一个IP地址一次投票,它可以被任何能够分配许多IPS的人所颠覆。工作证明基本上是一个CPU一个表决。多数决策由最长链表示,它具有最大的工作投入证明。如果大部分CPU功率由诚实的节点控制,诚实链将增长最快,并超过任何竞争链。要修改过去的块,攻击者必须重做块及其后的所有块的工作证明,然后追赶并超过诚实节点的工作。稍后我们将显示,较慢的攻击者追赶的概率随着后续块的增加而指数降低。
To compensate for increasing hardware speed and varying interest in running nodes over time, the proof-of-work difficulty is determined by a moving average targeting an average number of blocks per hour. If they're generated too fast, the difficulty increases. 为了补偿硬件速度的提高和对运行节点随时间变化的兴趣,工作证明难度通过以平均每小时块数为目标的移动平均数来确定。如果它们生成得太快,难度就会增加。
为了在点对点的基础上构建一组分散化的时间戳服务器,仅仅像报纸或世界性新闻网络组一样工作是不够的,我们还需要一个类似于亚当•柏克(Adam Back)提出的哈希现金(Hashcash)[6] 。在进行随机散列运算时,工作量证明机制引入了对某一个特定值的扫描工作,比方说SHA-256下,随机散列值以一个或多个0开始。那么随着0的数目的上升, 找到这个解所需要的工作量将呈指数增长,而对结果进行检验则仅需要一次随机散列运算。
我们在区块中补增一个随机数(Nonce),这个随机数要使得该给定区块的随机散列值出现了所需的那么多个0。我们通过反复尝试来找到这个随机数,直到找到为止,这样我们就构建了一个工作量证明机制。只要该CPU耗费的工作量能够满足该工作量证明机制,那么除非重新完成相当的工作量,该区块的信息就不可更改。由于之后的区块是链接在该区块之后的,所以想要更改该区块中的信息,就还需要重新完成之后所有区块的全部工作量。
同时,该工作量证明机制还解决了在集体投票表决时,谁是大多数的问题。如果决定大多数的方式是基于IP地址的,一IP地址一票,那么如果有人拥有分配大量IP地址的权力,则该机制就被破坏了。而工作量证明机制的本质则是一CPU一票。“大多数”的决定表达为最长的链,因为最长的链包含了最大的工作量。如果大多数的CPU为诚实的节点控制,那么诚实的链条将以最快的速度延长,并超越其他的竞争链条。如果想要对业已出现的区块进行修改,攻击者必须重新完成该区块的工作量外加该区块之后所有区块的工作量,并最终赶上和超越诚实节点的工作量。我们将在后文证明,设想一个较慢的攻击者试图赶上随后的区块,那么其成功概率将呈指数化递减。
另一个问题是,硬件的运算速度在高速增长,而节点参与网络的程度则会有所起伏。为了解决这个问题,工作量证明的难度(the proof-of-work difficulty)将采用移动平均目标的方法来确定,即令难度指向令每小时生成区块的速度为某一个预定的平均数。如果区块生成的速度过快,那么难度就会提高。
5. 网络-Network
The steps to run the network are as follows:
1) New transactions are broadcast to all nodes.
2) Each node collects new transactions into a block.
3) Each node works on finding a difficult proof-of-work for its block.
4) When a node finds a proof-of-work, it broadcasts the block to all nodes.
5) Nodes accept the block only if all transactions in it are valid and not already spent.
6) Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash. 运行网络的步骤如下:
1)新的事务被广播到所有节点。
2)每个节点将新的事务收集到一个块中。
3)每个节点都在为其块找到一个困难的工作证明。
4)当节点找到工作证明时,它将该块广播到所有节点。
5)只有当所有的事务都是有效的而不是已经使用的时候,节点才接受块。
6)节点通过创建链中的下一个块,使用所接受块的散列作为前一散列,来表达它们对块的接受。
Nodes always consider the longest chain to be the correct one and will keep working on extending it. If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first. In that case, they work on the first one they received, but save the other branch in case it becomes longer. The tie will be broken when the next proofof-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one. 节点总是把最长的链看作正确的链,并不断地进行扩展。如果两个节点同时广播下一个块的不同版本,则一些节点可以首先接收一个或另一个。在这种情况下,他们工作的第一个他们收到,但保存另一个分支,以使其更长的时间。当发现下一个校验工作并且一个分支变长时,绑定将被打破;在另一个分支上工作的节点将随后切换到更长的一个。
New transaction broadcasts do not necessarily need to reach all nodes. As long as they reach many nodes, they will get into a block before long. Block broadcasts are also tolerant of dropped messages. If a node does not receive a block, it will request it when it receives the next block and realizes it missed one. 新的交易广播不一定需要到达所有节点。只要它们到达许多节点,它们不久就会进入一个块。块广播也容忍丢弃的消息。如果一个节点没有接收到一个块,它将在接收下一个块时请求它,并意识到它丢失了一个块。
运行该网络的步骤如下:
1) 新的交易向全网进行广播;
2) 每一个节点都将收到的交易信息纳入一个区块中;
3) 每个节点都尝试在自己的区块中找到一个具有足够难度的工作量证明;
4) 当一个节点找到了一个工作量证明,它就向全网进行广播;
5) 当且仅当包含在该区块中的所有交易都是有效的且之前未存在过的,其他节点才认同该区块的有效性;
6) 其他节点表示他们接受该区块,而表示接受的方法,则是在跟随该区块的末尾,制造新的区块以延长该链条,而将被接受区块的随机散列值视为先于新区快的随机散列值。
节点始终都将最长的链条视为正确的链条,并持续工作和延长它。如果有两个节点同时广播不同版本的新区块,那么其他节点在接收到该区块的时间上将存在先后差别。当此情形,他们将在率先收到的区块基础上进行工作,但也会保留另外一个链条,以防后者变成最长的链条。该僵局(tie)的打破要等到下一个工作量证明被发现,而其中的一条链条被证实为是较长的一条,那么在另一条分支链条上工作的节点将转换阵营,开始在较长的链条上工作。
所谓“新的交易要广播”,实际上不需要抵达全部的节点。只要交易信息能够抵达足够多的节点,那么他们将很快被整合进一个区块中。而区块的广播对被丢弃的信息是具有容错能力的。如果一个节点没有收到某特定区块,那么该节点将会发现自己缺失了某个区块,也就可以提出自己下载该区块的请求。
6. 激励-Incentive
By convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. This adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them. The steady addition of a constant of amount of new coins is analogous to gold miners expending resources to add gold to circulation. In our case, it is CPU time and electricity that is expended. 按照惯例,块中的第一个事务是启动块创建者所拥有的新硬币的特殊事务。这增加了节点支持网络的动机,并且提供了一种最初将硬币分发到流通中的方法,因为没有中央机构发行硬币。新硬币数量不变的稳定增加,类似于黄金开采者耗费资源增加黄金流通。在我们的例子中,是CPU时间和耗电量。
The incentive can also be funded with transaction fees. If the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction. Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free. 激励也可以用交易费用来资助。如果交易的输出值小于它的输入值,那么差额就是交易费用,它被加到包含交易的块的激励值上。一旦预定数量的硬币进入流通,刺激可以完全转变为交易费用,完全没有通货膨胀。
The incentive may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth. 激励可能有助于鼓励节点保持诚实。如果一个贪婪的攻击者能够比所有诚实的节点组装更多的CPU能力,那么他必须选择使用CPU能力通过偷回他的支付来欺骗人们,或者使用它来生成新的硬币。他应该发现遵守这些规则比破坏制度和他自己财富的合法性更有利可图,这些规则比任何人合起来都更有利于他拥有更多的新硬币。
我们约定如此:每个区块的第一笔交易进行特殊化处理,该交易产生一枚由该区块创造者拥有的新的电子货币。这样就增加了节点支持该网络的激励,并在没有中央集权机构发行货币的情况下,提供了一种将电子货币分配到流通领域的一种方法。这种将一定数量新货币持续增添到货币系统中的方法,非常类似于耗费资源去挖掘金矿并将黄金注入到流通领域。此时,CPU的时间和电力消耗就是消耗的资源。
另外一个激励的来源则是交易费(transaction fees)。如果某笔交易的输出值小于输入值,那么差额就是交易费,该交易费将被增加到该区块的激励中。只要既定数量的电子货币已经进入流通,那么激励机制就可以逐渐转换为完全依靠交易费,那么本货币系统就能够免于通货膨胀。
激励系统也有助于鼓励节点保持诚实。如果有一个贪婪的攻击者能够调集比所有诚实节点加起来还要多的CPU计算力,那么他就面临一个选择:要么将其用于诚实工作产生新的电子货币,或者将其用于进行二次支付攻击。那么他就会发现,按照规则行事、诚实工作是更有利可图的。因为该等规则使得他能够拥有更多的电子货币,而不是破坏这个系统使得其自身财富的有效性受损。
