比特幣 (Bit Coin) 的運作原理

2013/12/16 | | 標籤：

前言

2008 年日本的「中本聰」（Satoshi Nakamoto，化名）提出了一種數位貨幣，有興趣者請參考「中本聰」的原始論文：

2009年1月3日，中本聰開創了比特幣P2P開源使用者群節點和雜湊函式系統，從此，其對等網路和它的第一個區塊鏈開始執行， 他發行了有史以來的第一組50個比特幣。

2013 年 11 月 18 日，在東京的 MT.GOX 市場交易的比特幣對美元匯率飆升至一對九百美元。

比特幣的運作方法

Multibit（雲端資料區塊功能） http://multibit.org/ MIT
Bitcoin-Qt（中本聰使用者端） http://sourceforge.net/projects/bitcoin/ MIT
My Wallet（線上錢包，獨立式） https://blockchain.info/wallet 專有軟體
Coinbase（線上錢包，混合式） http://coinbase.com 專有軟體
Electrum http://electrum.ecdsa.org/ GPL
Armory（具有離線儲存功能） http://bitcoinarmory.com AGPL

中本聰的論文

The problem of course is the payee can’t verify that one of the owners did not double-spend the coin. A common solution is to introduce a trusted central authority, or mint, that checks every transaction for double spending. After each transaction, the coin must be returned to the mint to issue a new coin, and only coins issued directly from the mint are trusted not to be double-spent. The problem with this solution is that the fate of the entire money system depends on the company running the mint, with every transaction having to go through them, just like a bank

We need a way for the payee to know that the previous owners did not sign any earlier transactions. For our purposes, the earliest transaction is the one that counts, so we don’t care about later attempts to double-spend. The only way to confirm the absence of a transaction is to be aware of all transactions. In the mint based model, the mint was aware of all transactions and decided which arrived first. To accomplish this without a trusted party, transactions must be publicly announced, and we need a system for participants to agree on a single history of the order in which they were received. The payee needs proof that at the time of each transaction, the majority of nodes agreed it was the first received.

The solution we propose begins with a timestamp server. A timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash, such as in a newspaper or Usenet post. The timestamp proves that the data must have existed at the time, obviously, in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.

雜湊現金系統

To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proof-of-work system similar to Adam Back’s Hashcash, rather than newspaper or Usenet posts.

• 註 1：上述 Adam Back 的論文並非第一篇，而是 Adam Back 在 1997 年提出 hashcash stamp 五年後的一個總結版本，後來 Adam Back 為此成立了 http://www.hashcash.org/ 這個網站：
• 註 2：學術論文往往都是這樣，看一篇論文時，最麻煩的是一層一層往上追，追出與該技術相關的重要論文，以便串出整個故事的脈絡。

成本函數 (Cost-Functions)

A cost-function should be efﬁciently veriﬁable, but parameterisably expensive to compute. We use the following notation to deﬁne a cost-function.

hashcash 提出質詢的方式是，當通過安全散列算法（Secure Hash Algorithm）進行散列時，要求 “minters” 生成一個字符串（戳記，stamps），在它們的散列中有很多前導零。所找到的前導零的數目就是特定戳記的比特值。 給定 SHA-1 的一致性與加密強度，找出給定比特值的 hashcash 戳記的惟一已知途徑是平均  次運行 SHA-1。

• 註 3：必須注意的是，比特幣採用的算法是 SHA-2 族群的 SHA-256 算法，而非上述防止垃圾郵件文章中所使用的 SHA-1 演算法，SHA-256 比 SHA-1 更加安全，更難破解。
• 註 4：SHA-2 一族的算法針對 SHA-1 進行了安全改良，SHA-2 其實是 SHA-224, SHA-256, SHA-384, SHA-512 的統稱。

驗證系統

D:\Dropbox\Public\web\codedata\code\sha1>gcc hashcash.c -o hashcash

D:\Dropbox\Public\web\codedata\code\sha1>hashcash
Current local time and date: Mon Dec 16 19:33:03 2013
msg=from:abc@gmail.com to:ccckmit@gmail.com title=hello! nonce=13973878
hash=00000016aa26951d1653fe515f112fe41d8ebd45
Current local time and date: Mon Dec 16 19:34:27 2013

from:abc@gmail.com to:ccckmit@gmail.com title=hello! nonce=13973878

The proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash.

For our timestamp network, we implement the proof-of-work by incrementing a nonce in the block until a value is found that gives the block’s hash the required zero bits.

Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.

The proof-of-work also solves the problem of determining representation in majority decision making. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote. The majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it. If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. To modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes. We will show later that the probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added.

• 註 5 : 在 https://en.bitcoin.it/wiki/Nonce 這個比特幣網站中，對 Nonce 一詞進行了解釋如下，所以比特幣要求 SHA-256 要能找出可以符合 b 個前導零的簽章才能被認證，這也是為何前導零越多越難找到的原因了。

The “nonce" in a bitcoin block is a 32-bit (4-byte) field whose value is set so that the hash of the block will contain a run of zeros. The rest of the fields may not be changed, as they have a defined meaning.

Any change to the block data (such as the nonce) will make the block hash completely different. Since it is believed infeasible to predict which combination of bits will result in the right hash, many different nonce values are tried, and the hash is recomputed for each value until a hash containing the required number of zero bits is found. As this iterative calculation requires time and resources, the presentation of the block with the correct nonce value constitutes proof of work.

The nonce (rhymes with once), is a user editable 4 byte field to calculate the final hash. This will typically start at 0, and for every unsuccessful hash will be incremented and hashed again. It will continue this until 2^32 numbers are checked, and if the last one is invalid, a message will be sent to the network saying the Merkle Root extended nonce needs to be increased and the whole process starts again.

So how do you determine if the hash is valid or not? The target. The final hash needs to be less than or equal to the target.

This target is the “Bits" field, only it has to be padded. However, since getting such a low target (in most cases) is so difficult, so most miners choose the largest target value they can compare to and check to see if the hash they got meets the requirements and then sends it off.

簽章與貨幣之間的關係

By convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. This adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them. The steady addition of a constant of amount of new coins is analogous to gold miners expending resources to add gold to circulation. In our case, it is CPU time and electricity that is expended.

參考文獻

【時時科科．2020】桌曆＋線裝筆記本開始預購

🚀 泛科學院獨家線上新課募資 🚀 限量55折預購

【好好說話，做自己的口才教練！10堂一生受用的口語表達課】

「上台說話報告時腦袋一片空白嗎？與人對談尷尬癌就發作？如何清楚表達自己想說的話？怎麼說話才能抓住人心讓人印象深刻呢？」泛科學院與榮恩同樂會共同合作，從表達的心法到語言聲韻的技巧掌握，讓你找到自信，在家就可練出好口才！