Finxter Bitcoin Whitepaper CheatSheet High Res
The problem of course is the payee can't verify that one of the owners did not double-spend the coin. A common solution is to introduce a trusted central authority, or mint, that checks every transaction for double spending. After each transaction, the coin must be returned to the mint to issue a new coin, and only coins issued directly from the mint are trusted not to be double-spent. The problem with this solution is that the fate of the entire money system depends on the company running the mint, with every transaction having to go through them, just like a bank.

We need a way for the payee to know that the previous owners did not sign any earlier transactions. For our purposes, the earliest transaction is the one that counts, so we don't care about later attempts to double-spend. The only way to confirm the absence of a transaction is to be aware of all transactions. In the mint-based model, the mint was aware of all transactions and decided which arrived first. To accomplish this without a trusted party, transactions must be publicly announced [1], and we need a system for participants to agree on a single history of the order in which they were received. The payee needs proof that at the time of each transaction, the majority of nodes agreed it was the first received.

3. Timestamp Server
The solution we propose begins with a timestamp server. A timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash, such as in a newspaper or Usenet post [2-5]. The timestamp proves that the data must have existed at the time, obviously, in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.

4. Proof-of-Work
To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proof-of-work system similar to Adam Back's Hashcash [6], rather than newspaper or Usenet posts. The proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash.

For our timestamp network, we implement the proof-of-work by incrementing a nonce in the block until a value is found that gives the block's hash the required zero bits. Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.

will request it when it receives the next block and realizes it missed one.

6. Incentive
By convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. This adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them. The steady addition of a constant amount of new coins is analogous to gold miners expending resources to add gold to circulation. In our case, it is CPU time and electricity that is expended.

The incentive can also be funded with transaction fees. If the output value of a transaction is less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction. Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free.

The incentive may help encourage nodes to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.

7. Reclaiming Disk Space
Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. To facilitate this without breaking the block's hash, transactions are hashed in a Merkle Tree [7][2][5], with only the root included in the block's hash. Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes do not need to be stored.

A block header with no transactions would be about 80 bytes. If we suppose blocks are generated every 10 minutes, 80 bytes * 6 * 24 * 365 = 4.2MB per year. With computer systems typically selling with 2GB of RAM as of 2008, and Moore's Law predicting current growth of 1.2GB per year, storage should not be a problem even if the block headers must be kept in memory.

depends on several transactions, and those transactions depend on many more, is not a problem here. There is never the need to extract a complete standalone copy of a transaction's history.

10. Privacy
The traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party. The necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. This is similar to the level of information released by stock exchanges, where the time and size of individual trades, the "tape", is made public, but without telling who the parties were.

As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner. Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.

11. Calculations
We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain. Even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker. Nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them. An attacker can only try to change one of his own transactions to take back money he recently spent.

The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk. The success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attacker's chain being extended by one block, reducing the gap by -1.

The probability of an attacker catching up from a given deficit is analogous to a Gambler's Ruin problem. Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven. We can calculate the probability he ever reaches breakeven, or that an attacker ever catches up with the honest chain, as follows [8]:

Converting to C code (the page's listing starts at "int i, k;"; the include, the function signature and the initialisation of p, lambda and sum are restored from the whitepaper's original listing so that the function compiles and runs):

    #include <math.h>

    /* Probability that an attacker controlling fraction q of the CPU power
       ever catches up from z blocks behind the honest chain. */
    double AttackerSuccessProbability(double q, int z)
    {
        double p = 1.0 - q;             /* honest share of the CPU power */
        double lambda = z * (q / p);    /* expected attacker progress while z honest blocks are found */
        double sum = 1.0;
        int i, k;
        for (k = 0; k <= z; k++)
        {
            /* Poisson probability that the attacker has made k blocks of progress */
            double poisson = exp(-lambda);
            for (i = 1; i <= k; i++)
                poisson *= lambda / i;
            /* subtract the cases where he then fails to close the remaining z-k gap */
            sum -= poisson * (1 - pow(q / p, z - k));
        }
        return sum;
    }

Running some results, we can see the probability drop off exponentially with z.

    q=0.1                  q=0.3
    z=0   P=1.0000000      z=0   P=1.0000000
    z=1   P=0.2045873      z=5   P=0.1773523
    z=2   P=0.0509779      z=10  P=0.0416605
    z=3   P=0.0131722      z=15  P=0.0101008
    z=4   P=0.0034552      z=20  P=0.0024804
    z=5   P=0.0009137      z=25  P=0.0006132
    z=6   P=0.0002428      z=30  P=0.0001522
    z=7   P=0.0000647      z=35  P=0.0000379
    z=8   P=0.0000173      z=40  P=0.0000095
    z=9   P=0.0000046      z=45  P=0.0000024
    z=10  P=0.0000012      z=50  P=0.0000006

Solving for P less than 0.1%...

    P < 0.001
    q=0.10  z=5
    q=0.15  z=8
    q=0.20  z=11
    q=0.25  z=15
    q=0.30  z=24
    q=0.35  z=41
    q=0.40  z=89
    q=0.45  z=340

12. Conclusion
We have proposed a system for electronic transactions without relying on trust. We started with the usual framework of coins made from digital signatures, which provides strong control of ownership, but is incomplete without a way to prevent double-spending. To solve this, we proposed a peer-to-peer network using proof-of-work to record a public history of transactions that quickly becomes computationally impractical for an attacker to change if honest nodes control a majority of CPU power. The network is robust in its unstructured simplicity. Nodes work all at once with little coordination. They do not need to be identified, since messages are not routed to any particular place and only need to be delivered on a best effort basis. Nodes can leave and rejoin the network at will, accepting the proof-of-work chain as proof of what happened while they were gone. They vote with their CPU power, expressing their acceptance of valid blocks by working on extending them and rejecting invalid blocks by refusing to work on them. Any needed rules and incentives can be enforced with this consensus mechanism.

References
[1] W. Dai, "b-money," http://www.weidai.com/bmoney.txt, 1998.
[2] Massias, et al., "Design of a secure timestamping service with minimal trust requirements," In 20th Symposium on Information Theory in the Benelux, May 1999.
[3] S. Haber, W.S. Stornetta, "How to time-stamp a digital document," In Journal of Cryptology, vol 3, no 2, pages 99-111, 1991.
[4] Bayer et al., "Improving the efficiency and reliability of digital time-stamping," In Sequences II: Methods in Comm., Security and Computer Science, p. 329-334, 1993.
[5] S. Haber, W.S. Stornetta, "Secure names for bit-strings," In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 28-35, April 1997.
[6] A. Back, "Hashcash - a denial of service counter-measure," http://www.hashcash.org/papers/hashcash.pdf, 2002.
[7] R.C. Merkle, "Protocols for public key cryptosystems," In Proc. 1980 Symposium on Security and Privacy, IEEE Computer Society, pages 122-133, April 1980.
[8] W. Feller, "An introduction to probability theory and its applications," 1957.
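Worked example for sections 3, 4 and 7 (the hash chain, the nonce search for leading zero bits, and the Merkle tree whose interior hashes can be stubbed off). This is an added illustration, not code from the whitepaper or from the Finxter cheatsheet: SHA-256 stands in for the hash function, the 12-bit target, the 32-byte header layout and the transaction strings are assumptions chosen so the search finishes in milliseconds, and the tamper demo shows the point of section 4 in practice, that editing a buried transaction breaks the block's own proof-of-work and every block chained after it.

```python
"""Toy timestamp chain: Merkle root per block, proof-of-work by nonce search,
and a check that rewriting a buried transaction invalidates the chain.
Added example; the target, layout and sample transactions are assumptions."""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

DIFFICULTY_BITS = 12  # assumed target: the block hash must begin with 12 zero bits
GENESIS_PREV = b"\x00" * 32


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _next_level(level: List[bytes]) -> List[bytes]:
    if len(level) % 2:              # odd node is paired with itself
        level = level + [level[-1]]
    return [sha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(txs: List[bytes]) -> bytes:
    """Section 7: hash transactions pairwise until a single root remains."""
    if not txs:
        raise ValueError("a block needs at least one transaction")
    level = [sha256(tx) for tx in txs]
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_branch(txs: List[bytes], index: int) -> List[Tuple[bytes, bool]]:
    """Sibling hashes from leaf `index` up to the root, each tagged with whether
    the sibling is on the right. Root plus branch is all that must be kept for
    one transaction once the rest of the tree has been stubbed off."""
    level = [sha256(tx) for tx in txs]
    branch = []
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        branch.append((level[sibling], sibling > index))
        level = _next_level(level)
        index //= 2
    return branch


def verify_branch(tx: bytes, branch: List[Tuple[bytes, bool]], root: bytes) -> bool:
    h = sha256(tx)
    for sibling, on_right in branch:
        h = sha256(h + sibling) if on_right else sha256(sibling + h)
    return h == root


def leading_zero_bits(h: bytes) -> int:
    return len(h) * 8 - int.from_bytes(h, "big").bit_length()


@dataclass
class Block:
    prev_hash: bytes   # section 3: each block commits to the previous block's hash
    root: bytes        # section 7: only the Merkle root enters the block hash
    nonce: int = 0

    def digest(self) -> bytes:
        return sha256(self.prev_hash + self.root + self.nonce.to_bytes(8, "big"))


def mine(block: Block, bits: int = DIFFICULTY_BITS) -> Block:
    """Section 4: increment the nonce until the hash has `bits` leading zeros.
    Expected cost is about 2**bits hashes; checking the result costs one."""
    block.nonce = 0
    while leading_zero_bits(block.digest()) < bits:
        block.nonce += 1
    return block


def valid_chain(chain: List[Block], bits: int = DIFFICULTY_BITS) -> bool:
    prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != prev or leading_zero_bits(block.digest()) < bits:
            return False
        prev = block.digest()
    return True


def build_chain(blocks_txs: List[List[bytes]]) -> List[Block]:
    chain, prev = [], GENESIS_PREV
    for txs in blocks_txs:
        block = mine(Block(prev_hash=prev, root=merkle_root(txs)))
        chain.append(block)
        prev = block.digest()
    return chain


def tamper_demo() -> Tuple[bool, bool, bool]:
    """Returns (fresh chain valid, valid after editing a buried tx,
    valid after re-mining only the edited block). Expected: (True, False, False)."""
    # constructed sample transactions, three blocks deep
    chain = build_chain([[b"coinbase->A"], [b"A->B 5", b"A->C 3"],
                         [b"B->D 2", b"C->D 1", b"D->E 1"]])
    fresh = valid_chain(chain)
    chain[1].root = merkle_root([b"A->B 5", b"A->ATTACKER 3"])  # rewrite block 1
    edited = valid_chain(chain)      # block 1's hash no longer meets the target
    mine(chain[1])                   # redo block 1's work only...
    remined = valid_chain(chain)     # ...block 2 still points at the old hash
    return fresh, edited, remined
```

After re-mining block 1 the attacker is still rejected because block 2's `prev_hash` commits to the old block 1 hash; closing the gap means redoing block 2 as well, which is the "redoing all the blocks after it" cost of section 4 and the race that section 11 quantifies. The branch functions show the section 7 pruning: a node that keeps only the root and one branch can still verify that transaction, but a different transaction fails against the same branch.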