Understanding Bitcoin: A Peer-to-Peer Electronic Cash System

Introduction

Commerce on the internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. While this system works well enough for most transactions, it suffers from the inherent weaknesses of the trust-based model. Completely non-reversible transactions are not truly possible since financial institutions must mediate disputes, increasing costs and limiting the minimum practical transaction size.

What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly without a trusted third party. Transactions that are computationally impractical to reverse would protect sellers from fraud, while routine escrow mechanisms could protect buyers. This paper proposes a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions.

The Double-Spending Problem

Traditional Transaction Models

In traditional electronic cash systems, digital signatures provide part of the solution but cannot prevent double-spending without a trusted third party. We define an electronic coin as a chain of digital signatures where each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner. While this allows verification of ownership, it doesn't prevent a previous owner from double-spending the coin.

The Need for a New Approach

The common solution has been to introduce a trusted central authority, or mint, that checks every transaction for double-spending. However, this approach centralizes power and requires every transaction to go through a single entity, much like a traditional bank. We need a system where the payee can know that previous owners did not sign any earlier transactions without relying on a centralized authority.

The Blockchain Solution

Timestamp Server Foundation

The proposed solution begins with a timestamp server that hashes a block of items to be timestamped and widely publishes the hash. Each timestamp includes the previous timestamp in its hash, forming a chain where each additional timestamp reinforces those before it. This creates an immutable record that cannot be altered without redoing all subsequent work.

Proof-of-Work Mechanism

To implement a distributed timestamp server on a peer-to-peer basis, we use a proof-of-work system similar to Hashcash. The proof-of-work involves scanning for a value that, when hashed, begins with a number of zero bits. The average work required is exponential in the number of zero bits required but can be verified by executing a single hash.

For our timestamp network, we implement proof-of-work by incrementing a nonce in the block until a value is found that gives the block's hash the required zero bits. Once the CPU effort has been expended to satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, changing any block would require redoing all subsequent blocks.
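The nonce search and its single-hash verification, as an added Python illustration rather than code from the paper; the header bytes and the 16-bit difficulty are constructed stand-ins.

```python
import hashlib
import struct


def block_hash(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 over the header bytes with the 4-byte nonce appended."""
    data = header + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits the 256-bit hash begins with."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def verify_pow(header: bytes, nonce: int, bits: int) -> bool:
    """Checking a claimed proof-of-work costs exactly one hash."""
    return leading_zero_bits(block_hash(header, nonce)) >= bits


def mine(header: bytes, bits: int, max_nonce: int = 2**32) -> int:
    """Increment the nonce until the block hash has the required zero bits.
    The expected number of attempts is 2**bits, i.e. exponential in `bits`."""
    for nonce in range(max_nonce):
        if verify_pow(header, nonce, bits):
            return nonce
    raise RuntimeError("nonce space exhausted; a real miner would alter the block")


# Constructed stand-in for a block header (previous hash, Merkle root, time).
HEADER = b"prev-block-hash|merkle-root|timestamp"
DIFFICULTY_BITS = 16  # small so the search finishes in well under a second

if __name__ == "__main__":
    nonce = mine(HEADER, DIFFICULTY_BITS)
    print("nonce", nonce, "hash", block_hash(HEADER, nonce).hex())
    print("valid:", verify_pow(HEADER, nonce, DIFFICULTY_BITS))
    # Any change to the block contents invalidates the work already found.
    print("valid after tampering:", verify_pow(HEADER + b"x", nonce, DIFFICULTY_BITS))
```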

Network Operation

Transaction Processing Steps

The network operates through these steps:

  1. New transactions are broadcast to all nodes
  2. Each node collects new transactions into a block
  3. Each node works on finding a difficult proof-of-work for its block
  4. When a node finds a proof-of-work, it broadcasts the block to all nodes
  5. Nodes accept the block only if all transactions are valid and not already spent
  6. Nodes express acceptance by working on creating the next block using the hash of the accepted block

Nodes always consider the longest chain to be the correct one and continue working to extend it. If two nodes broadcast different versions of the next block simultaneously, nodes work on the first received but save the other branch in case it becomes longer. The tie is broken when the next proof-of-work is found and one branch becomes longer.
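A toy model of steps 5 and 6 and the tie-breaking rule above, added for this page rather than taken from the paper; the transaction and block types are constructed, and block hashes are plain labels instead of real proof-of-work hashes.

```python
from collections import namedtuple

# Constructed toy types: a Tx spends output ids and creates new ones; a Tx with
# no inputs is the block creator's coin-creating transaction.
Tx = namedtuple("Tx", "txid inputs outputs")
Block = namedtuple("Block", "hash prev txs")
GENESIS = Block("genesis", "", ())


class Node:
    def __init__(self):
        self.blocks = {GENESIS.hash: GENESIS}
        self.tips = [GENESIS.hash]  # head of every branch we know, in arrival order

    def chain(self, tip):
        """Blocks from genesis to `tip`, oldest first."""
        out = []
        while tip:
            out.append(self.blocks[tip])
            tip = self.blocks[tip].prev
        return out[::-1]

    def unspent(self, tip):
        """Output ids still unspent on the branch ending at `tip`."""
        utxo = set()
        for block in self.chain(tip):
            for tx in block.txs:
                utxo.difference_update(tx.inputs)
                utxo.update(tx.outputs)
        return utxo

    def receive(self, block):
        """Step 5: accept only if the block links to a known block and every input
        exists on that branch and is not already spent (also within the block)."""
        if block.prev not in self.blocks or block.hash in self.blocks:
            return False
        utxo = self.unspent(block.prev)
        for tx in block.txs:
            for ref in tx.inputs:
                if ref not in utxo:
                    return False
                utxo.remove(ref)
            utxo.update(tx.outputs)
        self.blocks[block.hash] = block
        if block.prev in self.tips:
            self.tips.remove(block.prev)
        self.tips.append(block.hash)  # a competing branch is kept, not thrown away
        return True

    def best_tip(self):
        """Step 6 and the tie rule: longest branch; max() keeps the first received on a tie."""
        return max(self.tips, key=lambda tip: len(self.chain(tip)))
```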

Network Resilience

The network requires minimal structure, with messages broadcast on a best-effort basis. Nodes can leave and rejoin at will, accepting the longest proof-of-work chain as proof of what happened while they were gone. New transactions don't need to reach all nodes immediately—as long as they reach many nodes, they will be included in a block before long.

Economic Incentives

Coin Creation and Distribution

By convention, the first transaction in a block is a special transaction that starts a new coin owned by the block's creator. This adds incentive for nodes to support the network and provides a way to initially distribute coins without a central authority. The steady addition of new coins is analogous to gold miners expending resources to add gold to circulation, though in this case, the resources are CPU time and electricity.

Transaction Fees and Security

The incentive can also be funded through transaction fees. If a transaction's output value is less than its input value, the difference becomes a transaction fee added to the block's incentive value. Once a predetermined number of coins enter circulation, the incentive can transition entirely to transaction fees, creating an inflation-free system.

The incentive structure encourages nodes to stay honest. Even if a greedy attacker assembles more CPU power than all honest nodes, they would find it more profitable to play by the rules and earn new coins rather than undermine the system and devalue their own wealth.

System Optimization

Disk Space Reclamation

Once the latest transaction in a coin is buried under enough blocks, spent transactions before it can be discarded to save disk space. Transactions are hashed in a Merkle Tree, with only the root included in the block's hash. Old blocks can be compacted by stubbing off branches of the tree, eliminating the need to store interior hashes.

A block header with no transactions is about 80 bytes. With blocks generated every 10 minutes, this amounts to approximately 4.2MB per year. Given typical computer system specifications and storage growth trends, storage should not present a problem even if block headers must be kept in memory.

Simplified Payment Verification

It's possible to verify payments without running a full network node. A user only needs to keep copies of block headers from the longest proof-of-work chain and obtain the Merkle branch linking the transaction to its timestamped block. While this verification is reliable when honest nodes control the network, it becomes more vulnerable if the network is overpowered by an attacker.

Businesses receiving frequent payments will likely want to run their own nodes for more independent security and quicker verification. For occasional users, simplified verification provides adequate security with minimal resource requirements.
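The Merkle tree compaction described under disk space reclamation and the Merkle-branch check used by simplified payment verification, as one added example (not from the paper); the transaction ids are constructed, and the tree uses Bitcoin's double SHA-256 with the last hash of an odd-length level paired with itself.

```python
import hashlib


def dsha256(data: bytes) -> bytes:
    """Bitcoin's hash function: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_levels(leaves):
    """All tree levels, leaves first. An odd-length level pairs its last hash
    with itself, as Bitcoin does."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]
        levels.append([dsha256(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels


def merkle_root(leaves) -> bytes:
    """The only thing a block header carries about its transactions."""
    return merkle_levels(leaves)[-1][0]


def merkle_branch(leaves, index):
    """Sibling hashes from one leaf up to the root: the Merkle branch a
    lightweight client requests for a single transaction. Interior hashes
    not on this path are exactly the ones a compacted block can drop."""
    branch = []
    for level in merkle_levels(leaves)[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        branch.append((level[sibling], sibling > index))  # (hash, sibling is on the right)
        index //= 2
    return branch


def spv_verify(txid: bytes, branch, header_root: bytes) -> bool:
    """Recompute the path to the root from the txid, its branch and the root in
    a block header; a full copy of the block is never needed."""
    h = txid
    for sibling, sibling_is_right in branch:
        h = dsha256(h + sibling) if sibling_is_right else dsha256(sibling + h)
    return h == header_root


# Constructed sample block with five transaction ids (an odd count).
TXIDS = [dsha256(b"constructed tx %d" % i) for i in range(5)]
HEADER_ROOT = merkle_root(TXIDS)
```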

Transaction Structure

Value Combination and Splitting

Although it is possible to handle coins individually, making a separate transaction for every cent would be unwieldy. Transactions contain multiple inputs and outputs to allow value to be split and combined. Typically, there is either a single input from a larger previous transaction or multiple inputs combining smaller amounts, with at most two outputs: one for the payment and one returning change to the sender.

Fan-out, where a transaction depends on several transactions that depend on many more, isn't problematic. There's never a need to extract a complete standalone copy of a transaction's history, making the system efficient even for complex transaction chains.

Privacy Considerations

Anonymous Public Keys

The traditional banking model achieves privacy by limiting information access to involved parties and trusted third parties. While our system requires publicly announcing all transactions, privacy is maintained by keeping public keys anonymous. The public can see that someone is sending an amount to someone else but cannot link transactions to specific identities—similar to information released by stock exchanges where trade times and sizes are public, but parties remain anonymous.

As an additional firewall, a new key pair should be used for each transaction to prevent linking to a common owner. Some linking remains unavoidable with multi-input transactions, which reveal that their inputs were owned by the same owner. The risk is that if a key owner is revealed, linking could expose other transactions belonging to that same owner.

Security Calculations

Attack Scenario Analysis

We consider an attacker trying to generate an alternate chain faster than the honest chain. Even if successful, the attacker cannot make arbitrary changes like creating value from nothing or taking money that never belonged to them. Nodes won't accept invalid transactions, and honest nodes will never accept blocks containing them. An attacker can only try to change their own transactions to take back recently spent money.

The race between honest and attacker chains resembles a Binomial Random Walk. The probability of an attacker catching up from a deficit drops exponentially as the number of blocks they need to overcome increases. With odds against them, if an attacker doesn't make early progress, their chances become vanishingly small as they fall further behind.

Transaction Confirmation Timing

The recipient of a new transaction needs to wait before being certain the sender cannot change it. We assume the sender might be an attacker who wants to temporarily convince the recipient of payment before switching it back to themselves. The receiver generates a new key pair and gives the public key to the sender shortly before signing to prevent precomputation attacks.

The recipient waits until the transaction is added to a block and several blocks are linked after it. The attacker's potential progress follows a Poisson distribution, and we can calculate the probability they could still catch up. Results show this probability drops off exponentially with each additional block confirmation.
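The catch-up probability of the random walk and the confirmation-count calculation described in the two passages above, worked through in Python as an added example; the formulas are those of the original paper's security calculation, the function names are chosen here, and the attacker is assumed to control less than half of the hashing power.

```python
import math


def catch_up_probability(q: float, z: int) -> float:
    """Gambler's-ruin result for the binomial random walk: the probability that an
    attacker with fraction q of the hashing power ever catches up from z blocks
    behind, with honest nodes holding the remaining p = 1 - q."""
    p = 1.0 - q
    return 1.0 if p <= q else (q / p) ** z


def attacker_success_probability(q: float, z: int) -> float:
    """Probability the attacker can still reverse a payment after the recipient has
    waited for z confirmations. The attacker's progress while the honest chain
    grows by z blocks is Poisson with mean z * q/p; sum over how far along they
    could be, weighted by the catch-up probability from that deficit."""
    p = 1.0 - q
    lam = z * (q / p)
    prob = 1.0
    for k in range(z + 1):
        poisson = math.exp(-lam)
        for i in range(1, k + 1):
            poisson *= lam / i
        prob -= poisson * (1.0 - catch_up_probability(q, z - k))
    return prob


def confirmations_needed(q: float, target: float = 0.001) -> int:
    """Smallest number of confirmations that pushes the attacker's success
    probability below `target` (the paper uses 0.1%). Requires q < 0.5, since a
    majority attacker eventually wins regardless of how long one waits."""
    if q >= 0.5:
        raise ValueError("attacker with a majority of hashing power always catches up")
    z = 0
    while attacker_success_probability(q, z) >= target:
        z += 1
    return z


if __name__ == "__main__":
    for q in (0.1, 0.3):
        print(f"q={q}:", [round(attacker_success_probability(q, z), 7) for z in range(0, 11, 2)])
        print(f"  confirmations for P < 0.1%: {confirmations_needed(q)}")
```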

Conclusion

We have proposed a system for electronic transactions without relying on trust. Starting with digital signatures providing strong ownership control, we added a peer-to-peer network using proof-of-work to record a public transaction history that quickly becomes computationally impractical for attackers to change when honest nodes control majority CPU power.

The network's unstructured simplicity makes it robust. Nodes work simultaneously with minimal coordination and need no identification, since messages aren't routed to specific places and need only best-effort delivery. Nodes can leave and rejoin at will, accepting the proof-of-work chain as proof of events during their absence.

They vote with CPU power, accepting valid blocks by working to extend them and rejecting invalid blocks by refusing to work on them. This consensus mechanism enforces all necessary rules and incentives, creating a secure, decentralized electronic cash system.

Frequently Asked Questions

What problem does Bitcoin solve?
Bitcoin solves the double-spending problem in digital cash systems without requiring a trusted central authority. It enables peer-to-peer electronic payments that are secure, verifiable, and irreversible through cryptographic proof instead of trust in third parties.

How does proof-of-work secure the network?
Proof-of-work requires computational effort to create new blocks, making it economically impractical to alter transaction history. The longest chain represents the greatest computational effort, and honest nodes extending this chain outpace attackers attempting to create alternative histories.

What prevents someone from creating unlimited Bitcoins?
The protocol limits new coin creation through the proof-of-work mechanism and predetermined issuance schedule. Each block creates a fixed number of new coins, and this reward halves at regular intervals until reaching the maximum supply of 21 million coins.

How private are Bitcoin transactions?
While all transactions are publicly recorded on the blockchain, privacy is maintained through pseudonymous addresses. Users can enhance privacy by using new addresses for each transaction, though some transaction linking remains possible through analysis techniques.

Can quantum computers break Bitcoin's security?
Current cryptographic algorithms could be vulnerable to sufficiently powerful quantum computers, but the Bitcoin network can transition to quantum-resistant algorithms when necessary. The community actively monitors cryptographic developments to maintain security.

How long does transaction confirmation take?
Confirmation time varies based on network congestion and transaction fees. Typically, a transaction is considered reasonably secure after 6 block confirmations (about 60 minutes), though for small amounts, fewer confirmations may be acceptable.