The previous chapter read the Privacy section of the Bitcoin white paper word for word.
We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain.
We imagine a scenario in which someone attacking the Bitcoin blockchain generates a chain faster than the honest nodes do.
Even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker.
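Even if this scenario becomes reality, it does not mean the attacker fully controls the system, for example by creating value out of thin air or seizing money that never belonged to the attacker.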
Nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them.
Nodes will not accept an invalid transaction as payment, nor will they accept a block that contains invalid transactions.
An attacker can only try to change one of his own transactions to take back money he recently spent.
The attacker can only try to tamper with his own transaction, so as to take back money he has just paid to someone else.
The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk.
The race between the honest nodes and the attacking nodes can be viewed as a binomial random walk.
The success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attacker’s chain being extended by one block, reducing the gap by -1.
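The success event of this race is defined as the honest chain being extended by one block, widening its lead over the attacker's chain by +1; the failure event is defined as the attacker's chain being extended by one block, narrowing the gap to the honest chain by -1.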
The probability of an attacker catching up from a given deficit is analogous to a Gambler’s Ruin problem.
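The likelihood that the attacking nodes catch up with the honest nodes from a given deficit can be viewed as a "Gambler's Ruin" problem.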
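Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven.
Suppose a gambler has unlimited credit to draw on and, starting in deficit, plays a possibly infinite number of rounds to make up the shortfall until he breaks even.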
We can calculate the probability he ever reaches breakeven, or that an attacker ever catches up with the honest chain, as follows:
p = probability an honest node finds the next block
q = probability the attacker finds the next block
q_z = probability the attacker will ever catch up from z blocks behind

$$q_z = \begin{cases} 1 & \text{if } p \le q \\ (q/p)^z & \text{if } p > q \end{cases}$$
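We can calculate the probability that the gambler eventually breaks even, that is, the probability that the attacking nodes catch up with the honest nodes. Define:
p = probability that an honest node generates the next block
q = probability that an attacking node generates the next block
q_z = probability that the attacking nodes catch up with the honest nodes when they are z blocks behind
If p <= q, then q_z = 1: the honest nodes' probability of generating the next block is no greater than the attacker's, so the attacker is certain to catch up.
If p > q, then q_z = (q/p)^z: the honest nodes' probability of generating the next block is greater than the attacker's, so the probability that the attacker catches up is (q/p)^z.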
Given our assumption that p > q, the probability drops exponentially as the number of blocks the attacker has to catch up with increases.
If the honest nodes generate blocks faster (p > q), the probability of a successful attack falls exponentially as the number of blocks increases.
With the odds against him, if he doesn’t make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind.
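Because the odds are not on the attacker's side, if the attacker is not lucky enough to catch up with the honest nodes quickly, the probability of a successful attack becomes ever more remote.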
We now consider how long the recipient of a new transaction needs to wait before being sufficiently certain the sender can't change the transaction.
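We now consider how long the recipient needs to wait after receiving a transfer before being sure that the sender can no longer tamper with the transaction and take back the money already paid.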
We assume the sender is an attacker who wants to make the recipient believe he paid him for a while, then switch it to pay back to himself after some time has passed.
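We assume the sender is an attacker who wants the recipient to believe for a while that he has been paid, and then take back the money that was already paid out.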
The receiver will be alerted when that happens, but the sender hopes it will be too late.
The recipient will receive a warning when this happens, but the sender hopes that by then it will be too late.
The receiver generates a new key pair and gives the public key to the sender shortly before signing.
The recipient generates a new key pair and hands the public key to the sender only shortly before the sender signs.
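This prevents the sender from preparing a chain of blocks ahead of time by working on it continuously until he is lucky enough to get far enough ahead, then executing the transaction at the moment.
Doing so prevents the sender from preparing a chain in advance and working on its blocks continuously, then executing the transaction at the moment he happens to be lucky enough to get ahead of the honest chain.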
Once the transaction is sent, the dishonest sender starts working in secret on a parallel chain containing an alternate version of his transaction.
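Once the transaction is sent, the attacker starts secretly preparing a parallel chain that contains an alternate version of that transaction.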
The recipient waits until the transaction has been added to a block and z blocks have been linked after it.
The recipient waits until the transaction appears in a block and z more blocks follow it.
He doesn’t know the exact amount of progress the attacker has made, but assuming the honest blocks took the average expected time per block, the attacker’s potential progress will be a Poisson distribution with expected value:
λ=z*q/p
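The recipient does not know exactly how many blocks the attacker has produced. Assuming the honest nodes took the expected average time per block, the attacker's potential progress follows a Poisson distribution with expected value λ = z*q/p.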
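To get the probability the attacker could still catch up now, we multiply the Poisson density for each amount of progress he could have made by the probability he could catch up from that point:
To obtain the probability that the attacker can still catch up with the honest nodes, multiply the Poisson probability density of each number of blocks the attacker may have produced by the probability of still catching up from that number.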
The intermediate calculation, the programming and the other steps: I can't follow them, so I'm skipping them...
Running some results, we can see the probability drop off exponentially with z.
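After running the calculation, we can see that the probability P of the attacking nodes catching up with the honest nodes falls exponentially as z (the number of blocks behind) increases.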
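The calculation described above, written out as an added example (it is not code from this article): each possible attacker progress k is weighted by its Poisson probability and multiplied by the catch-up probability from the remaining deficit z - k. The function names and the 0.1% risk threshold are assumptions chosen for illustration, with p = 1 - q.

```python
import math


def catch_up_probability(q: float, deficit: int) -> float:
    """q_z from the text: chance the attacker ever erases `deficit` blocks."""
    p = 1.0 - q
    if deficit <= 0 or p <= q:
        return 1.0  # already level, or the attacker is at least as fast
    return (q / p) ** deficit


def attacker_success_probability(q: float, z: int) -> float:
    """Probability the attacker still catches up after z confirmations.

    Sum over k of Poisson(k; lambda) * q_(z-k), with lambda = z*q/p.
    The infinite tail (k > z, where q_(z-k) = 1) is avoided by summing
    the complementary event "honest chain stays ahead" for k = 0..z.
    """
    p = 1.0 - q
    if p <= q:
        return 1.0
    lam = z * q / p
    poisson = math.exp(-lam)  # Poisson probability of k = 0
    honest_stays_ahead = 0.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k  # step from P(k-1) to P(k)
        honest_stays_ahead += poisson * (1.0 - catch_up_probability(q, z - k))
    return 1.0 - honest_stays_ahead


def min_confirmations(q: float, risk: float = 0.001, limit: int = 10_000) -> int:
    """Smallest z whose attacker success probability is below `risk`."""
    if not 0.0 <= q < 0.5:
        raise ValueError("no z is safe once the attacker has q >= 0.5")
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < risk:
            return z
    raise RuntimeError("risk threshold not reached within limit")


if __name__ == "__main__":
    for q in (0.10, 0.30):
        for z in (0, 1, 5, 10):
            print(f"q={q:.2f} z={z:2d} P={attacker_success_probability(q, z):.7f}")
        print(f"q={q:.2f}: wait {min_confirmations(q)} blocks for P < 0.1%")
```

A recipient can use `min_confirmations` to choose z from an assumed attacker hash-power share q; the required wait grows quickly as q approaches 0.5.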
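This chapter mainly calculates the probability that an attacker can attack successfully, and the calculation is fairly involved. We can simply compare the attack to the "Gambler's Ruin" problem.
Suppose two gamblers, A and B, hold M and N chips respectively. The two roll a die: on 1, 2 or 3 A wins, on 4, 5 or 6 B wins, and the winner takes one chip from the other. Play continues until one side has lost everything.
In this setting A and B have the same 50% chance of winning each round, so who has the last laugh depends on who holds more chips.
Probability that A wins = M/(M+N); probability that B wins = N/(M+N). If M = N, both sides have the same 50% chance of winning.
In the ideal case both sides hold the same number of chips and have the same chance of winning each round, so both have the same chance of winning in the end.
In reality, though, you usually hold fewer chips than the casino, and your chance of winning any single round is certainly below 50%. At a disadvantage in both chips and per-round odds, trying to win money from the casino is a fool's dream. All the casino has to do is repeat the game, round after round, with no other tricks, and probability will naturally deliver all of your money into the casino's pocket. The casino stands with probability, while the gambler stands against it.
The attacker is like this gambler, and the honest nodes are like the casino. The attacker holds fewer chips than the honest nodes (less than 51% of the hash power) and wins each round with a probability below 50%, so the probability of a successful attack is extremely low. The more blocks the attacker falls behind the honest nodes, the smaller the probability of success (it falls exponentially, see the figure).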