文章暂时分为两个部分：

一：写这篇文章的目的
二：中英文对照

一：写这篇文章的目的

比特币白皮书是个经典，翻译这个简短的文章主要是为了提高一个台阶的训练自己的英语，就像每天跑步中最后一程去冲刺进而提高自己的能力一样，这个翻译对我的英语学习来说算是冲刺，其次，学习区块链知识，或许没有比这更原滋原味的区块链学习教材了，因为不是一天完成的，我会每天发布更新，直到完成，如果您看到文章觉得有错误的地方欢迎交流指正。

原文链接：https://bitcoin.org/bitcoin.pdf

二：中英文对照

Abstract

A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.

摘要：

一个点对点的电子现金可以达到不通过传统金融机构实现双方的在线支付。数字签名解决了一部分问题，但是如果为了避免双重支付而引进一个第三方信任机构将会使得大部分收益受损。我们提出了一个使用点点网络来解决双重支付问题。这个经过哈希化处理的网络时间戳就进入了基于哈希工作量证明的不间断的链，这样就形成了一个没有重做工作量证明就不可能改变的记录。最长的这条链不仅担任着见证各个交易发生先后顺序的证明，而且证明他来至于最大的CPU能量矿池。只要被大量节点控制的CPU能量不去合作攻击网络，他们生产的链就能超过攻击者的链进而成为最长的那条链。网络本身要求很小的机构。信息尽最大努力被广播出，而且节点可以随意的离开或加入网络中，接受这个最长的链以便于作为证明他们离开的时候发生什么的证明。

1.Introduction

Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. While the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes. The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for non-reversible services. With the possibility of reversal, the need for trust spreads. Merchants must be wary of their customers, hassling them for more information than they would otherwise need. A certain percentage of fraud is accepted as unavoidable. These costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party.
What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party. Transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers. In this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions. The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes.

1.引言

网上交易几乎完全依赖金融机构提供的第三方信任来完成电子支付。虽然对大多数交易来说这个系统运行良好，但是这个信任机制仍然存在着内在的缺陷。完全不可逆的交易不是不可能的，因此金融机构不可避免的产于到争议调停中。争议的花费增加了交易成本，限制了最小交易的尺度，切断了产生小的偶然发生的交易的可能性，而且这有着巨大花费使我们失去了成就一个不可逆的支付对于一个不可逆的交易的能力。由于可以扭转的交易存在的可能，这样信任的需求被扩大。商家必须堤防消费，同时为了避免自己惹上麻烦他们不会提供比原本需要的更多信息给消费者。一定比例的诈骗因为无法避免而被接受。这种不确定性的花费和成本可以通过亲自使用物理性质的货币而避免，但是还不存在一种机制使得去掉受信任的的第三方从而支持电子交易。
我们需要的是一个基于密码学证据的电子支付系统来取代信任，来允许任何自愿交易的双方直接交易而无需第三方的信任机构。从计算机的角度来看这种不可逆转的交易用来保护卖方免受欺诈，而日常那种第三方担保的机制很容易被用来保护买方。 白皮书中我们提出了一种方案来解决双重问题，它使用了点对点分布式时间戳服务器来生成算力进而作为交易发生先后顺序的证明。只要所有诚实节点所控制的算力高于所有攻击者节点形成的算力那么系统就是安全的。

2.Transactions

We define an electronic coin as a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. A payee can verify the signatures to verify the chain of ownership.
The problem of course is the payee can't verify that one of the owners did not double- spend the coin. A common solution is to introduce a trusted central authority, or mint, that checks every transaction for double spending. After each transaction, the coin must be returned to the mint to issue a new coin, and only coins issued directly from the mint are trusted not to be double-spent. The problem with this solution is that the fate of the entire money system depends on the company running the mint, with every transaction having to go through them, just like a bank.
We need a way for the payee to know that the previous owners did not sign any earlier transactions. For our purposes, the earliest transaction is the one that counts, so we don't care about later attempts to double-spend. The only way to confirm the absence of a transaction is to be aware of all transactions. In the mint based model, the mint was aware of all transactions and decided which arrived first. To accomplish this without a trusted party, transactions must be publicly announced [1], and we need a system for participants to agree on a single history of the order in which they were received. The payee needs proof that at the time of each transaction, the majority of nodes agreed it was the first received.

transaction.png

2，交易

我们把一系列的数字签名定义为电子货币。一个货币持有者通过对前一个哈希化的交易和接收币的公钥进行数字签名来把货币发送给其他人同时把这些增加到货币中。接收者通过确认数字签名来确认拥有者的这条链。

很自然的一个问题是收款人无法确认付款人是否存在双重支付。普遍的做法是引入一个可信任的中心化的权威机构或者一个铸币厂，他们来确认是否交易存在双重支付。一笔交易之后每一个货币都必须送到铸币厂进而发行一个新币，同时每个直接从铸币厂发出的新币才会被信任没有产生双重支付。问题的解决方案变成了所有货币系统的命运全部依赖于一个运转着铸币厂的公司，每一笔交易不得不通过他们就像一个银行。

我们需要一种方式让收币者知道对这笔钱来说发币者没有签署任何更早的交易。一个早期的交易被记录下来我们就不用担心之后双重支付的尝试。仅有的确认不存在一笔交易的方式是了能够了解到所有的交易。在铸币厂的模型中，铸币厂意识到所有的交易并且知道哪一笔交易最先送达。为了达到不需要受信任的机构的系统，交易必须被广播出去，我们需要系统参与者对于接收到的所有交易顺序只认可唯一的交易历史。收款人需要知道每一个当下交易的证明，大部分的节点认可这笔交易是第一次接收到的。

3.Timestamp Server

The solution we propose begins with a timestamp server. A timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash, such as in a newspaper or Usenet post [2-5]. The timestamp proves that the data must have existed at the time, obviously, in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.

Timestamp Server.png

我们计划的解决方案开始于时间戳服务。一个时间戳是这样工作的，它通过获取一个已经盖上时间戳同时哈希化的项目的区块同时广泛的传播这个哈希，例如再报纸和网络帖子（2-5）（这一句翻译说明我没有理解时间戳的工作机制）。很明显为了进入哈希化，时间戳证明了在此时间上这个数据已经存在了。每一个时间戳包含了在同一个链上的哈希数据中的先前的时间戳，在这链上，每一个时间戳进一步加强了他前面一个时间戳的安全性。

4.Proof-of-Work

To implement a distributed timestamp server on a peer-to-peer basis, we will need to use a proof-of-work system similar to Adam Back's Hashcash [6], rather than newspaper or Usenet posts. The proof-of-work involves scanning for a value that when hashed, such as with SHA- 256, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash.

For our timestamp network, we implement the proof- of-work by incrementing a nonce in the block until a value is found that gives the block's hash the required zero bits. Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.

proof-of-work.png

The proof-of-work also solves the problem of determining representation in majority decision making. If the majority were based on one-IP-address-one-vote, it could be subverted by anyone able to allocate many IPs. Proof-of-work is essentially one-CPU-one-vote. The majority decision is represented by the longest chain, which has the greatest proof-of- work effort invested in it. If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. To modify a past block, an attacker would have to redo the proof-of-work of the block and all blocks after it and then catch up with and surpass the work of the honest nodes. We will show later that the probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added.
To compensate for increasing hardware speed and varying interest in running nodes over time, the proof-of-work difficulty is determined by a moving average targeting an average number of blocks per hour. If they're generated too fast, the difficulty increases.

4.工作量证明
为了在一个点对点的系统中实施分布式时间戳服务，我们需要使用类似亚当帕克在哈希现金做法使用工作量证明系统，而不是像报纸或者网贴那样。工作量证明包括搜索一个当哈希时候的值，例如：SHA-26，这个哈希以若干个零字节开始。通常的工作对于所需要的大量零字节是指数级的，而可以通过一个简单的哈希来确认。

对于我们的时间戳网络，我们通过在区块中给出一个临时随机数，直到这个数字被发现并且符合区块哈希的零字节，这样就实现了工作量证明。一旦CPU的努力被消耗满足了工作量证明，那么这个区块就不能被改变，如果不重复做这个工作的话。之后区块之后形成了链，改变区块的工作就包括了重做这个区块之后所有的工作。

工作量证明也解决了大量决定中代表决定的问题。如果大部分是基于一个IP地址一个投票权的话，他可以被配置很多IPs的任何人破坏。工作量证明本质上是基于一个cpu一个投票权，大部分的决定取代了最长的链，同时这个决定对应着最大的工作量证明投入。如果大部分的cpu算力被诚实的节点控制，这个诚实的链条将会生成是最快的同时超过竞争链。对于修改过去区块，攻击者不得不重做这个区块的工作量证明和他之后所有的快的工作量证明，同时需要赶上并超过诚实节点的工作量。我们将在之后讲到慢一拍的攻击者赶上的可能性逐渐指数级别的减少随着后来的区块的增加。
随着时间的流逝，为了弥补增长的硬件速度和对运行一个节点变化的兴趣，工作量证明的困难程度被不断改变，这个改变是基于一个把目标定在每小时变化的区块数量的移动平均数来改变的。如果他们产生节点的熟读太快，困难就会增加。
5.Network

The steps to run the network are as follows:

1. New transactions are broadcast to all nodes.

2. Each node collects new transactions into a block.

3. Each node works on finding a difficult proof-of-work for its block.

4. When a node finds a proof-of-work, it broadcasts the block to all nodes.

5. Nodes accept the block only if all transactions in it are valid and not already spent.

6. Nodes express their acceptance of the block by working on creating the next block in the chain, using the hash of the accepted block as the previous hash.

Nodes always consider the longest chain to be the correct one and will keep working on extending it. If two nodes broadcast different versions of the next block simultaneously, some nodes may receive one or the other first. In that case, they work on the first one they received, but save the other branch in case it becomes longer. The tie will be broken when the next proof-of-work is found and one branch becomes longer; the nodes that were working on the other branch will then switch to the longer one.
New transaction broadcasts do not necessarily need to reach all nodes. As long as they reach many nodes, they will get into a block before long. Block broadcasts are also tolerant of dropped messages. If a node does not receive a block, it will request it when it receives the next block and realizes it missed one.

网络：
跑一个网络的步骤如下：
新的交易被广播到所有的节点
每一个节点收集新的交易进入一个区块
每一个节点运转去找到一个困难的工作量证明为他们的区块
当一个节点找到一个工作量证明，他广播这个区块给所有的节点
节点接受这个区块仅当所有的交易是有效的，而不是已经花费的一笔交易
节点表达他们的接受这个区块通过转移他们的工作去找下一个链上的区块，使用被接受区块的哈希作为替代先前的哈希。
节点总是考虑整个最长的链作为正确的一条链并且在这条链上进行拓展，如果两个节点同时广播下一个区块的不同版本。一些节点会首先接受到其中一个另外一些接受到另一个。这种情况下，这些节点会在他们接收到的第一个节点上进行工作，但是会保存其他的分支，以防他变成更长的那个。这个并列会被打破，当下一个工作量证明的工作完成并且其中一个分支变得更长的时候；其他正在其他分支上工作的节点也会转而转换到更长的一个链上。
新的交易广播没有必要到达所有的节点。只要他们到达大部分节点就可以了，他们将会在链变长之前进入到区块。区块广播也是容忍掉落信息的。如果一个节点没有接受一个区块，他将请求这个块，当他接受下一个区块意识到自己错过了一个的时候。

6. Incentive
   By convention, the first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. This adds an incentive for nodes to support the network, and provides a way to initially distribute coins into circulation, since there is no central authority to issue them.
   The steady addition of a constant of amount of new coins is analogous to gold miners expending resources to add gold to circulation. In our case, it is CPU time and electricity that is expended.
   The incentive can also be funded with transaction fees. If the output value of a transaction is
   less than its input value, the difference is a transaction fee that is added to the incentive value of the block containing the transaction. Once a predetermined number of coins have entered
   circulation, the incentive can transition entirely to transaction fees and be completely inflation
   free.
   The incentive may help encourage nodes to stay honest. If a greedy attacker is able to
   assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. He ought to find it more profitable to play by the rules, such rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.
   6.激励
   按照惯例，在区块中的第一笔交易是一笔特殊的交易，因为这笔交易是以区块创造者以发行一个新的硬币开始，这种方式激励着节点支持网络，同时因为没有权威发行硬币，这种方式也提供了一种路径来初始化进入系统的硬币。这种稳定增加固有数量硬币的方案很想淘金者拓展资源来增加整体金子流通数量。而在整个案例中，扩展的是cpu的计算熟读和电力。
   这种激励也可以以交易费用的方式来提供。如果输出的价值小于输入的价值，这个差值就作为交易费用被增加到了为打包交易区块而存在的激励价值中。一旦预设的硬币数量进入了流通，这个激励就完全转换成了交易费用，同时也完全是通货膨胀费用。
   激励措施可能有助于帮助激励节点保持诚实。如果一个贪婪的攻击者能够集合比所有诚实节点更多的算力，他将不得不在是使用者这些算力去诈骗已经支付的费用和使用这些算力来产生更多的新比特币之间作出艰难抉择。他会发现和诚实节点一起遵守规则相比破坏整个系统让自己的财富也失效来说更为有利可图，这些规则让他能有比其他所有人的加起来更多的比特币。
   7.Reclaiming Disk Space
   Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. To facilitate this without breaking the block's hash,transactions are hashed in a Merkle Tree [7][2][5], with only the root included in the block's hash.Old blocks can then be compacted by stubbing off branches of the tree. The interior hashes do not need to be stored.
   7.内存回收
   一旦最近的一个硬币的交易被足够多的块覆盖，之前的交易记录就可以被清空以节省硬盘空间。为了加快这个进程同时不破坏块的哈希，交易在Merkle 树 [7][2][5]上被哈希化，在这个Merkle Tree [7][2][5]上只有根结点包含块的哈希。然后可以通过截断树的分支的方法来压缩区块。内部的哈希值不需要存储