Ethereum (ETH) Whitepaper
A Next-Generation Smart Contract and Decentralized Application Platform

Satoshi Nakamoto's development of Bitcoin in 2009 has often been hailed as a radical development in money and currency, being the first example of a digital asset which simultaneously has no backing or "intrinsic value" and no centralized issuer or controller. However, another - arguably more important - part of the Bitcoin experiment is the underlying blockchain technology as a tool of distributed consensus, and attention is rapidly starting to shift to this other aspect of Bitcoin. Commonly cited alternative applications of blockchain technology include using on-blockchain digital assets to represent custom currencies and financial instruments ("colored coins"), the ownership of an underlying physical device ("smart property"), non-fungible assets such as domain names ("Namecoin"), as well as more complex applications involving having digital assets being directly controlled by a piece of code implementing arbitrary rules ("smart contracts") or even blockchain-based "decentralized autonomous organizations" (DAOs). What Ethereum intends to provide is a blockchain with a built-in fully fledged Turing-complete programming language that can be used to create "contracts" that can be used to encode arbitrary state transition functions, allowing users to create any of the systems described above, as well as many others that we have not yet imagined, simply by writing up the logic in a few lines of code.

Table of Contents

History
  o Bitcoin As A State Transition System
  o Mining
  o Merkle Trees
  o Alternative Blockchain Applications
  o Scripting
Ethereum
  o Ethereum Accounts
  o Messages and Transactions
  o Ethereum State Transition Function
  o Code Execution
  o Blockchain and Mining
Applications
  o Token Systems
  o Financial derivatives
  o Identity and Reputation Systems
  o Decentralized File Storage
  o Decentralized Autonomous Organizations
  o Further Applications
Miscellanea And Concerns
  o Modified GHOST Implementation
  o Fees
  o Computation And Turing-Completeness
  o Currency And Issuance
  o Mining Centralization
  o Scalability
Conclusion
References and Further Reading

Introduction to Bitcoin and Existing Concepts

History

The concept of decentralized digital currency, as well as alternative applications like property registries, has been around for decades. The anonymous e-cash protocols of the 1980s and the 1990s, mostly reliant on a cryptographic primitive known as Chaumian blinding, provided a currency with a high degree of privacy, but the protocols largely failed to gain traction because of their reliance on a centralized intermediary. In 1998, Wei Dai's b-money became the first proposal to introduce the idea of creating money through solving computational puzzles as well as decentralized consensus, but the proposal was scant on details as to how decentralized consensus could actually be implemented. In 2005, Hal Finney introduced a concept of "reusable proofs of work", a system which uses ideas from b-money together with Adam Back's computationally difficult Hashcash puzzles to create a concept for a cryptocurrency, but once again fell short of the ideal by relying on trusted computing as a backend. In 2009, a decentralized currency was for the first time implemented in practice by Satoshi Nakamoto, combining established primitives for managing ownership through public key cryptography with a consensus algorithm for keeping track of who owns coins, known as "proof of work".

The mechanism behind proof of work was a breakthrough in the space because it simultaneously solved two problems. First, it provided a simple and moderately effective consensus algorithm, allowing nodes in the network to collectively agree on a set of canonical updates to the state of the Bitcoin ledger. Second, it provided a mechanism for allowing free entry into the consensus process, solving the political problem of deciding who gets to influence the consensus, while simultaneously preventing sybil attacks. It does this by substituting a formal barrier to participation, such as the requirement to be registered as a unique entity on a particular list, with an economic barrier - the weight of a single node in the consensus voting process is directly proportional to the computing power that the node brings. Since then, an alternative approach has been proposed called proof of stake, calculating the weight of a node as being proportional to its currency holdings and not computational resources; the discussion of the relative merits of the two approaches is beyond the scope of this paper but it should be noted that both approaches can be used to serve as the backbone of a cryptocurrency.

Bitcoin As A State Transition System

From a technical standpoint, the ledger of a cryptocurrency such as Bitcoin can be thought of as a state transition system, where there is a "state" consisting of the ownership status of all existing bitcoins and a "state transition function" that takes a state and a transaction and outputs a new state which is the result. In a standard banking system, for example, the state is a balance sheet, a transaction is a request to move $X from A to B, and the state transition function reduces the value in A's account by $X and increases the value in B's account by $X. If A's account has less than $X in the first place, the state transition function returns an error. Hence, one can formally define:

APPLY(S,TX) -> S' or ERROR

In the banking system defined above:

APPLY({ Alice: $50, Bob: $50 },"send $20 from Alice to Bob") = { Alice: $30, Bob: $70 }

But:

APPLY({ Alice: $50, Bob: $50 },"send $70 from Alice to Bob") = ERROR

The "state" in Bitcoin is the collection of all coins (technically, "unspent transaction outputs" or UTXO) that have been minted and not yet spent, with each UTXO having a denomination and an owner (defined by a 20-byte address which is essentially a cryptographic public key[1]). A transaction contains one or more inputs, with each input containing a reference to an existing UTXO and a cryptographic signature produced by the private key associated with the owner's address, and one or more outputs, with each output containing a new UTXO to be added to the state.

The state transition function APPLY(S,TX) -> S' can be defined roughly as follows:

1. For each input in TX:
   o If the referenced UTXO is not in S, return an error.
   o If the provided signature does not match the owner of the UTXO, return an error.
2. If the sum of the denominations of all input UTXO is less than the sum of the denominations of all output UTXO, return an error.
3. Return S with all input UTXO removed and all output UTXO added.

The first half of the first step prevents transaction senders from spending coins that do not exist, the second half of the first step prevents transaction senders from spending other people's coins, and the second step enforces conservation of value. In order to use this for payment, the protocol is as follows. Suppose Alice wants to send 11.7 BTC to Bob. First, Alice will look for a set of available UTXO that she owns that totals up to at least 11.7 BTC. Realistically, Alice will not be able to get exactly 11.7 BTC; say that the smallest she can get is 6+4+2=12. She then creates a transaction with those three inputs and two outputs. The first output will be 11.7 BTC with Bob's address as its owner, and the second output will be the remaining 0.3 BTC "change", with the owner being Alice herself.

Mining

If we had access to a trustworthy centralized service, this system would be trivial to implement; it could simply be coded exactly as described, using a centralized server's hard drive to keep track of the state. However, with Bitcoin we are trying to build a decentralized currency system, so we will need to combine the state transaction system with a consensus system in order to ensure that everyone agrees on the order of transactions. Bitcoin's decentralized consensus process requires nodes in the network to continuously attempt to produce packages of transactions called "blocks". The network is intended to produce roughly one block every ten minutes, with each block containing a timestamp, a nonce, a reference to (ie. hash of) the previous block and a list of all of the transactions that have taken place since the previous block. Over time, this creates a persistent, ever-growing, "blockchain" that constantly updates to represent the latest state of the Bitcoin ledger.

The algorithm for checking if a block is valid, expressed in this paradigm, is as follows:

1. Check if the previous block referenced by the block exists and is valid.
2. Check that the timestamp of the block is greater than that of the previous block[2] and less than 2 hours into the future.
3. Check that the proof of work on the block is valid.
4. Let S[0] be the state at the end of the previous block.
5. Suppose TX is the block's transaction list with n transactions. For all i in 0...n-1, set S[i+1] = APPLY(S[i],TX[i]). If any application returns an error, exit and return false.
6. Return true, and register S[n] as the state at the end of this block.

Essentially, each transaction in the block must provide a valid state transition from what was the canonical state before the transaction was executed to some new state. Note that the state is not encoded in the block in any way; it is purely an abstraction to be remembered by the validating node and can only be (securely) computed for any block by starting from the genesis state and sequentially applying every transaction in every block. Additionally, note that the order in which the miner includes transactions into the block matters; if there are two transactions A and B in a block such that B spends a UTXO created by A, then the block will be valid if A comes before B but not otherwise.

The one validity condition present in the above list that is not found in other systems is the requirement for "proof of work". The precise condition is that the double-SHA256 hash of every block, treated as a 256-bit number, must be less than a dynamically adjusted target, which as of the time of this writing is approximately 2^187. The purpose of this is to make block creation computationally "hard", thereby preventing sybil attackers from remaking the entire blockchain in their favor. Because SHA256 is designed to be a completely unpredictable pseudorandom function, the only way to create a valid block is simply trial and error, repeatedly incrementing the nonce and seeing if the new hash matches.

At the current target of 2^187, the network must make an average of 2^69 tries before a valid block is found; in general, the target is recalibrated by the network every 2016 blocks so that on average a new block is produced by some node in the network every ten minutes. In order to compensate miners for this computational work, the miner of every block is entitled to include a transaction giving themselves 25 BTC out of nowhere. Additionally, if any transaction has a higher total denomination in its inputs than in its outputs, the difference also goes to the miner as a "transaction fee". Incidentally, this is also the only mechanism by which BTC are issued; the genesis state contained no coins at all.

In order to better understand the purpose of mining, let us examine what happens in the event of a malicious attacker. Since Bitcoin's underlying cryptography is known to be secure, the attacker will target the one part of the Bitcoin system that is not protected by cryptography directly: the order of transactions. The attacker's strategy is simple:

1. Send 100 BTC to a merchant in exchange for some product (preferably a rapid-delivery digital good)
2. Wait for the delivery of the product
3. Produce another transaction sending the same 100 BTC to himself
4. Try to convince the network that his transaction to himself was the one that came first.
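As an added illustration (not code from the whitepaper), here is the UTXO form of APPLY(S,TX) together with the six-step block check and the trial-and-error nonce search described above, in Python. The proof-of-work target is lowered to a constructed 2^244 so a block mines instantly; a signer name standing in for the ECDSA signature, JSON serialisation of the header and the "txid:n" UTXO identifier format are assumptions of this example.

```python
import hashlib
import json
ERROR = "ERROR"
# Constructed demo target; the real network's was about 2^187 (see above).
TARGET = 2 ** 244

def apply_tx(state, tx):
    """APPLY(S, TX) -> S' or ERROR.  state: {utxo_id: (owner, value)}; tx has
    "inputs" [[utxo_id, signer], ...] and "outputs" [[owner, value], ...]."""
    spent = {utxo_id for utxo_id, _ in tx["inputs"]}
    for utxo_id, signer in tx["inputs"]:
        if utxo_id not in state:                 # 1a: input must be an unspent coin
            return ERROR
        if state[utxo_id][0] != signer:          # 1b: only its owner may spend it (name = signature, assumption)
            return ERROR
    if sum(state[i][1] for i in spent) < sum(v for _, v in tx["outputs"]):
        return ERROR                             # 2: conservation of value
    tx_id = hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()[:8]
    new_state = {k: v for k, v in state.items() if k not in spent}
    for n, (owner, value) in enumerate(tx["outputs"]):
        new_state[f"{tx_id}:{n}"] = (owner, value)   # 3: add the new UTXO
    return new_state

def block_hash(header):
    """Block hash = double SHA-256 of the serialised header, as hex."""
    data = json.dumps(header, sort_keys=True).encode()
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

def mine(header):
    """Trial and error: bump the nonce until hash < TARGET as a 256-bit number."""
    header = dict(header, nonce=0)
    while int(block_hash(header), 16) >= TARGET:
        header["nonce"] += 1
    return header

def validate_block(block, prev_header, prev_state, now):
    """Steps 1-6 of the paper's check; returns S[n] or None if invalid."""
    h = block["header"]
    if h["prev_hash"] != block_hash(prev_header):     # 1: parent must be known
        return None
    if not prev_header["timestamp"] < h["timestamp"] < now + 2 * 3600:  # 2
        return None
    if int(block_hash(h), 16) >= TARGET:              # 3: proof of work
        return None
    state = prev_state                                # 4: S[0]
    for tx in block["txs"]:                           # 5: S[i+1] = APPLY(S[i], TX[i])
        state = apply_tx(state, tx)
        if state == ERROR:
            return None
    return state                                      # 6: S[n]
```

Note that a block containing A and B where B spends A's output validates only with A first, exactly as the text says, because S[i+1] is computed from S[i] in list order.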
Once step (1) has taken place, after a few minutes some miner will include the transaction in a block, say block number 270000. After about one hour, five more blocks will have been added to the chain after that block, with each of those blocks indirectly pointing to the transaction and thus "confirming" it. At this point, the merchant will accept the payment as finalized and deliver the product; since we are assuming this is a digital good, delivery is instant. Now, the attacker creates another transaction sending the 100 BTC to himself. If the attacker simply releases it into the wild, the transaction will not be processed; miners will attempt to run APPLY(S,TX) and notice that TX consumes a UTXO which is no longer in the state. So instead, the attacker creates a "fork" of the blockchain, starting by mining another version of block 270000 pointing to the same block 269999 as a parent but with the new transaction in place of the old one. Because the block data is different, this requires redoing the proof of work. Furthermore, the attacker's new version of block 270000 has a different hash, so the original blocks 270001 to 270005 do not "point" to it; thus, the original chain and the attacker's new chain are completely separate. The rule is that in a fork the longest blockchain is taken to be the truth, and so legitimate miners will work on the 270005 chain while the attacker alone is working on the 270000 chain. In order for the attacker to make his blockchain the longest, he would need to have more computational power than the rest of the network combined in order to catch up (hence, "51% attack").

Merkle Trees

[Figure. Left: it suffices to present only a small number of nodes in a Merkle tree to give a proof of the validity of a branch. Right: any attempt to change any part of the Merkle tree will eventually lead to an inconsistency somewhere up the chain.]

An important scalability feature of Bitcoin is that the block is stored in a multi-level data structure. The "hash" of a block is actually only the hash of the block header, a roughly 200-byte piece of data that contains the timestamp, nonce, previous block hash and the root hash of a data structure called the Merkle tree storing all transactions in the block. A Merkle tree is a type of binary tree, composed of a set of nodes with a large number of leaf nodes at the bottom of the tree containing the underlying data, a set of intermediate nodes where each node is the hash of its two children, and finally a single root node, also formed from the hash of its two children, representing the "top" of the tree. The purpose of the Merkle tree is to allow the data in a block to be delivered piecemeal: a node can download only the header of a block from one source, the small part of the tree relevant to them from another source, and still be assured that all of the data is correct. The reason why this works is that hashes propagate upward: if a malicious user attempts to swap in a fake transaction into the bottom of a Merkle tree, this change will cause a change in the node above, and then a change in the node above that, finally changing the root of the tree and therefore the hash of the block, causing the protocol to register it as a completely different block (almost certainly with an invalid proof of work).

The Merkle tree protocol is arguably essential to long-term sustainability. A "full node" in the Bitcoin network, one that stores and processes the entirety of every block, takes up about 15 GB of disk space in the Bitcoin network as of April 2014, and is growing by over a gigabyte per month. Currently, this is viable for some desktop computers and not phones, and later on in the future only businesses and hobbyists will be able to participate. A protocol known as "simplified payment verification" (SPV) allows for another class of nodes to exist, called "light nodes", which download the block headers, verify the proof of work on the block headers, and then download only the "branches" associated with transactions that are relevant to them. This allows light nodes to determine with a strong guarantee of security what the status of any Bitcoin transaction, and their current balance, is while downloading only a very small portion of the entire blockchain.
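Added example, not from the whitepaper: a Merkle tree over a block's transactions, the "branch" an SPV light node downloads for one transaction, and the check of that branch against the root hash carried in the header. Double SHA-256 for node hashes and duplicating the last node of an odd level follow Bitcoin's convention, which the paper does not spell out (assumption); the transactions are constructed byte strings.

```python
import hashlib

def node_hash(data: bytes) -> bytes:
    """Bitcoin-style node hash: double SHA-256 (assumption, see lead-in)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def _pad(level):
    """Odd levels get their last node duplicated so every node has a sibling."""
    return level + [level[-1]] if len(level) % 2 else level

def build_tree(txs):
    """Return all levels of the tree: leaves first, the single root last."""
    if not txs:
        raise ValueError("a block always has at least the coinbase transaction")
    level = [node_hash(tx) for tx in txs]
    levels = [level]
    while len(level) > 1:
        level = _pad(level)
        level = [node_hash(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def merkle_root(txs) -> bytes:
    """The value that goes into the block header."""
    return build_tree(txs)[-1][0]

def merkle_branch(txs, index):
    """What a light node downloads for txs[index]: one sibling hash per level,
    tagged with whether that sibling sits to the left of the path."""
    branch = []
    for level in build_tree(txs)[:-1]:
        level = _pad(level)
        sibling = index ^ 1
        branch.append((level[sibling], sibling < index))
        index //= 2
    return branch

def verify_branch(tx: bytes, branch, root: bytes) -> bool:
    """Recompute the path from the leaf up to the root.  Any swapped-in
    transaction or altered sibling changes the recomputed root, so the check
    fails without the node ever downloading the other transactions."""
    node = node_hash(tx)
    for sibling, sibling_is_left in branch:
        node = node_hash(sibling + node) if sibling_is_left else node_hash(node + sibling)
    return node == root
```

A light node only needs the header's root, its own transaction and the log2(n)-sized branch; the full block is never fetched.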
Alternative Blockchain Applications

The idea of taking the underlying blockchain idea and applying it to other concepts also has a long history. In 2005, Nick Szabo came out with the concept of "secure property titles with owner authority", a document describing how "new advances in replicated database technology" will allow for a blockchain-based system for storing a registry of who owns what land, creating an elaborate framework including concepts such as homesteading, adverse possession and Georgian land tax. However, there was unfortunately no effective replicated database system a