Ethereum (ETH) Whitepaper

A Next-Generation Smart Contract and Decentralized Application Platform

Satoshi Nakamoto's development of Bitcoin in 2009 has often been hailed as a radical development in money and currency, being the first example of a digital asset which simultaneously has no backing or intrinsic value and no centralized issuer or controller. However, another - arguably more important - part of the Bitcoin experiment is the underlying blockchain technology as a tool of distributed consensus, and attention is rapidly starting to shift to this other aspect of Bitcoin. Commonly cited alternative applications of blockchain technology include using on-blockchain digital assets to represent custom currencies and financial instruments (colored coins), the ownership of an underlying physical device (smart property), non-fungible assets such as domain names (Namecoin), as well as more complex applications involving having digital assets being directly controlled by a piece of code implementing arbitrary rules (smart contracts) or even blockchain-based decentralized autonomous organizations (DAOs). What Ethereum intends to provide is a blockchain with a built-in fully fledged Turing-complete programming language that can be used to create "contracts" that can be used to encode arbitrary state transition functions, allowing users to create any of the systems described above, as well as many others that we have not yet imagined, simply by writing up the logic in a few lines of code.

Table of Contents

Introduction to Bitcoin and Existing Concepts
  o History
  o Bitcoin As A State Transition System
  o Mining
  o Merkle Trees
  o Alternative Blockchain Applications
  o Scripting
Ethereum
  o Ethereum Accounts
  o Messages and Transactions
  o Ethereum State Transition Function
  o Code Execution
  o Blockchain and Mining
Applications
  o Token Systems
  o Financial derivatives
  o Identity and Reputation Systems
  o Decentralized File Storage
  o Decentralized Autonomous Organizations
  o Further Applications
Miscellanea And Concerns
  o Modified GHOST Implementation
  o Fees
  o Computation And Turing-Completeness
  o Currency And Issuance
  o Mining Centralization
  o Scalability
Conclusion
References and Further Reading

Introduction to Bitcoin and Existing Concepts

History

The concept of decentralized digital currency, as well as alternative applications like property registries, has been around for decades. The anonymous e-cash protocols of the 1980s and the 1990s, mostly reliant on a cryptographic primitive known as Chaumian blinding, provided a currency with a high degree of privacy, but the protocols largely failed to gain traction because of their reliance on a centralized intermediary. In 1998, Wei Dai's b-money became the first proposal to introduce the idea of creating money through solving computational puzzles as well as decentralized consensus, but the proposal was scant on details as to how decentralized consensus could actually be implemented. In 2005, Hal Finney introduced a concept of "reusable proofs of work", a system which uses ideas from b-money together with Adam Back's computationally difficult Hashcash puzzles to create a concept for a cryptocurrency, but once again fell short of the ideal by relying on trusted computing as a backend. In 2009, a decentralized currency was for the first time implemented in practice by Satoshi Nakamoto, combining established primitives for managing ownership through public key cryptography with a consensus algorithm for keeping track of who owns coins, known as "proof of work".

The mechanism behind proof of work was a breakthrough in the space because it simultaneously solved two problems. First, it provided a simple and moderately effective consensus algorithm, allowing nodes in the network to collectively agree on a set of canonical updates to the state of the Bitcoin ledger. Second, it provided a mechanism for allowing free entry into the consensus process, solving the political problem of deciding who gets to influence the consensus, while simultaneously preventing sybil attacks.
It does this by substituting a formal barrier to participation, such as the requirement to be registered as a unique entity on a particular list, with an economic barrier: the weight of a single node in the consensus voting process is directly proportional to the computing power that the node brings. Since then, an alternative approach has been proposed called proof of stake, calculating the weight of a node as being proportional to its currency holdings and not computational resources; the discussion of the relative merits of the two approaches is beyond the scope of this paper but it should be noted that both approaches can be used to serve as the backbone of a cryptocurrency.

Bitcoin As A State Transition System

From a technical standpoint, the ledger of a cryptocurrency such as Bitcoin can be thought of as a state transition system, where there is a "state" consisting of the ownership status of all existing bitcoins and a "state transition function" that takes a state and a transaction and outputs a new state which is the result. In a standard banking system, for example, the state is a balance sheet, a transaction is a request to move X from A to B, and the state transition function reduces the value in A's account by X and increases the value in B's account by X. If A's account has less than X in the first place, the state transition function returns an error. Hence, one can formally define:

APPLY(S, TX) -> S' or ERROR

In the banking system defined above:

APPLY({ Alice: 50, Bob: 50 }, "send 20 from Alice to Bob") = { Alice: 30, Bob: 70 }

But:

APPLY({ Alice: 50, Bob: 50 }, "send 70 from Alice to Bob") = ERROR

The "state" in Bitcoin is the collection of all coins (technically, "unspent transaction outputs" or UTXO) that have been minted and not yet spent, with each UTXO having a denomination and an owner (defined by a 20-byte address which is essentially a cryptographic public key[1]). A transaction contains one or more inputs, with each input containing a reference to an existing UTXO and a cryptographic signature produced by the private key associated with the owner's address, and one or more outputs, with each output containing a new UTXO to be added to the state.

The state transition function APPLY(S, TX) -> S' can be defined roughly as follows:

1. For each input in TX:
   o If the referenced UTXO is not in S, return an error.
   o If the provided signature does not match the owner of the UTXO, return an error.
2. If the sum of the denominations of all input UTXO is less than the sum of the denominations of all output UTXO, return an error.
3. Return S with all input UTXO removed and all output UTXO added.

The first half of the first step prevents transaction senders from spending coins that do not exist, the second half of the first step prevents transaction senders from spending other people's coins, and the second step enforces conservation of value. In order to use this for payment, the protocol is as follows. Suppose Alice wants to send 11.7 BTC to Bob. First, Alice will look for a set of available UTXO that she owns that totals up to at least 11.7 BTC. Realistically, Alice will not be able to get exactly 11.7 BTC; say that the smallest she can get is 6+4+2=12. She then creates a transaction with those three inputs and two outputs. The first output will be 11.7 BTC with Bob's address as its owner, and the second output will be the remaining 0.3 BTC "change", with the owner being Alice herself.

Mining

If we had access to a trustworthy centralized service, this system would be trivial to implement; it could simply be coded exactly as described, using a centralized server's hard drive to keep track of the state. However, with Bitcoin we are trying to build a decentralized currency system, so we will need to combine the state transition system with a consensus system in order to ensure that everyone agrees on the order of transactions. Bitcoin's decentralized consensus process requires nodes in the network to continuously attempt to produce packages of transactions called "blocks". The network is intended to produce roughly one block every ten minutes, with each block containing a timestamp, a nonce, a reference to (i.e. hash of) the previous block and a list of all of the transactions that have taken place since the previous block. Over time, this creates a persistent, ever-growing, "blockchain" that constantly updates to represent the latest state of the Bitcoin ledger.

The algorithm for checking if a block is valid, expressed in this paradigm, is as follows:

1. Check if the previous block referenced by the block exists and is valid.
2. Check that the timestamp of the block is greater than that of the previous block[2] and less than 2 hours into the future.
3. Check that the proof of work on the block is valid.
4. Let S[0] be the state at the end of the previous block.
5. Suppose TX is the block's transaction list with n transactions. For all i in 0...n-1, set S[i+1] = APPLY(S[i], TX[i]). If any application returns an error, exit and return false.
6. Return true, and register S[n] as the state at the end of this block.

Essentially, each transaction in the block must provide a valid state transition from what was the canonical state before the transaction was executed to some new state. Note that the state is not encoded in the block in any way; it is purely an abstraction to be remembered by the validating node and can only be (securely) computed for any block by starting from the genesis state and sequentially applying every transaction in every block. Additionally, note that the order in which the miner includes transactions into the block matters; if there are two transactions A and B in a block such that B spends a UTXO created by A, then the block will be valid if A comes before B but not otherwise.

The one validity condition present in the above list that is not found in other systems is the requirement for "proof of work".
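The APPLY(S, TX) definition and Alice's 11.7 BTC payment above, as an added worked example; this is not code from the whitepaper or from any Bitcoin client. It assumes a Lamport one-time signature built from SHA256 in place of Bitcoin's ECDSA so that it runs on the Python standard library alone, takes the 20-byte owner address to be the truncated SHA256 of the public key, and signs a simplified digest over the input references and outputs; the names UTXO, TxError, tx_digest, apply_tx and pay, and the genesis state that gives Alice 6, 4 and 2 BTC, are this example's own.

```python
import hashlib
import os
from dataclasses import dataclass

# Assumed stand-in for Bitcoin's ECDSA: a Lamport one-time signature built from
# SHA256 so the block runs on the standard library. The check APPLY makes is
# the same: the signature must verify under the key behind the owner address.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def sign(sk, msg):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [sk[i][(h >> i) & 1] for i in range(256)]

def verify(pk, msg, sig):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return all(hashlib.sha256(sig[i]).digest() == pk[i][(h >> i) & 1] for i in range(256))

def address(pk):
    """20-byte owner address derived from the public key, as in the paper."""
    return hashlib.sha256(b"".join(a + b for a, b in pk)).digest()[:20]

@dataclass(frozen=True)
class UTXO:
    value: int    # denomination in satoshi (1 BTC = 100_000_000)
    owner: bytes  # 20-byte address

class TxError(Exception):
    pass

def tx_digest(refs, outputs):
    """What the input owners sign: the referenced UTXOs plus every output."""
    h = hashlib.sha256()
    for txid, idx in refs:
        h.update(txid + idx.to_bytes(4, "big"))
    for value, owner in outputs:
        h.update(value.to_bytes(8, "big") + owner)
    return h.digest()

def apply_tx(S, tx):
    """APPLY(S, TX) -> S' from the paper; raises TxError instead of returning ERROR.
    S maps (txid, index) -> UTXO; tx = {"inputs": [(ref, pk, sig)], "outputs": [(value, owner)]}."""
    refs = [ref for ref, _, _ in tx["inputs"]]
    digest = tx_digest(refs, tx["outputs"])
    spent, in_sum = set(), 0
    for ref, pk, sig in tx["inputs"]:
        # Step 1a: the UTXO must exist; listing it twice in one tx is rejected too,
        # a check the paper's wording leaves implicit.
        if ref not in S or ref in spent:
            raise TxError("input UTXO not in state")
        # Step 1b: the key must hash to the owner address and the signature must verify.
        if address(pk) != S[ref].owner or not verify(pk, digest, sig):
            raise TxError("signature does not match owner")
        spent.add(ref)
        in_sum += S[ref].value
    # Step 2: conservation of value (any surplus is the miner's fee).
    if in_sum < sum(v for v, _ in tx["outputs"]):
        raise TxError("outputs exceed inputs")
    # Step 3: remove the inputs, add the outputs under the new transaction id.
    S2 = {ref: u for ref, u in S.items() if ref not in spent}
    txid = hashlib.sha256(digest).digest()
    for i, (value, owner) in enumerate(tx["outputs"]):
        S2[(txid, i)] = UTXO(value, owner)
    return S2

def pay(S, sk, pk, to, amount):
    """Alice's procedure: gather her own UTXOs until they cover the amount, pay
    `amount` to `to`, and return the remainder to herself as change."""
    me, refs, total = address(pk), [], 0
    for ref, u in S.items():
        if u.owner == me and total < amount:
            refs.append(ref)
            total += u.value
    if total < amount:
        raise TxError("insufficient funds")
    outputs = [(amount, to)] + ([(total - amount, me)] if total > amount else [])
    sig = sign(sk, tx_digest(refs, outputs))   # one key, one message: sign once
    return {"inputs": [(ref, pk, sig) for ref in refs], "outputs": outputs}

def balance(S, owner):
    return sum(u.value for u in S.values() if u.owner == owner)

def demo():
    BTC = 100_000_000
    alice_sk, alice_pk = keygen()
    _, bob_pk = keygen()
    alice, bob = address(alice_pk), address(bob_pk)
    # Constructed genesis state: Alice owns three UTXOs of 6, 4 and 2 BTC.
    S = {(b"\x00" * 32, i): UTXO(v * BTC, alice) for i, v in enumerate((6, 4, 2))}
    tx = pay(S, alice_sk, alice_pk, bob, 117 * BTC // 10)      # 11.7 BTC to Bob
    S2 = apply_tx(S, tx)
    try:                      # replaying the tx is a double spend: its inputs are gone
        apply_tx(S2, tx)
        replayed = True
    except TxError:
        replayed = False
    return balance(S2, bob), balance(S2, alice), len(tx["inputs"]), replayed

if __name__ == "__main__":
    print(demo())  # (1170000000, 30000000, 3, False)
```

apply_tx rejects a transaction that references the same UTXO in two inputs: read literally, the three steps would count that input's value twice in step 2 and remove it once in step 3, so the duplicate check belongs with the existence check.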
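Steps 1-6 of the block validity check above, together with the nonce search that produces a block in the first place, as an added example; it is not the whitepaper's or any client's code. It assumes the proof-of-work condition the next section describes (the double-SHA256 of the header, read as a 256-bit number, below a target), uses the paper's balance-sheet APPLY as the per-transaction transition, commits the header to the serialized transaction list where a real Bitcoin header carries a Merkle root, and picks a demo target of 2^240 so that mining finishes in a fraction of a second; the block layout, the JSON header serialization, the constructed genesis balances and the names apply_tx, mine, validate, accept and rejection are this example's.

```python
import hashlib
import json

# Assumed demo target: Bitcoin's was ~2^187 when the paper was written; 2^240
# makes a block cost about 65k hash attempts here instead of 2^69.
TARGET = 2 ** 240
TWO_HOURS = 2 * 3600

class BlockError(Exception):
    pass

def apply_tx(state, tx):
    """The paper's balance-sheet APPLY: {"from", "to", "amount"} -> new state or error."""
    if state.get(tx["from"], 0) < tx["amount"]:
        raise BlockError("insufficient balance for %s" % tx["from"])
    new = dict(state)
    new[tx["from"]] -= tx["amount"]
    new[tx["to"]] = new.get(tx["to"], 0) + tx["amount"]
    return new

def header_prefix(block):
    """Header fields other than the nonce, serialized deterministically."""
    return json.dumps([block["prev"], block["time"], block["txs"]], sort_keys=True).encode()

def hash_with_nonce(prefix, nonce):
    return hashlib.sha256(hashlib.sha256(prefix + nonce.to_bytes(8, "big")).digest()).digest()

def block_hash(block):
    """Double-SHA256 of the header, as in Bitcoin (the serialized transaction
    list stands in for the Merkle root a real header would carry)."""
    return hash_with_nonce(header_prefix(block), block["nonce"])

def pow_valid(block):
    return int.from_bytes(block_hash(block), "big") < TARGET

def mine(prev_hash, timestamp, txs):
    """Trial and error: increment the nonce until the header hash is below TARGET."""
    block = {"prev": prev_hash, "time": timestamp, "nonce": 0, "txs": list(txs)}
    prefix = header_prefix(block)   # fixed while only the nonce varies
    while int.from_bytes(hash_with_nonce(prefix, block["nonce"]), "big") >= TARGET:
        block["nonce"] += 1
    return block

def validate(chain, states, block, now):
    """Steps 1-6 from the paper. chain and states map an accepted block's hex hash
    to the block and to the state after it; returns S[n] for the caller to register."""
    prev = block["prev"]
    if prev not in chain:                                             # 1
        raise BlockError("previous block unknown or invalid")
    if not chain[prev]["time"] < block["time"] < now + TWO_HOURS:     # 2
        raise BlockError("bad timestamp")
    if not pow_valid(block):                                          # 3
        raise BlockError("invalid proof of work")
    state = states[prev]                                              # 4
    for tx in block["txs"]:                                           # 5
        state = apply_tx(state, tx)   # first failing transition rejects the block
    return state                                                      # 6

def accept(chain, states, block, now):
    """Validate, then register the block and the state at its end."""
    h = block_hash(block).hex()
    states[h] = validate(chain, states, block, now)
    chain[h] = block
    return h

def rejection(chain, states, block, now):
    """Why a block is rejected, or None if it is valid."""
    try:
        validate(chain, states, block, now)
        return None
    except BlockError as e:
        return str(e)

def demo():
    genesis = {"prev": "0" * 64, "time": 1_000_000, "nonce": 0, "txs": []}
    chain, states = {}, {}
    g = block_hash(genesis).hex()
    chain[g], states[g] = genesis, {"Alice": 50, "Bob": 50}   # constructed genesis state
    a2b = {"from": "Alice", "to": "Bob", "amount": 20}
    b2c = {"from": "Bob", "to": "Carol", "amount": 60}
    now = genesis["time"] + 1200
    # Order matters: Bob can only pay 60 once Alice's 20 has arrived.
    good = mine(g, genesis["time"] + 600, [a2b, b2c])
    h1 = accept(chain, states, good, now)
    wrong_order = mine(g, genesis["time"] + 600, [b2c, a2b])
    # Editing an accepted block changes its hash, so its proof of work no longer holds.
    tampered = dict(good, txs=[dict(a2b, amount=30), b2c])
    # A block built on the accepted one but timestamped before it is rejected.
    stale = mine(h1, good["time"] - 1, [])
    return (states[h1], rejection(chain, states, wrong_order, now),
            rejection(chain, states, tampered, now), rejection(chain, states, stale, now))

if __name__ == "__main__":
    print(demo())
```

Step 1's "exists and is valid" is satisfied by only ever registering blocks that have passed validate, so membership in chain implies validity. Two simplifications to keep in mind when reading a real client: Bitcoin's header commits to the transactions through a Merkle root rather than the serialized list, and fork choice follows the chain with the most cumulative proof of work rather than the most blocks, which coincide only while the difficulty is constant.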
The precise condition is that the double-SHA256 hash of every block, treated as a 256-bit number, must be less than a dynamically adjusted target, which as of the time of this writing is approximately 2^187. The purpose of this is to make block creation computationally "hard", thereby preventing sybil attackers from remaking the entire blockchain in their favor. Because SHA256 is designed to be a completely unpredictable pseudorandom function, the only way to create a valid block is simply trial and error, repeatedly incrementing the nonce and seeing if the new hash matches.

At the current target of ~2^187, the network must make an average of ~2^69 tries before a valid block is found; in general, the target is recalibrated by the network every 2016 blocks so that on average a new block is produced by some node in the network every ten minutes. In order to compensate miners for this computational work, the miner of every block is entitled to include a transaction giving themselves 25 BTC out of nowhere. Additionally, if any transaction has a higher total denomination in its inputs than in its outputs, the difference also goes to the miner as a "transaction fee". Incidentally, this is also the only mechanism by which BTC are issued; the genesis state contained no coins at all.

In order to better understand the purpose of mining, let us examine what happens in the event of a malicious attacker. Since Bitcoin's underlying cryptography is known to be secure, the attacker will target the one part of the Bitcoin system that is not protected by cryptography directly: the order of transactions. The attacker's strategy is simple:

1. Send 100 BTC to a merchant in exchange for some product (preferably a rapid-delivery digital good)
2. Wait for the delivery of the product
3. Produce another transaction sending the same 100 BTC to himself
4. Try to convince the network that his transaction to himself was the one that came first.

Once step (1) has taken place, after a few minutes some miner will include the transaction in a block, say block number 270000. After about one hour, five more blocks will have been added to the chain after that block, with each of those blocks indirectly pointing to the transaction and thus "confirming" it. At this point, the merchant will accept the payment as finalized and deliver the product; since we are assuming this is a digital good, delivery is instant. Now, the attacker creates another transaction sending the 100 BTC to himself. If the attacker simply releases it into the wild, the transaction will not be processed; miners will attempt to run APPLY(S, TX) and notice that TX consumes a UTXO which is no longer in the state. So instead, the attacker creates a "fork" of the blockchain, starting by mining another version of block 270000 pointing to the same block 269999 as a parent but with the new transaction in place of the old one. Because the block data is different, this requires redoing the proof of work. Furthermore, the attacker's new version of block 270000 has a different hash, so the original blocks 270001 to 270005 do not "point" to it; thus, the original chain and the attacker's new chain are completely separate. The rule is that in a fork the longest blockchain is taken to be the truth, and so legitimate miners will work on the 270005 chain while the attacker alone is working on the 270000 chain. In order for the attacker to make his blockchain the longest, he would need to have more computational power than the rest of the network combined in order to catch up (hence, "51% attack").

Merkle Trees

[Figure. Left: it suffices to present only a small number of nodes in a Merkle tree to give a proof of the validity of a branch. Right: any attempt to change any part of the Merkle tree will eventually lead to an inconsistency somewhere up the chain.]

An important scalability feature of Bitcoin is that the block is stored in a multi-level data structure. The "hash" of a block is actually only the hash of the block header, a roughly 200-byte piece of data that contains the timestamp, nonce, previous block hash and the root hash of a data structure called the Merkle tree storing all transactions in the block. A Merkle tree is a type of binary tree, composed of a set of nodes with a large number of leaf nodes at the bottom of the tree containing the underlying data, a set of intermediate nodes where each node is the hash of its two children, and finally a single root node, also formed from the hash of its two children, representing the "top" of the tree. The purpose of the Merkle tree is to allow the data in a block to be delivered piecemeal: a node can download only the header of a block from one source, the small part of the tree relevant to them from another source, and still be assured that all of the data is correct. The reason why this works is that hashes propagate upward: if a malicious user attempts to swap in a fake transaction into the bottom of a Merkle tree, this change will cause a change in the node above, and then a change in the node above that, finally changing the root of the tree and therefore the hash of the block, causing the protocol to register it as a completely different block (almost certainly with an invalid proof of work).

The Merkle tree protocol is arguably essential to long-term sustainability. A "full node" in the Bitcoin network, one that stores and processes the entirety of every block, takes up about 15 GB of disk space in the Bitcoin network as of April 2014, and is growing by over a gigabyte per month. Currently, this is viable for some desktop computers and not phones, and later on in the future only businesses and hobbyists will be able to participate. A protocol known as "simplified payment verification" (SPV) allows for another class of nodes to exist, called "light nodes", which download the block headers, verify the proof of work on the block headers, and then download only the "branches" associated with transactions that are relevant to them. This allows light nodes to determine with a strong guarantee of security what the status of any Bitcoin transaction, and their current balance, is while downloading only a very small portion of the entire blockchain.

Alternative Blockchain Applications

The idea of taking the underlying blockchain idea and applying it to other concepts also has a long history.
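A Merkle tree over a block's transactions, the branch an SPV light node downloads for one transaction, and the tamper check the Merkle Trees section describes, as an added example; it is not the whitepaper's or Bitcoin Core's code. It follows Bitcoin's construction (double-SHA256 for leaves and internal nodes, a level with an odd number of nodes padded by repeating its last hash) on constructed transaction payloads that stand in for serialized transactions; merkle_levels, merkle_branch and verify_branch are names chosen here.

```python
import hashlib

def dsha256(data):
    """Bitcoin's hash: SHA256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def merkle_levels(leaves):
    """Every level of the tree, from the leaf hashes up to the single root.
    As in Bitcoin, a level with an odd number of nodes repeats its last hash."""
    if not leaves:
        raise ValueError("a block always has at least one transaction")
    level = [dsha256(tx) for tx in leaves]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2:
            level = level + [level[-1]]
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]

def merkle_root(leaves):
    return merkle_levels(leaves)[-1][0]

def merkle_branch(leaves, index):
    """The sibling hashes an SPV client needs to link leaf `index` to the root:
    one per level, the sibling of the node on the path (index ^ 1)."""
    branch = []
    for level in merkle_levels(leaves)[:-1]:
        branch.append(level[index ^ 1])
        index //= 2
    return branch

def verify_branch(leaf, index, branch, root):
    """What a light node does: rebuild the path from the leaf and its position,
    hashing the branch's sibling on the correct side, and compare to the root."""
    h = dsha256(leaf)
    for sibling in branch:
        h = dsha256(sibling + h) if index & 1 else dsha256(h + sibling)
        index //= 2
    return h == root

def demo():
    # Constructed payloads standing in for a block's serialized transactions.
    txs = [b"coinbase: 25 BTC to miner", b"Alice -> Bob 11.7 BTC", b"Bob -> Carol 1 BTC",
           b"Carol -> Dave 0.5 BTC", b"Eve -> Frank 2 BTC"]
    root = merkle_root(txs)
    branch = merkle_branch(txs, 1)                  # proof for Alice's payment
    genuine = verify_branch(txs[1], 1, branch, root)
    # Swapping in a fake transaction changes the path to the root: the old branch
    # no longer verifies, and a block rebuilt around the fake has a different root.
    fake = b"Alice -> Bob 117 BTC"
    forged = verify_branch(fake, 1, branch, root)
    root_moved = merkle_root(txs[:1] + [fake] + txs[2:]) != root
    # Side effect of the padding rule: [a, b, c] and [a, b, c, c] share a root.
    padding_collision = merkle_root(txs[:3]) == merkle_root(txs[:3] + txs[2:3])
    return len(txs), len(branch), genuine, forged, root_moved, padding_collision

if __name__ == "__main__":
    print(demo())  # (5, 3, True, False, True, True)
```

The last value demo returns is the caveat to remember when relying on a root alone: because an odd level repeats its last hash, the transaction lists [a, b, c] and [a, b, c, c] produce the same root. Bitcoin Core handles this (CVE-2012-2459) by rejecting a block whose transaction list contains such a duplicate rather than by changing the tree construction.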
In 2005, Nick Szabo came out with the concept of "secure property titles with owner authority", a document describing how "new advances in replicated database technology" will allow for a blockchain-based system for storing a registry of who owns what land, creating an elaborate framework including concepts such as homesteading, adverse possession and Georgian land tax. However, there was unfortunately no effective replicated database system a