By Satoshi Nakamoto
Abstract
A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without relying on financial institutions. Digital signatures solve part of the problem, but the main benefits are lost if a trusted third party is still required to prevent double-spending.
We propose a solution using a peer-to-peer network that timestamps transactions by hashing them into an ongoing chain of proof-of-work, forming a record that cannot be changed without redoing the work. The longest chain serves both as proof of the sequence of events witnessed and as proof that it came from the largest pool of CPU power. As long as honest nodes collectively control more CPU power than any cooperating group of attackers, they will generate the longest chain and outpace the attackers. The network needs minimal structure: messages are broadcast on a best-effort basis, and nodes can leave and rejoin at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.
1. Introduction
Online commerce relies almost exclusively on financial institutions acting as trusted third parties to process electronic payments. The model works well enough for most transactions, but it inherits the weaknesses of trust-based systems: completely non-reversible transactions are not possible, because institutions cannot avoid mediating disputes; the cost of mediation raises transaction costs and rules out small casual payments; and the possibility of reversal forces merchants to demand more information from customers than they otherwise would and to tolerate a certain share of fraud.
Cryptographic proof offers an alternative, enabling any two willing parties to transact directly without a trusted third party. Our system prevents double-spending with a peer-to-peer distributed timestamp server, and it is secure as long as honest nodes collectively control more CPU power than any cooperating group of attackers.
Core Keywords:
- Blockchain
- Decentralization
- Proof-of-Work
- Cryptography
- Double-Spending
- Peer-to-Peer
- Digital Signatures
2. Transactions
An electronic coin is a chain of digital signatures. Each owner transfers the coin to the next by signing a hash of the previous transaction together with the next owner's public key and appending that signature to the end of the coin. A payee verifies the signatures to check the chain of ownership.
Problem: the payee cannot tell whether a previous owner already spent the coin elsewhere. The usual fix is a trusted central mint that checks every transaction. Our system instead requires that transactions be publicly announced and that participants agree on a single history of the order in which they were received; the payee then needs proof that, at the time of each transaction, the majority of nodes agreed it was the first received.
3. Timestamp Servers
A timestamp server takes a hash of a block of items to be timestamped and widely publishes that hash; each timestamp includes the previous one in its hash, forming a chain in which every block reinforces the ones before it. Altering a block changes its hash, so every subsequent block would have to be recomputed, which makes the chain tamper-evident rather than literally immutable.
4. Proof-of-Work
To implement a distributed timestamp server on a peer-to-peer basis, we use Hashcash-style proof-of-work (PoW). Nodes search for a nonce such that the hash of the block header begins with a required number of zero bits; the average work is exponential in the number of zero bits required, yet a candidate can be verified with a single hash. The difficulty is adjusted by a moving average so that blocks arrive at a target rate regardless of total hardware speed. Successfully mined blocks are broadcast, and nodes accept a block only if every transaction in it is valid and not already spent.
Security: PoW makes the decision one-CPU-one-vote rather than one-IP-address-one-vote, so the majority of CPU power controls block generation. To alter a past block an attacker must redo its proof-of-work and that of every block after it, then catch up with and surpass the honest chain; the probability of doing so falls exponentially with the number of blocks added since.
5. Network Workflow
- New transactions broadcast to all nodes.
- Nodes collect transactions into blocks and compete to solve PoW.
- The first node to solve PoW broadcasts the block.
- Nodes validate transactions and accept the block by extending its chain.
- Conflicts resolve when one chain becomes longer (consensus).
Nodes tolerate incomplete data by requesting missing blocks.
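The chain described in sections 3 to 5, together with the double-spend rule from section 2, as an added worked example. This is not code from the whitepaper or from Bitcoin; it is a toy model written for this page. It assumes a stand-in transaction format of {"spends": ..., "creates": ...} with no signatures, a single hash in place of the Merkle root, and a 12-bit difficulty so that mining runs in milliseconds; mine_block, validate_chain, tamper and remine_from are names chosen here. It shows why altering a block forces the attacker to redo the work for that block and every block after it, and how a node rejects a second spend of the same output.

```python
import copy
import hashlib
import json

# Toy difficulty: 12 leading zero bits, about 4,096 hash attempts per block, so the
# example mines in milliseconds. Bitcoin's real difficulty is many orders higher.
DIFFICULTY_BITS = 12
GENESIS_PREV = "0" * 64


def sha256d(data: bytes) -> str:
    """Double SHA-256, the hash Bitcoin applies to block headers."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def leading_zero_bits(hexdigest: str) -> int:
    return 256 - int(hexdigest, 16).bit_length()


def tx_root(txs) -> str:
    """Stand-in for the Merkle root: one hash over the block's canonical JSON."""
    return sha256d(json.dumps(txs, sort_keys=True).encode())


def header_hash(prev_hash: str, root: str, nonce: int) -> str:
    return sha256d(f"{prev_hash}|{root}|{nonce}".encode())


def mine_block(prev_hash: str, txs, bits: int = DIFFICULTY_BITS):
    """Hashcash-style proof-of-work: bump the nonce until the header hash
    starts with `bits` zero bits. Verifying the block later costs one hash."""
    root, nonce = tx_root(txs), 0
    while leading_zero_bits(header_hash(prev_hash, root, nonce)) < bits:
        nonce += 1
    return {"prev": prev_hash, "txs": txs, "nonce": nonce}


def block_hash(block) -> str:
    return header_hash(block["prev"], tx_root(block["txs"]), block["nonce"])


def validate_chain(chain, bits: int = DIFFICULTY_BITS):
    """What a node checks before extending a chain: each block links to its
    parent, carries valid proof-of-work, and spends no output twice.
    Returns (ok, reason). Output existence and signatures are not modelled."""
    spent, prev = set(), GENESIS_PREV
    for height, block in enumerate(chain):
        if block["prev"] != prev:
            return False, f"block {height}: prev hash does not match its parent"
        h = block_hash(block)
        if leading_zero_bits(h) < bits:
            return False, f"block {height}: insufficient proof-of-work"
        for tx in block["txs"]:
            if tx["spends"] in spent:
                return False, f"block {height}: double spend of {tx['spends']}"
            spent.add(tx["spends"])
        prev = h
    return True, "ok"


def build_chain(blocks_txs, bits: int = DIFFICULTY_BITS):
    chain, prev = [], GENESIS_PREV
    for txs in blocks_txs:
        chain.append(mine_block(prev, txs, bits))
        prev = block_hash(chain[-1])
    return chain


def tamper(chain, height: int, new_output: str):
    """Copy of `chain` in which the first tx of block `height` pays someone else.
    The block's hash changes, so its proof-of-work and its child's link break."""
    altered = copy.deepcopy(chain)
    altered[height]["txs"][0]["creates"] = new_output
    return altered


def remine_from(chain, height: int, bits: int = DIFFICULTY_BITS):
    """The only repair for a tampered block: redo the work for it and every block
    after it, relinking each to its new parent. An attacker must do this faster
    than the honest network keeps adding blocks."""
    fixed = copy.deepcopy(chain[:height])
    prev = block_hash(fixed[-1]) if fixed else GENESIS_PREV
    for block in chain[height:]:
        fixed.append(mine_block(prev, block["txs"], bits))
        prev = block_hash(fixed[-1])
    return fixed


# Constructed sample: one coin minted in block 0 and passed alice -> bob -> carol.
SAMPLE_TXS = [
    [{"spends": "mint#0", "creates": "coinA@alice"}],
    [{"spends": "coinA@alice", "creates": "coinA@bob"}],
    [{"spends": "coinA@bob", "creates": "coinA@carol"}],
]
DOUBLE_SPEND_TXS = SAMPLE_TXS + [[{"spends": "coinA@alice", "creates": "coinA@mallory"}]]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_TXS)
    print("honest chain:", validate_chain(chain))
    bad = tamper(chain, 1, "coinA@mallory")
    print("tampered block 1:", validate_chain(bad))
    print("block 1 re-mined alone:", validate_chain(remine_from(bad, 1)[:2] + bad[2:]))
    print("re-mined from block 1 onward:", validate_chain(remine_from(bad, 1)))
    print("double spend:", validate_chain(build_chain(DOUBLE_SPEND_TXS)))
```

Re-mining only the altered block is not enough, because the next block still carries the old parent hash; the attacker has to redo every block after it, which is exactly the "redoing the work" cost the abstract refers to. validate_chain does not check that a spent output exists or that a signature authorizes the spend, both of which a real node also verifies.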
6. Incentives
- Block Rewards: The first transaction in a block creates new coins (mining reward), incentivizing participation and distributing currency.
- Transaction Fees: If an output is worth less than its inputs, the difference is a fee collected by the node that mines the block. Once a predetermined number of coins has entered circulation, the incentive can shift entirely to fees and be free of inflation.
- Honesty: Even an attacker who assembles more CPU power than the honest nodes must choose between defrauding people by reversing their own payments and generating new coins. Playing by the rules earns them more new coins than everyone else combined, without undermining the system and the value of their own wealth.
7. Disk Space Optimization
Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. Transactions are hashed in a Merkle tree with only the root included in the block header, so pruning the interior hashes leaves the block hash intact. A block header with no transactions is about 80 bytes; at one block every 10 minutes that is 80 × 6 × 24 × 365 ≈ 4.2 MB per year, well within typical storage even for always-on nodes.
8. Simplified Payment Verification
Users can verify payments without running a full node. They keep a copy of the block headers of the longest proof-of-work chain, obtained by querying network nodes until they are satisfied they have the longest one, and request the Merkle branch linking a transaction to the block it was timestamped in. The user cannot check the transaction itself, but by linking it to a place in the chain they can see that a network node accepted it and that later blocks confirm the acceptance. This holds while honest nodes control the network; if an attacker overpowers it, the simplified method can be fooled by fabricated transactions for as long as the attacker stays ahead. Businesses receiving frequent payments should still run their own nodes.
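The Merkle-tree pruning in section 7 and the SPV check in section 8 rest on the same construction, shown here as an added example (not code from the whitepaper or from Bitcoin). It reproduces Bitcoin's rule of pairing the last hash with itself on a level with an odd number of nodes; merkle_root, merkle_branch and verify_branch are names chosen here, and the five sample transactions are constructed. A node that has pruned everything but the header and the root can still hand out a branch, and an SPV client checks it with a handful of hashes. The branch proves only that the transaction is in a block whose header the client holds, not that the block is on the honest chain, which is the caveat above. One known property of the duplicate-last-hash rule is also exercised: a transaction list ending in a duplicate produces the same root as the list without it, so a full node must reject such blocks rather than trust the root alone.

```python
import hashlib


def sha256d(data: bytes) -> bytes:
    """Double SHA-256 over raw bytes, as Bitcoin hashes transactions and tree nodes."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def _pad_odd(level):
    # Bitcoin pairs the last hash with itself when a level has an odd length.
    return level + [level[-1]] if len(level) % 2 else level


def merkle_root(leaves) -> bytes:
    """Root over a list of 32-byte transaction hashes; the only value kept in the header."""
    level = list(leaves)
    while len(level) > 1:
        level = _pad_odd(level)
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def merkle_branch(leaves, index):
    """Sibling hashes from leaf `index` up to the root, as (sibling, sibling_is_right)
    pairs. This is what a full node hands an SPV client; its size is O(log n)."""
    level, branch = list(leaves), []
    while len(level) > 1:
        level = _pad_odd(level)
        sibling = index ^ 1
        branch.append((level[sibling], sibling > index))
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return branch


def verify_branch(leaf: bytes, branch, root: bytes) -> bool:
    """SPV check: fold the leaf up the branch and compare with the header's root."""
    h = leaf
    for sibling, on_right in branch:
        h = sha256d(h + sibling) if on_right else sha256d(sibling + h)
    return h == root


# Constructed sample block: five transactions; a pruned node keeps only HEADER_ROOT.
SAMPLE_TXS = [b"tx%d" % i for i in range(5)]
LEAVES = [sha256d(tx) for tx in SAMPLE_TXS]
HEADER_ROOT = merkle_root(LEAVES)


def spv_check(tx: bytes, branch, header_root: bytes = HEADER_ROOT) -> bool:
    """What a lightweight client does with a transaction and the branch it was given."""
    return verify_branch(sha256d(tx), branch, header_root)


def ends_in_duplicate(leaves) -> bool:
    """Full-node guard: a tx list whose tail is duplicated shares its root with the
    shorter list, so the root alone cannot distinguish them."""
    return len(leaves) > 1 and leaves[-1] == leaves[-2]


if __name__ == "__main__":
    branch = merkle_branch(LEAVES, 3)
    print("tx3 in block:", spv_check(b"tx3", branch))
    print("forged tx with tx3's branch:", spv_check(b"forged", branch))
    print("duplicate tail shares root:", merkle_root(LEAVES + [LEAVES[-1]]) == HEADER_ROOT)
```

Pruning a block to its header keeps HEADER_ROOT intact, so branches served later still verify; a client should also confirm the header itself sits on the longest chain it knows, since verify_branch says nothing about that.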
9. Value Combining & Privacy
- Transactions support multiple inputs/outputs for splitting/combining values.
- Privacy: The traditional banking model keeps parties and amounts private by limiting access to information. Here every transaction is announced publicly, so privacy is preserved instead by keeping public keys anonymous: the public sees that someone is sending an amount to someone else, but nothing ties a key to a person. Using a fresh key pair for each transaction prevents payments from being linked to a common owner, although a transaction with several inputs necessarily reveals that those inputs belonged to the same party.
10. Calculations
The race between the honest chain and an attacker's chain is a binomial random walk. With q = the attacker's share of CPU power and p = 1 − q, the probability that the attacker ever catches up from z blocks behind is 1 if p ≤ q and (q/p)^z otherwise, which decays exponentially with z when q < p. To decide how many confirmations z to wait for, the recipient also has to allow for the progress the attacker made while those z blocks were being generated; that progress is Poisson-distributed with expected value λ = z·q/p. Summing over the attacker's possible progress k gives the probability of eventual success, which the whitepaper computes in C (the function assumes q < p):

    #include <math.h>

    /* Probability that an attacker with CPU share q eventually overtakes
     * the honest chain after the recipient has waited for z confirmations. */
    double AttackerSuccessProbability(double q, int z) {
        double p = 1.0 - q;
        double lambda = z * (q / p);   /* expected attacker progress during z blocks */
        double sum = 1.0;
        for (int k = 0; k <= z; k++) {
            /* Poisson density of the attacker having mined k blocks so far */
            double poisson = exp(-lambda);
            for (int i = 1; i <= k; i++) poisson *= lambda / i;
            /* subtract the cases where the attacker still fails to catch up */
            sum -= poisson * (1 - pow(q / p, z - k));
        }
        return sum;
    }

Results: the probability drops exponentially with z. For P < 0.1%, the whitepaper's table gives z = 5 at q = 0.10, z = 11 at q = 0.20, z = 24 at q = 0.30 and z = 89 at q = 0.40.
11. Conclusion
We’ve proposed a trustless electronic cash system using cryptographic proof and decentralized consensus. The network’s robustness lies in its simplicity—nodes cooperate without central coordination, and security scales with honest CPU power.
FAQ
Q1: How does Bitcoin prevent double-spending?
A1: Through decentralized consensus: every transaction is broadcast, nodes include the first spend they see in a block, and the longest valid proof-of-work chain settles the order. Reversing a confirmed spend would require redoing the proof-of-work of that block and of every block after it faster than the honest network extends the chain.
Q2: What is proof-of-work?
A2: A puzzle that takes significant CPU effort to solve (finding a nonce such that the block hash begins with a required number of zero bits) but whose solution is verified with a single hash, so blocks are expensive to create and cheap to check.
Q3: Can transactions remain private?
A3: Partially. Public keys carry no identity and a new key pair per transaction avoids linking payments to one owner, but every transaction is public, and a transaction with several inputs reveals that those inputs belonged to the same party.
Q4: How are miners incentivized?
A4: Via block rewards (new coins) and transaction fees, aligning their interests with network security.
Q5: What if attackers control 51% of CPU power?
A5: They could rewrite recent blocks and reverse their own recent payments, but they could not create coins out of thin air or spend coins they never owned, because nodes reject invalid transactions. The whitepaper argues that such an attacker gains more by playing by the rules, which rewards them with more new coins than everyone else combined, than by undermining the system and the value of their own wealth.
Q6: How scalable is Bitcoin’s storage model?
A6: Spent transactions can be pruned and the Merkle tree compacted without breaking the block hash; the block headers that must be kept are about 80 bytes each, roughly 4.2 MB per year at one block every 10 minutes.