Bitcoin: A Peer-to-Peer Electronic Cash System
Satoshi Nakamoto
[email protected]
www.bitcoin.org
Abstract. A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution. Digital signatures provide part of the solution, but the main benefits are lost if a trusted third party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as a majority of CPU power is controlled by nodes that are not cooperating to attack the network, they'll generate the longest chain and outpace attackers. The network itself requires minimal structure. Messages are broadcast on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone.
1. Introduction
Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments. While the system works well enough for most transactions, it still suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not really possible, since financial institutions cannot avoid mediating disputes. The cost of mediation increases transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for non-reversible services. With the possibility of reversal, the need for trust spreads. Merchants must be wary of their customers, hassling them for more information than they would otherwise need. A certain percentage of fraud is accepted as unavoidable. These costs and payment uncertainties can be avoided in person by using physical currency, but no mechanism exists to make payments over a communications channel without a trusted party.
What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party. Transactions that are computationally impractical to reverse would protect sellers from fraud, and routine escrow mechanisms could easily be implemented to protect buyers. In this paper, we propose a solution to the double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of the chronological order of transactions. The system is secure as long as honest nodes collectively control more CPU power than any cooperating group of attacker nodes.
2. Transactions
We define an electronic coin as a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin. A payee can verify the signatures to verify the chain of ownership.
The problem of course is the payee can't verify that one of the owners did not double-spend the coin. A common solution is to introduce a trusted central authority, or mint, that checks every transaction for double spending. After each transaction, the coin must be returned to the mint to issue a new coin, and only coins issued directly from the mint are trusted not to be double-spent. The problem with this solution is that the fate of the entire money system depends on the company running the mint, with every transaction having to go through them, just like a bank.
We need a way for the payee to know that the previous owners did not sign any earlier transactions. For our purposes, the earliest transaction is the one that counts, so we don't care about later attempts to double-spend. The only way to confirm the absence of a transaction is to be aware of all transactions. In the mint based model, the mint was aware of all transactions and decided which arrived first. To accomplish this without a trusted party, transactions must be publicly announced [1], and we need a system for participants to agree on a single history of the order in which they were received. The payee needs proof that at the time of each transaction, the majority of nodes agreed it was the first received.
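The coin-as-signature-chain described in this section, as an added example that is not code from the paper: it verifies a chain of ownership and shows that two conflicting transfers of the same coin both verify, which is why signatures alone cannot rule out double-spending. The signature scheme (a Lamport one-time signature, used so that only `hashlib` is needed), the transaction layout and all function names are assumptions of the example.

```python
import hashlib
import secrets

def H(data):
    return hashlib.sha256(data).digest()

def keygen():
    # Lamport one-time key pair (stand-in scheme so the example needs only hashlib).
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, b"".join(H(a) + H(b) for a, b in sk)

def _bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(msg)))

def verify(pk, msg, sig):
    if len(pk) != 256 * 64 or len(sig) != 256 * 32:
        return False
    return all(H(sig[32 * i:32 * i + 32]) == pk[64 * i + 32 * b:64 * i + 32 * b + 32]
               for i, b in enumerate(_bits(msg)))

def tx_hash(tx):
    return H(tx["prev"] + tx["next_pk"] + tx["sig"])

def transfer(prev_tx, owner_sk, next_pk):
    # The current owner signs (hash of previous transaction || next owner's public key).
    prev = tx_hash(prev_tx)
    return {"prev": prev, "next_pk": next_pk, "sig": sign(owner_sk, prev + next_pk)}

def verify_chain(chain):
    # Each transfer must link to its predecessor and be signed by the owner it named.
    for prev_tx, tx in zip(chain, chain[1:]):
        linked = tx["prev"] == tx_hash(prev_tx)
        signed = verify(prev_tx["next_pk"], tx["prev"] + tx["next_pk"], tx["sig"])
        if not (linked and signed):
            return False
    return True

def demo():
    # Constructed sample: owner A receives a coin, then signs it over twice.
    (sk_a, pk_a), (_, pk_b), (_, pk_c) = keygen(), keygen(), keygen()
    genesis = {"prev": bytes(32), "next_pk": pk_a, "sig": b""}
    to_b = transfer(genesis, sk_a, pk_b)
    to_c = transfer(genesis, sk_a, pk_c)      # same coin, second recipient
    altered = dict(to_b, next_pk=pk_c)        # recipient changed after signing
    return [verify_chain([genesis, t]) for t in (to_b, to_c, altered)]

if __name__ == "__main__":
    print(demo())
```

Both signed transfers pass verification while the altered one fails, so a payee holding only one chain cannot tell whether an earlier conflicting transfer exists.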
3. Timestamp Server
The solution we propose begins with a timestamp server. A timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash, such as in a newspaper or Usenet post [2-5]. The timestamp proves that the data must have existed at the time, obviously, in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.
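The chained timestamps described above, as an added example that is not code from the paper: each block's hash covers its items and the previous hash, and the example reports which already published hashes stop matching when one old item is rewritten. The all-zero starting value, the length-prefixed item encoding and the function names are assumptions of the example.

```python
import hashlib

GENESIS = bytes(32)  # assumed all-zero "previous timestamp" for the first block

def timestamp(prev_hash, items):
    # Hash covers the previous timestamp plus every item (length-prefixed
    # so item boundaries cannot be shifted without changing the hash).
    h = hashlib.sha256(prev_hash)
    for item in items:
        h.update(len(item).to_bytes(4, "big") + item)
    return h.digest()

def publish(batches):
    # Returns the list of hashes that would be widely published, one per block.
    hashes, prev = [], GENESIS
    for items in batches:
        prev = timestamp(prev, items)
        hashes.append(prev)
    return hashes

def first_mismatch(batches, published):
    # Recompute the chain from the claimed items; None means everything matches.
    for i, (mine, theirs) in enumerate(zip(publish(batches), published)):
        if mine != theirs:
            return i
    return None if len(batches) == len(published) else min(len(batches), len(published))

def invalidated_by_edit(batches, block, item, new_value):
    # Which published hashes stop matching if one old item is rewritten?
    edited = [list(b) for b in batches]
    edited[block][item] = new_value
    before, after = publish(batches), publish(edited)
    return [i for i in range(len(before)) if before[i] != after[i]]

def demo():
    # Constructed sample batches of items to be timestamped.
    batches = [[b"doc-a", b"doc-b"], [b"doc-c"], [b"doc-d", b"doc-e"], [b"doc-f"]]
    published = publish(batches)
    return first_mismatch(batches, published), invalidated_by_edit(batches, 1, 0, b"doc-x")

if __name__ == "__main__":
    print(demo())
```

Rewriting an item in block 1 changes the hash of that block and of every later block, while the earlier block's hash is unaffected.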
[Figure: timestamp chain. Two blocks, each containing items (Item, Item, ...) and a Hash.]
[Figure: transaction chain. Three transactions, each labelled with an owner's Public Key, the previous owner's Signature and a Hash, with Verify and Sign steps and the owners' Private Keys.]