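Continuing from the previous post, let's keep going with Part 11 of the Bitcoin whitepaper: Calculations.
Calculations
As usual, the original text is placed here for reference; read it in the original if you can.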
We consider the scenario of an attacker trying to generate an alternate chain faster than the honest chain. Even if this is accomplished, it does not throw the system open to arbitrary changes, such as creating value out of thin air or taking money that never belonged to the attacker. Nodes are not going to accept an invalid transaction as payment, and honest nodes will never accept a block containing them. An attacker can only try to change one of his own transactions to take back money he recently spent.
The race between the honest chain and an attacker chain can be characterized as a Binomial Random Walk. The success event is the honest chain being extended by one block, increasing its lead by +1, and the failure event is the attacker's chain being extended by one block, reducing the gap by -1.
The probability of an attacker catching up from a given deficit is analogous to a Gambler's Ruin problem. Suppose a gambler with unlimited credit starts at a deficit and plays potentially an infinite number of trials to try to reach breakeven. We can calculate the probability he ever reaches breakeven, or that an attacker ever catches up with the honest chain, as follows:
Given our assumption that, the probability drops exponentially as the number of blocks the attacker has to catch up with increases. With the odds against him, if he doesn't make a lucky lunge forward early on, his chances become vanishingly small as he falls further behind.
We now consider how long the recipient of a new transaction needs to wait before being sufficiently certain the sender can't change the transaction. We assume the sender is an attacker who wants to make the recipient believe he paid him for a while, then switch it to pay back to himself after some time has passed. The receiver will be alerted when that happens, but the sender hopes it will be too late.
The receiver generates a new key pair and gives the public key to the sender shortly before signing. This prevents the sender from preparing a chain of blocks ahead of time by working on it continuously until he is lucky enough to get far enough ahead, then executing the transaction at that moment. Once the transaction is sent, the dishonest sender starts working in secret on a parallel chain containing an alternate version of his transaction.
The recipient waits until the transaction has been added to a block and blocks have been linked after it. He doesn't know the exact amount of progress the attacker has made, but assuming the honest blocks took the average expected time per block, the attacker's potential progress will be a Poisson distribution with expected value:
To get the probability the attacker could still catch up now, we multiply the Poisson density for each amount of progress he could have made by the probability he could catch up from that point:
Rearranging to avoid summing the infinite tail of the distribution...
Converting to C code...
Running some results, we can see the probability drop off exponentially with .
Solving for P less than 0.1%...
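Where Bitcoin's security comes from
This chapter of the original really is long, and explaining it takes some effort; I'll try to put it in plain language.
Conclusion first. What this chapter says is:
Bitcoin's security rests on two things: hashpower (who is doing the computing) and time (how many block confirmations you wait for). The more blocks you wait, the more the probability that someone trying to "turn the tables" (a successful attack) succeeds drops exponentially, and it soon becomes negligible.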
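Why probability
First question: why calculate a "probability" at all?
Someone (the attacker) wants to quietly cheat: for example, first pay you so that you believe it, then privately start another chain in which that transaction is changed to return the money to himself.
Can this dirty trick succeed? It all depends on how fast the attacker (the payer) can run, that is, how much hashpower he has, and on how many block confirmations you (the payee) have waited for.
That still sounds a bit nerve-racking, but don't worry, let's read on.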
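Good vs. evil: the chase
We can think of the probability as a "chase race" between two teams:
The honest team runs one lap every 10 minutes (produces one block), and its total headcount (or speed) is huge. The attacker team is running too, but it has few people (little hashpower); sometimes it gains a lap, sometimes it falls behind.
Once you receive a payment and it has been "stamped" on the chain (included in a block), every additional block that follows means the honest team has run one more lap ahead, and it becomes harder for the attacker to catch up.
In effect, each extra block you wait for is one more lap of lead for the honest team. The longer you wait, the lower the probability that the attacker team pulls it off, and the drop is exponential. So the difficulty is really considerable.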
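Breaking it down
The original lists a whole pile of formulas and numbers, plus a program and tables; without some background it is easy to get lost.
But we are not mathematicians or researchers and need not be that rigorous. Ordinary people have their own way of understanding: analogy.
Translating the probability formula in the text into the simple table below makes it less hard to understand, doesn't it? So what is this table trying to say?
Look at the 10% row first: if the attacker has only 10% of the network's hashpower and wants to overturn a transaction after 6 confirmations, the success probability is only 0.024%, that is, roughly 2 in 10,000. This is where the industry's common saying "6 confirmations is fairly safe" comes from.
Next, the 20% row: if the attacker's hashpower is as high as 20%, 6 confirmations still carry a 1% risk, so large transactions should wait for more confirmations, such as 10 to 12, to lower the bad actor's probability of success.
Then the 30%/40% rows: the number of confirmations has to rise sharply to be safe.
Finally, the 50% row: when the bad actor controls half the hashpower, his success probability is effectively 100%, basically a sure win. That is why people often say "as long as Bitcoin guards against a 51% attack, it is secure".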
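Used-car sale
The explanation above is still a bit abstract, so let's continue with an example: buying and selling a used car. How is this applied in practice?
Again a table, which is more intuitive.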
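Prevention in advance
Finally, the whitepaper also raises a key point:
Before signing, the payee generates a new public/private key pair and gives the public key to the payer, in order to stop the payer from secretly "pre-mining" a chain containing a replacement transaction ahead of time.
What does that mean? In plain language:
If the payer keeps practicing building a "fake chain" in advance and releases the transaction only at a favorable moment, he may gain an advantage. By using a new address, the payee ensures the payer cannot "prepare" in advance an old chain that could directly replace the real one, which guards against this risk.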