[White paper] Ethereum: a next-generation smart contract and decentralized application platform

cnstartech 2022-04-03 20:11:39 Views: 916


When Satoshi Nakamoto launched the Bitcoin blockchain in January 2009, he simultaneously introduced two radical and untested concepts. The first is bitcoin (BTC), a decentralized peer-to-peer online currency that maintains a value without any backing, intrinsic value or central issuer. So far, bitcoin has attracted most of the public attention, both for the political implications of a currency without a central bank and for its extreme price volatility.

However, there is an equally important part of Nakamoto's grand experiment: the concept of a proof-of-work-based blockchain that allows the public to reach consensus on the order of transactions. Bitcoin as an application can be described as a first-to-file system: if one entity has 50 BTC and simultaneously sends the same 50 BTC to A and to B, only the transaction that gets confirmed first will take effect. There is no intrinsic way of determining which of two transactions came earlier, and for decades this stymied the development of decentralized digital currency. Nakamoto's blockchain was the first credible decentralized solution. Now, developers' attention is rapidly turning to this second part of bitcoin's technology: how the blockchain concept can be applied to fields other than money.

Commonly cited applications include using on-chain digital assets to represent custom currencies and financial instruments (colored coins), the ownership of an underlying physical device (smart property), non-fungible assets such as domain names (Namecoin), and more complex applications such as decentralized exchanges, financial derivatives, peer-to-peer gambling and on-blockchain identity and reputation systems.

Another important area of inquiry is "smart contracts": systems that automatically move digital assets according to arbitrary, pre-specified rules. For example, one might have a treasury contract of the form "A can withdraw up to X coins per day, B can withdraw up to Y per day, A and B together can withdraw anything, and A can shut off B's ability to withdraw." The logical extension of this is the decentralized autonomous organization (DAO): a long-term smart contract that holds the assets and encodes the bylaws of an entire organization. What Ethereum intends to provide is a blockchain with a built-in, fully fledged Turing-complete programming language, in which contracts can be written that encode arbitrary state transition functions, so that users can create any of the systems described above, as well as many others we have not yet imagined, simply by writing up the logic in a few lines of code.


● History
  ○ Bitcoin as a state transition system
  ○ Mining
  ○ Merkle trees
  ○ Alternative blockchain applications
  ○ Scripting

● Ethereum
  ○ Ethereum accounts
  ○ Messages and transactions
  ○ Ethereum state transition function
  ○ Code execution
  ○ Blockchain and mining

● Applications
  ○ Token systems
  ○ Financial derivatives
  ○ Identity and reputation systems
  ○ Decentralized file storage
  ○ Decentralized autonomous organizations
  ○ Further applications

● Miscellanea and concerns
  ○ Modified GHOST implementation
  ○ Fees
  ○ Computation and Turing-completeness
  ○ Currency and issuance
  ○ Mining centralization
  ○ Scalability

● Overview: decentralized applications

● Conclusion

● Notes and further reading



The concept of decentralized digital currency, as well as alternative applications such as property registries, has been around for decades. The anonymous e-cash protocols of the 1980s and 1990s, mostly based on the cryptographic primitive known as Chaumian blinding, provided a currency with a high degree of privacy, but none of them gained traction because they all relied on a centralized intermediary. In 1998, Wei Dai's b-money was the first proposal to introduce the idea of creating money by solving computational puzzles together with decentralized consensus, but the proposal did not give a concrete way of actually implementing that consensus. In 2005, Hal Finney introduced the concept of "reusable proofs of work", a system that used ideas from b-money together with Adam Back's computationally hard Hashcash puzzles to create a cryptocurrency, but it once again fell short of the ideal because it relied on trusted computing as a backend.

Because currency is a first-to-file application, where the order of transactions is critical, a decentralized currency needs a way of achieving decentralized consensus. The main roadblock faced by all pre-bitcoin e-cash protocols was that, although research into secure Byzantine-fault-tolerant multi-party consensus had gone on for many years, those protocols solved only half of the problem. They assumed that all participants in the system were known, and produced security margins of the form "if N parties participate, the system can tolerate up to N/4 malicious participants". The problem with this assumption is that in an anonymous setting such security margins are vulnerable to Sybil attacks: a single attacker can create thousands of simulated nodes on a server or botnet and use them to unilaterally secure a majority share.

Nakamoto's innovation was to combine a very simple node-based decentralized consensus protocol with a proof-of-work mechanism. Nodes gain the right to participate in the system through proof of work, packaging transactions every ten minutes into "blocks" that form an ever-growing blockchain. Nodes with a large amount of computing power do have proportionately greater influence, but acquiring more computing power than the entire rest of the network is much harder than creating a million fake nodes. Although the bitcoin blockchain model is crude and simple, it has proven good enough in practice, and in the five years since its launch it has become the bedrock of more than two hundred currencies and protocols around the world.

Bitcoin as a state transition system

From a technical standpoint, the bitcoin ledger can be thought of as a state transition system: there is a "state" consisting of the ownership status of all existing bitcoins, and a "state transition function" that takes the current state and a transaction as input and outputs a new state. In a standard banking system, for example, the state is a balance sheet, a request to transfer $X from A's account to B's account is a transaction, and the state transition function subtracts $X from A's account and adds $X to B's. If A's account holds less than $X to begin with, the state transition function returns an error. So, formally:

APPLY(S,TX) -> S' or ERROR

In the banking system described above:

APPLY({ Alice: $50, Bob: $50 }, "send $20 from Alice to Bob") = { Alice: $30, Bob: $70 }

But:

APPLY({ Alice: $50, Bob: $50 }, "send $70 from Alice to Bob") = ERROR

The "state" in bitcoin is the set of all coins that have been mined and not yet spent (technically, "unspent transaction outputs", or UTXO). Each UTXO has a denomination and an owner (defined by a 20-byte address, which is essentially a hash of a cryptographic public key [1]). A transaction contains one or more inputs and one or more outputs. Each input contains a reference to an existing UTXO together with a cryptographic signature produced by the private key corresponding to the owner's address; each output contains a new UTXO to be added to the state.

The bitcoin state transition function APPLY(S,TX) -> S' can be defined roughly as follows:

  1. For each input in the transaction:

    ● If the referenced UTXO is not in the current state S, return an error.

    ● If the provided signature does not match the owner of the UTXO, return an error.

  2. If the sum of the denominations of all input UTXO is less than the sum of the denominations of all output UTXO, return an error.

  3. Return the new state S', which is S with all input UTXO removed and all output UTXO added.

The first half of the first step prevents the sender from spending coins that do not exist, and the second half prevents the sender from spending other people's coins; the second step enforces conservation of value. Payment then works as follows. Suppose Alice wants to send 11.7 BTC to Bob. In practice Alice will not happen to hold exactly 11.7 BTC; suppose the smallest set of her UTXO that covers the amount is 6 + 4 + 2 = 12 BTC. She therefore creates a transaction with those three inputs and two outputs: the first output is 11.7 BTC owned by Bob (that is, by Bob's bitcoin address), and the second output is the remaining 0.3 BTC owned by Alice herself, the "change".
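The UTXO state transition function described above, written out as an added Python example (not code from the white paper). Values are integer satoshis; the "owner" is a plain label standing in for the 20-byte address, and the ECDSA signature check is replaced by a list of labels that authorised the transaction, so the example concentrates on the three rules: inputs must exist, inputs must be authorised by their owner, and value must be conserved. It also shows why the same UTXO cannot be consumed twice, which is the property the consensus layer later has to defend.

```python
"""Toy model of Bitcoin's UTXO state transition function APPLY(S, TX) -> S'.

Added example, not part of the white paper. Values are integer satoshis; the
"owner" is a plain label standing in for the 20-byte address, and the ECDSA
signature check is replaced by a list of labels that authorised the transaction.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

BTC = 100_000_000            # satoshis per bitcoin
UTXOKey = Tuple[str, int]    # (txid, output index)


@dataclass(frozen=True)
class Output:
    value: int
    owner: str


@dataclass
class Tx:
    txid: str
    inputs: List[UTXOKey]
    outputs: List[Output]
    signers: List[str]       # stand-in for the per-input signatures


class TxError(Exception):
    """Raised when APPLY(S, TX) would return ERROR."""


def apply_tx(state: Dict[UTXOKey, Output], tx: Tx) -> Dict[UTXOKey, Output]:
    """Return S' for a valid tx, or raise TxError; the input state is not mutated."""
    new_state = dict(state)
    total_in = 0
    for ref in tx.inputs:
        # 1a. the referenced UTXO must exist in S (this also catches an input
        #     listed twice, because the first occurrence removes it below)
        if ref not in new_state:
            raise TxError(f"input {ref} does not exist or is already spent")
        utxo = new_state[ref]
        # 1b. the spender must hold the key of the UTXO owner
        if utxo.owner not in tx.signers:
            raise TxError(f"input {ref} is owned by {utxo.owner}, not authorised")
        total_in += utxo.value
        del new_state[ref]
    total_out = sum(o.value for o in tx.outputs)
    # 2. conservation of value: outputs may not exceed inputs; any surplus is the fee
    if total_out > total_in:
        raise TxError(f"outputs {total_out} exceed inputs {total_in}")
    # 3. S' = S minus the spent inputs plus the newly created outputs
    for index, out in enumerate(tx.outputs):
        new_state[(tx.txid, index)] = out
    return new_state


def alice_pays_bob() -> Dict[UTXOKey, Output]:
    """Alice holds 6 + 4 + 2 BTC and pays Bob 11.7 BTC, keeping 0.3 BTC as change."""
    state = {
        ("mined1", 0): Output(6 * BTC, "Alice"),
        ("mined2", 0): Output(4 * BTC, "Alice"),
        ("mined3", 0): Output(2 * BTC, "Alice"),
    }
    tx = Tx(
        txid="tx_alice_bob",
        inputs=list(state),                        # all three UTXO, 12 BTC in total
        outputs=[Output(117 * BTC // 10, "Bob"),   # 11.7 BTC to Bob
                 Output(3 * BTC // 10, "Alice")],  # 0.3 BTC change back to Alice
        signers=["Alice"],
    )
    return apply_tx(state, tx)


def rejected_reason(state: Dict[UTXOKey, Output], tx: Tx) -> str:
    """Return the error message for an invalid tx, or '' if it would be accepted."""
    try:
        apply_tx(state, tx)
        return ""
    except TxError as exc:
        return str(exc)


if __name__ == "__main__":
    s1 = alice_pays_bob()
    print({k: (v.value / BTC, v.owner) for k, v in s1.items()})
    # Mallory tries to spend Bob's new output, Alice tries to respend a consumed
    # input, and Bob tries to create more value than he puts in: all rejected.
    print(rejected_reason(s1, Tx("t1", [("tx_alice_bob", 0)], [Output(BTC, "Mallory")], ["Mallory"])))
    print(rejected_reason(s1, Tx("t2", [("mined1", 0)], [Output(BTC, "Alice")], ["Alice"])))
    print(rejected_reason(s1, Tx("t3", [("tx_alice_bob", 0)], [Output(12 * BTC, "Bob")], ["Bob"])))
```

Note that the double-spend attempt (`t2`) is rejected only because the verifier applies transactions in one agreed order; two conflicting transactions presented to two different verifiers would each look valid on their own, which is exactly the ordering problem the consensus mechanism below exists to solve.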


If we had access to a trustworthy centralized service, this state transition system would be trivial to implement; it could be coded exactly as described. However, we want to build bitcoin into a decentralized currency system, so to make sure everyone agrees on the order of transactions we need to combine the state transition system with a consensus system. Bitcoin's decentralized consensus process requires nodes in the network to continuously attempt to package transactions into "blocks". The network is designed to produce roughly one block every ten minutes, with each block containing a timestamp, a nonce, a reference to (that is, the hash of) the previous block, and a list of all transactions that have taken place since the previous block. Over time this creates a persistent, ever-growing blockchain that constantly updates to represent the latest state of the bitcoin ledger.

Under this paradigm, the algorithm for checking whether a block is valid is as follows:

  1. Check that the previous block referenced by the block exists and is valid.

  2. Check that the timestamp of the block is later than that of the previous block and less than two hours into the future [2].

  3. Check that the proof of work on the block is valid.

  4. Let S[0] be the final state of the previous block.

  5. Let TX be the block's transaction list, with n transactions. For all i in 0...n-1, set S[i+1] = APPLY(S[i],TX[i]). If any application returns an error, exit and return an error.

  6. Return true, and register S[n] as the final state of this block.

Essentially, each transaction in the block must provide a valid state transition. Note that the "state" is not encoded in the block in any way; it is purely an abstraction remembered by the validating node, and for any block it can only be (securely) computed by starting from the genesis state and applying every transaction of every block in order. Also note that the order in which the miner includes transactions in the block matters: if a block contains two transactions A and B such that B spends a UTXO created by A, the block is valid if A comes before B, and invalid otherwise.

The interesting part of the block validation algorithm is the concept of "proof of work": the SHA256 hash of every block, treated as a 256-bit number, must be less than a dynamically adjusted target, which at the time of writing is approximately 2^190. The purpose of proof of work is to make block creation computationally hard, thereby preventing Sybil attackers from remaking the whole blockchain in their favour. Because SHA256 is designed to behave like a completely unpredictable pseudorandom function, the only way to create a valid block is trial and error: repeatedly incrementing the nonce and checking whether the new hash is below the target. At a target of 2^192, a node would need to make an average of 2^64 attempts before finding a valid block. In general, the bitcoin network recalibrates the target every 2016 blocks so that, on average, one block is produced somewhere in the network every ten minutes. To compensate miners for this computational work, the miner of every block is entitled to include a transaction giving themselves 25 BTC out of nowhere. Additionally, if any transaction has a higher total denomination in its inputs than in its outputs, the difference goes to the miner as a "transaction fee". Incidentally, this is also the only mechanism by which BTC are issued; the genesis state contained no coins at all.
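The block validity check and the proof-of-work rule described above, as an added Python example (not code from the white paper). The chain, the transactions and the target are constructed: the target is 2^244 so that a block takes about 2^12 hashes to mine instead of 2^64, the transaction list is committed to with a plain hash instead of a Merkle root, and the state transition steps (4 to 6) are left out because they are the UTXO function shown earlier. The example checks the parent reference, the timestamp window, the proof of work and the body commitment, and then shows the two things an attacker runs into when rewriting a block: a changed body no longer matches the header, and a re-mined header no longer matches the `prev` field of the honest blocks that follow it.

```python
"""Toy proof-of-work chain implementing the block validity check described above.

Added example, not part of the white paper. Transactions are opaque strings and
the block body is committed to with a plain hash rather than a Merkle tree; the
double-SHA256 header hash and the "hash < target" rule mirror Bitcoin.
"""
import hashlib
import json
from typing import Dict, List, Tuple

TWO_HOURS = 2 * 60 * 60
# Constructed target: 2^244, i.e. a valid hash needs 12 leading zero bits, so
# mining takes about 2^12 = 4096 tries on average (Bitcoin's was near 2^190 then).
TOY_TARGET = 2 ** 244


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def header_hash(header: Dict) -> int:
    """Hash of the header only; the body is bound in through the 'txroot' field."""
    return int.from_bytes(sha256d(json.dumps(header, sort_keys=True).encode()), "big")


def tx_commitment(txs: List[str]) -> str:
    """Stand-in for the Merkle root: one hash over the whole transaction list."""
    return sha256d(json.dumps(txs).encode()).hex()


def mine_block(prev_header: Dict, txs: List[str], timestamp: int, target: int) -> Dict:
    """Brute-force the nonce until the header hash falls below the target."""
    header = {"prev": header_hash(prev_header), "txroot": tx_commitment(txs),
              "time": timestamp, "nonce": 0}
    while header_hash(header) >= target:
        header["nonce"] += 1
    return {"header": header, "txs": txs}


def validate_block(block: Dict, prev_block: Dict, target: int, now: int) -> Tuple[bool, str]:
    """Steps 1-3 of the validity check plus the body commitment; prev_block is trusted."""
    h = block["header"]
    if h["prev"] != header_hash(prev_block["header"]):
        return False, "previous block reference does not match"
    if not (prev_block["header"]["time"] < h["time"] <= now + TWO_HOURS):
        return False, "timestamp not after parent or more than 2 hours in the future"
    if header_hash(h) >= target:
        return False, "proof of work does not meet target"
    if h["txroot"] != tx_commitment(block["txs"]):
        return False, "transactions do not match the header commitment"
    return True, "ok"


def validate_chain(chain: List[Dict], target: int, now: int) -> Tuple[bool, str]:
    """chain[0] is the trusted genesis block; every later block is checked against its parent."""
    for i in range(1, len(chain)):
        ok, why = validate_block(chain[i], chain[i - 1], target, now)
        if not ok:
            return False, f"block {i}: {why}"
    return True, "ok"


def build_chain(n_blocks: int, target: int = TOY_TARGET) -> List[Dict]:
    """Constructed chain: genesis plus n_blocks mined ten minutes apart."""
    genesis = {"header": {"prev": 0, "txroot": tx_commitment([]), "time": 1_400_000_000, "nonce": 0},
               "txs": []}
    chain = [genesis]
    for i in range(1, n_blocks + 1):
        txs = [f"tx{i}: alice pays bob {i} BTC"]
        chain.append(mine_block(chain[-1]["header"], txs, genesis["header"]["time"] + 600 * i, target))
    return chain


def tampered_copy(chain: List[Dict]) -> List[Dict]:
    """Attacker rewrites the transaction in block 1 without redoing the work."""
    forged = json.loads(json.dumps(chain))
    forged[1]["txs"] = ["tx1: alice pays mallory 1 BTC"]
    return forged


def remined_fork(chain: List[Dict], target: int) -> List[Dict]:
    """Attacker re-mines block 1 with his own transaction. Its hash changes, so the
    honest blocks that followed no longer point at it; he must mine his own chain."""
    forged_b1 = mine_block(chain[0]["header"], ["tx1: alice pays mallory 1 BTC"],
                           chain[1]["header"]["time"], target)
    return [chain[0], forged_b1] + chain[2:]


if __name__ == "__main__":
    chain = build_chain(3)
    now = chain[-1]["header"]["time"]
    print(validate_chain(chain, TOY_TARGET, now))
    print(validate_chain(tampered_copy(chain), TOY_TARGET, now))
    print(validate_chain(remined_fork(chain, TOY_TARGET), TOY_TARGET, now))
```

In `remined_fork` the forged block 1 itself validates against genesis, because the attacker did redo the work for that one block; the failure appears at block 2, whose `prev` still names the honest block 1. To make his chain the one the network follows he would have to keep mining past the honest chain's height, which is the 51% condition discussed in the next paragraph.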

To better understand the purpose of mining, let us examine what happens when a malicious attacker is present on the bitcoin network. Since bitcoin's underlying cryptography is secure, the attacker will target the one part of the system that is not protected by cryptography directly: the order of transactions. The attacker's strategy is simple:

  1. Send 100 BTC to a merchant in exchange for some product (preferably a digital good that needs no shipping).

  2. Wait for the product to be delivered.

  3. Create another transaction sending the same 100 BTC to himself.

  4. Convince the bitcoin network that the transaction to himself was the one that came first.

Once step (1) has taken place, within a few minutes some miner will include the transaction in a block, say block 270000. After about an hour, five more blocks will have been added after that block, each indirectly pointing to the transaction and thus "confirming" it. At this point the merchant accepts the payment and delivers the product; since we are assuming a digital good, the attacker receives it immediately. Now the attacker creates another transaction sending the same 100 BTC to himself. If he simply broadcasts it, the transaction will not be processed: miners run APPLY(S,TX) and find that it spends a UTXO that is no longer in the state. So instead the attacker forks the blockchain, mining a new version of block 270000 with block 269999 as its parent, in which the new transaction replaces the old one. Because the block data is different, this requires redoing the proof of work. Furthermore, the attacker's new block 270000 has a different hash, so the original blocks 270001 to 270005 do not point to it; the original chain and the attacker's new chain are therefore completely separate. When the blockchain forks, the longest branch is taken to be the honest one, so legitimate miners keep mining on top of the original block 270005 while the attacker alone mines on top of his new block 270000. To make his chain the longest, he would need more computing power than the rest of the network combined in order to catch up (the "51% attack").

Merkle trees

Left: it suffices to present only a small number of nodes in a Merkle tree to give a valid proof of a branch.

Right: any attempt to change any part of the Merkle tree eventually leads to an inconsistency somewhere up the chain.

An important scalability feature of bitcoin is that blocks are stored in a multi-level data structure. The "hash" of a block is actually only the hash of the block header, a small piece of data (80 bytes in bitcoin) that contains the timestamp, the nonce, the hash of the previous block and the root hash of a Merkle tree that stores all of the block's transactions.

A Merkle tree is a binary tree made up of a set of leaf nodes, a set of intermediate nodes and a root node. The large number of leaf nodes at the bottom contain the underlying data, each intermediate node is the hash of its two children, and the root node, also the hash of its two children, represents the top of the tree. The purpose of the Merkle tree is to allow the data in a block to be delivered piecemeal: a node can download the block header from one source and the small part of the tree relevant to it from another source, and still be assured that all of the data is correct. This works because hashes propagate upward: if a malicious user tries to swap in a fake transaction at the bottom of the tree, the change alters the node above it, then the node above that, and finally the root of the tree and therefore the hash of the block, so the protocol registers it as a completely different block (almost certainly one with an invalid proof of work).

The Merkle tree protocol is arguably essential to bitcoin's long-term sustainability. As of April 2014 a "full node" in the bitcoin network, one that stores and processes the entirety of every block, took up about 15 GB of disk space and was growing by more than 1 GB per month. Currently this is viable for desktop computers but not for phones, and in the future only businesses and hobbyists will be able to run full nodes. The "simplified payment verification" (SPV) protocol allows another class of nodes to exist, called "light nodes", which download the block headers, verify the proof of work on those headers, and then download only the "branches" of the Merkle tree associated with the transactions relevant to them. This allows light nodes to determine, with a strong security guarantee, the status of any bitcoin transaction and their current balance while downloading only a very small portion of the entire blockchain.
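The Merkle branch proof that an SPV node checks, as an added Python example (not code from the white paper). The five transactions are constructed so that the tree has an odd level; hashing is bitcoin's double SHA-256, and an odd level is padded by repeating its last node, as bitcoin does. `merkle_branch` is what a full node hands to a light node, `verify_branch` is the light node's side, which needs only the root from the block header, and the demo shows both the tamper-detection property of the previous paragraph (a changed leaf changes the root) and that a proof for one transaction does not validate a different one.

```python
"""Merkle tree, branch proof and SPV-style verification of a transaction's inclusion.

Added example, not part of the white paper. Leaves are constructed transaction
strings; hashing is Bitcoin's double SHA-256 and an odd level is padded by
repeating its last node, as Bitcoin does.
"""
import hashlib
from typing import List, Tuple


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def _pad(level: List[bytes]) -> List[bytes]:
    """Bitcoin pairs an unpaired last node with a copy of itself."""
    return level + [level[-1]] if len(level) % 2 else level


def build_levels(txs: List[bytes]) -> List[List[bytes]]:
    """levels[0] are the leaf hashes, levels[-1] is [root]."""
    level = [sha256d(tx) for tx in txs]
    levels = [level]
    while len(level) > 1:
        level = _pad(level)
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def merkle_root(txs: List[bytes]) -> bytes:
    return build_levels(txs)[-1][0]


def merkle_branch(txs: List[bytes], index: int) -> List[Tuple[bytes, str]]:
    """Sibling hashes from leaf to root, each tagged with the side the sibling is on.
    This is all a full node needs to send a light node to prove txs[index] is in the block."""
    branch = []
    for level in build_levels(txs)[:-1]:
        level = _pad(level)
        sibling = index ^ 1
        branch.append((level[sibling], "left" if sibling < index else "right"))
        index //= 2
    return branch


def verify_branch(tx: bytes, branch: List[Tuple[bytes, str]], root: bytes) -> bool:
    """The light node's check: recompute up the branch using only the header's root."""
    h = sha256d(tx)
    for sibling, side in branch:
        h = sha256d(sibling + h) if side == "left" else sha256d(h + sibling)
    return h == root


# Constructed block body: five transactions, so the tree has an odd level.
TXS = [f"tx{i}: alice pays bob {i} BTC".encode() for i in range(5)]


def demo() -> dict:
    root = merkle_root(TXS)
    branch = merkle_branch(TXS, 3)                     # proof for the fourth transaction
    forged = b"tx3: alice pays mallory 3 BTC"
    return {
        "branch_length": len(branch),                  # a few hashes, not the whole block
        "genuine_accepted": verify_branch(TXS[3], branch, root),
        "forged_rejected": not verify_branch(forged, branch, root),
        # altering a leaf changes the root, so the header (and its proof of work) no longer matches
        "root_changes": merkle_root(TXS[:3] + [forged] + TXS[4:]) != root,
    }


if __name__ == "__main__":
    print(demo())
```

The branch for a block of n transactions has about log2(n) entries, which is why a light node can confirm a payment while downloading kilobytes rather than the whole block; the security of the check rests entirely on the root having been bound into a header whose proof of work the light node has already verified.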

Alternative blockchain applications

The idea of taking the underlying blockchain concept and applying it to other fields also has a long history. In 2005, Nick Szabo came out with the concept of "secure property titles with owner authority", a document describing how advances in replicated database technology would allow a blockchain-based system for registering land ownership, creating an elaborate framework including concepts such as homesteading, adverse possession and Georgist land tax. Unfortunately, no effective replicated database system was available at the time, so the protocol was never implemented in practice. After 2009, however, once bitcoin's decentralized consensus had been developed, a number of alternative applications rapidly began to emerge.

● Namecoin: created in 2010, Namecoin is best described as a decentralized name registration database. Decentralized protocols like Tor, Bitcoin and BitMessage need some way of identifying accounts so that other people can interact with them, but in all existing solutions the only available identifier is a pseudorandom hash like 1LW79wp5ZBqaHW1jL5TciBCrhQYtHagUWy. Ideally, one would like an account with a human-readable name like "george". The problem is that if one person can create the account "george", then someone else can go through the same process and register "george" as well in order to impersonate them. The only solution is a first-to-file paradigm: the first registrant succeeds and the second fails, a problem perfectly suited to the bitcoin consensus protocol. Namecoin is the oldest and most successful implementation of a name registration system built on this idea.

● Colored coins: the purpose of colored coins is to serve as a protocol that lets people create their own digital currencies, or, in the important trivial case of a currency with one unit, digital tokens, on the bitcoin blockchain. In the colored coins protocol, one "issues" a new currency by publicly assigning a color to a specific bitcoin UTXO, and the protocol recursively defines the color of other UTXO to be the same as the color of the inputs spent by the transaction that created them. This lets users maintain wallets containing only UTXO of a specific color and send them around much like ordinary bitcoins, backtracking through the blockchain to determine the color of any UTXO they receive.

● Metacoins: the idea behind a metacoin is a protocol that lives on top of bitcoin, using bitcoin transactions to store metacoin transactions but applying a different state transition function, APPLY'. Because the metacoin protocol cannot prevent invalid metacoin transactions from appearing in the bitcoin blockchain, a rule is added that if APPLY'(S,TX) returns an error, the protocol defaults to APPLY'(S,TX) = S. This provides an easy mechanism for creating an arbitrary, advanced cryptocurrency protocol that could not be implemented inside bitcoin itself, at very low development cost, since the complexities of mining and networking are already handled by the bitcoin protocol.

Thus, in general, there are two approaches to building a consensus protocol: building an independent network, or building a protocol on top of the bitcoin network. The former approach, while reasonably successful in the case of applications like Namecoin, is difficult to implement, because each application needs to bootstrap its own blockchain and build and test all of the necessary state transition and networking code. Additionally, we predict that the set of applications for decentralized consensus technology will follow a power-law distribution in which the vast majority of applications are too small to secure a blockchain of their own, and we note that there are large classes of decentralized applications, particularly decentralized autonomous organizations, that need to interact with one another.

The bitcoin-based approach, on the other hand, has the flaw that it does not inherit bitcoin's simplified payment verification (SPV) property. SPV works for bitcoin because blockchain depth can serve as a proxy for validity: once the ancestors of a transaction go far enough back, it is safe to say that they were legitimately part of the state. Meta-protocols built on the bitcoin blockchain, by contrast, cannot force the blockchain to exclude transactions that are invalid under the meta-protocol. A fully secure SPV implementation of a metacoin protocol would therefore need to scan backwards through every block to the very beginning of the blockchain to determine whether a given transaction is valid. Currently, all "light" implementations of bitcoin-based meta-protocols rely on a trusted server to provide the data, a distinctly suboptimal result for a cryptocurrency whose primary purpose is to eliminate the need for trust.


Scripting

Even without extending the bitcoin protocol, it already supports a weak version of "smart contracts". A bitcoin UTXO can be owned not only by a public key but also by a more complicated script written in a simple stack-based programming language. In this paradigm, a transaction that spends such a UTXO must provide data that satisfies the script. In fact, even the basic public-key ownership mechanism is implemented through a script: the script takes an elliptic curve signature as input, verifies it against the transaction and the address that owns the UTXO, and returns 1 if verification succeeds and 0 otherwise. More complex scripts serve other applications. For example, one can construct a script that requires signatures from two out of three private keys to validate a transaction ("multisig"), which is useful for corporate accounts, savings accounts and some merchant escrow arrangements. Scripts can also be used to pay bounties for solutions to computational problems, and one can even construct a script that says "this bitcoin UTXO is yours if you can provide an SPV proof that you sent a Dogecoin transaction of a given denomination to me", essentially allowing decentralized exchange between different cryptocurrencies.

However, the scripting language as implemented in bitcoin has several serious limitations:

● Lack of Turing-completeness: although the bitcoin scripting language supports a large subset of computation, it does not support everything. The main missing category is loops, which are left out to avoid infinite loops during transaction verification. In theory this is a surmountable obstacle for script programmers, since any loop can be simulated by repeating the underlying code many times behind an if statement, but it leads to very space-inefficient scripts. Implementing an alternative elliptic curve signature algorithm, for example, would probably require 256 repeated multiplication rounds, each written out separately in the code.

● Value-blindness: a UTXO script provides no fine-grained control over how much can be withdrawn. For example, one powerful application of an oracle contract is a hedging contract, in which A and B each put in $1000 worth of BTC and after 30 days the script sends $1000 worth of BTC to A and the rest to B. Although this requires an oracle to determine how many dollars one BTC is worth, it is still a massive improvement in trust and infrastructure requirements over today's fully centralized solutions. However, because a UTXO is indivisible, the only way to implement such a contract is the very inefficient hack of holding many UTXO of varying denominations (for example one UTXO of 2^k for every k up to 30) and having the oracle pick which UTXO to send to A and which to B.

● Lack of state: a UTXO can only be spent or unspent, which leaves no room for multi-stage contracts or scripts that keep any other internal state. This makes multi-stage option contracts, decentralized exchange offers and two-stage cryptographic commitment protocols (necessary for secure computational bounties) very difficult to implement. It also means that UTXO can only be used to build simple one-off contracts rather than more complex "stateful" contracts such as decentralized organizations, and it makes meta-protocols difficult to implement. Binary state combined with value-blindness also means that another important application, withdrawal limits, is impossible.

● Blockchain-blindness: UTXO are blind to blockchain data such as the nonce and the hash of the previous block. This deprives the scripting language of a potentially valuable source of randomness and severely limits applications in gambling and several other categories.

We have thus examined three approaches to building advanced applications on top of cryptocurrency: building a new blockchain, using scripting on top of bitcoin, and building a meta-protocol on top of bitcoin. Building a new blockchain allows unlimited freedom in the feature set, at the cost of development time and bootstrapping effort. Using scripting is easy to implement and standardize, but is very limited in its capabilities. Meta-protocols, while easy to implement, suffer from poor scalability. With Ethereum, our goal is to build a general framework that combines the advantages of all three models at once.

Ethereum

The intent of Ethereum is to integrate and improve on the concepts of scripting, altcoins and on-chain meta-protocols, enabling developers to create arbitrary consensus-based, scalable, standardized, feature-complete, easy-to-develop and interoperable applications. Ethereum does this by building what is essentially the ultimate abstract foundational layer: a blockchain with a built-in Turing-complete programming language, allowing anyone to write contracts and decentralized applications with their own arbitrary rules for ownership, transaction formats and state transition functions. A bare-bones version of Namecoin can be written in two lines of code, and other protocols such as currencies and reputation systems can be built in under twenty. Smart contracts, cryptographic "boxes" that contain value and only unlock it if certain conditions are met, can also be built on the platform, and thanks to the added power of Turing-completeness, value-awareness, blockchain-awareness and state they are far more powerful than anything bitcoin scripting offers.

Ethereum accounts

In Ethereum, the state is made up of objects called "accounts", each with a 20-byte address, and state transitions are direct transfers of value and information between accounts. An Ethereum account contains four fields:

  • the nonce, a counter used to make sure each transaction can only be processed once

  • the account's current ether balance

  • the account's contract code, if present

  • the account's storage (empty by default)

Ether is the main internal crypto-fuel of Ethereum and is used to pay transaction fees. In general there are two types of accounts: externally owned accounts, controlled by private keys, and contract accounts, controlled by their contract code. An externally owned account has no code, and one sends messages from it by creating and signing a transaction. In a contract account, every time the account receives a message its code is activated, allowing it to read and write its internal storage, send other messages or create contracts in turn.

Messages and transactions

Messages in Ethereum are somewhat similar to bitcoin transactions, but with three important differences. First, an Ethereum message can be created either by an external entity or by a contract, whereas a bitcoin transaction can only be created externally. Second, an Ethereum message can optionally contain data. Third, if the recipient of an Ethereum message is a contract account, it has the option of returning a response, which means that Ethereum messages also encompass the concept of functions.

A "transaction" in Ethereum is the signed data package that stores a message to be sent from an externally owned account. A transaction contains the recipient of the message, a signature identifying the sender, the amount of ether to transfer, the data to send, and two values called STARTGAS and GASPRICE. To prevent exponential blowup and infinite loops in code, each transaction must set a limit on the number of computational steps it may use, covering both the initial message and any further messages spawned during execution. STARTGAS is that limit, and GASPRICE is the fee paid to the miner per computational step. If a transaction "runs out of gas" during execution, all state changes revert, but the fees already paid are not refunded; if the transaction halts with gas remaining, the remaining gas is refunded to the sender. There is a separate transaction type, with a corresponding message type, for creating contracts; the address of a contract is computed from the hash of the account nonce and the transaction data.

An important consequence of the messaging mechanism is Ethereum's "first-class citizen" property: contracts have the same powers as external accounts, including the ability to send messages and create other contracts. This allows a contract to play many different roles at once. For example, a member of a decentralized organization (a contract) could act as an escrow account (another contract) between a paranoid individual who uses custom quantum-proof Lamport signatures (a third contract) and a co-signing entity whose account is secured by five private keys (a fourth contract). The strength of the Ethereum platform is that neither the decentralized organization nor the escrow contract needs to care what kind of account each party to the contract is.

Ethereum state transition function

The Ethereum state transition function, APPLY(S,TX) -> S', can be defined as follows:

  1. Check that the transaction is well-formed (i.e. has the right number of values), that the signature is valid, and that the nonce matches the nonce in the sender's account. If not, return an error.

  2. Calculate the transaction fee as fee = STARTGAS * GASPRICE, and determine the sending address from the signature. Subtract the fee from the sender's account balance and increment the sender's nonce. If the balance is insufficient, return an error.

  3. Initialize GAS = STARTGAS, and subtract a certain quantity of gas per byte to pay for the bytes in the transaction.

  4. Transfer the transaction value from the sender's account to the receiving account. If the receiving account does not yet exist, create it. If the receiving account is a contract, run the contract's code, either to completion or until the execution runs out of gas.

  5. If the value transfer failed because the sender did not have enough funds, or the code execution ran out of gas, revert all state changes except the payment of the fee, and add the fee to the miner's account.

  6. Otherwise, refund the fee for all remaining gas to the sender, and send the fee for the gas consumed to the miner.

For example, suppose that the contract's code is:

if !contract.storage[msg.data[0]]:
    contract.storage[msg.data[0]] = msg.data[1]

Note that in reality the contract code is written in the low-level Ethereum virtual machine (EVM) code; the example above is written in Serpent, one of our high-level languages, which can be compiled down to EVM code. Suppose that the contract's storage starts off empty, and a transaction is sent with a value of 10 ether, 2000 gas, a gas price of 0.001 ether, and two data fields with the values [ 2, 'CHARLIE' ] [3]. The state transition function then proceeds as follows:

  1. Check that the transaction is valid and well-formed.

  2. Check that the transaction sender has at least 2000*0.001=2 ether. If so, subtract 2 ether from the sender's account.

  3. Initialize gas=2000; assuming the transaction is 170 bytes long and the per-byte fee is 5, subtract 850, leaving 1150 gas.

  4. Subtract 10 ether from the sender's account and add 10 ether to the contract's account.

  5. Run the code. In this case, the code is simple: it checks whether the contract's storage at index 2 is used, notices that it is not, and sets the value at index 2 to CHARLIE. Suppose this consumes 187 gas, so the remaining gas is 1150 - 187 = 963.

  6. Add 963*0.001=0.963 ether back to the sender's account, and return the resulting state.

If there is no contract at the receiving end of the transaction, then the total transaction fee is simply GASPRICE multiplied by the byte length of the transaction, and the data sent with the transaction plays no further role in the fee. Note also that contract-initiated messages can assign a gas limit to the computation they spawn, and if the sub-computation runs out of gas it reverts only to the state at the point the message was sent. Hence, just like transactions, contracts can set strict limits on the sub-computations they spawn, protecting their own computational resources.
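As an added illustration (not code from the white paper), the Python model below carries the state transition function above through the paper's own worked numbers: the registry contract from the text becomes a Python function with a constructed flat cost of 187 gas, the per-byte charge is 5, and the sender's starting balance of 100 ether is also constructed. Lowering the gas limit shows the revert path, where the miner keeps the whole fee and the storage write is undone.

```python
import copy
from dataclasses import dataclass, field
from fractions import Fraction

GAS_PER_BYTE = 5  # per-byte charge, the figure used in the worked example above


class OutOfGas(Exception):
    """Raised when execution (or the value transfer) cannot be completed."""


@dataclass
class Account:
    balance: Fraction = Fraction(0)       # ether
    nonce: int = 0
    code: object = None                   # None means externally owned account
    storage: dict = field(default_factory=dict)


@dataclass
class Tx:
    sender: str
    to: str
    value: Fraction
    startgas: int
    gasprice: Fraction
    data: list
    nonce: int
    size: int                             # byte length of the encoded transaction


def registry_code(storage, data, gas):
    """Python stand-in for the Serpent contract in the text:
    if !contract.storage[msg.data[0]]: contract.storage[msg.data[0]] = msg.data[1]
    Charges a flat 187 gas, the constructed cost used in the worked example."""
    cost = 187
    if gas < cost:
        raise OutOfGas("contract execution ran out of gas")
    if data[0] not in storage:
        storage[data[0]] = data[1]
    return gas - cost


def apply_tx(state, tx, miner="MINER"):
    """APPLY(S, TX) -> S'. Returns (new_state, gas_left); raises ValueError for a
    malformed transaction, in which case the caller keeps the old state."""
    s = copy.deepcopy(state)
    sender = s.get(tx.sender)
    # Step 1: the nonce must match the sender's account (signature check assumed).
    if sender is None or tx.nonce != sender.nonce:
        raise ValueError("unknown sender or nonce mismatch")
    # Step 2: fee = STARTGAS * GASPRICE is charged up front; nonce is incremented.
    fee = tx.startgas * tx.gasprice
    if sender.balance < fee:
        raise ValueError("balance cannot cover STARTGAS * GASPRICE")
    sender.balance -= fee
    sender.nonce += 1
    # Step 3: gas available after paying for the transaction's bytes.
    gas = tx.startgas - GAS_PER_BYTE * tx.size
    checkpoint = copy.deepcopy(s)         # the fee is already gone; the rest may revert
    try:
        if gas < 0 or sender.balance < tx.value:
            raise OutOfGas("cannot pay for bytes or transfer the value")
        # Step 4: move the value, creating the receiving account if needed,
        # then run the contract code if the recipient is a contract.
        recv = s.setdefault(tx.to, Account())
        sender.balance -= tx.value
        recv.balance += tx.value
        if recv.code is not None:
            gas = recv.code(recv.storage, tx.data, gas)
    except OutOfGas:
        # Step 5: revert everything except the fee; the miner keeps all of it.
        s = checkpoint
        s.setdefault(miner, Account()).balance += fee
        return s, 0
    # Step 6: refund unused gas to the sender, pay consumed gas to the miner.
    s[tx.sender].balance += gas * tx.gasprice
    s.setdefault(miner, Account()).balance += (tx.startgas - gas) * tx.gasprice
    return s, gas


def initial_state():
    """Constructed starting state: ALICE holds 100 ether, REGISTRY is the contract."""
    return {"ALICE": Account(balance=Fraction(100)),
            "REGISTRY": Account(code=registry_code)}


def worked_example(startgas=2000):
    """The transaction from the text: 10 ether, 2000 gas at 0.001 ether per
    unit, data [2, 'CHARLIE'], 170 bytes long. Lower startgas to see a revert."""
    tx = Tx("ALICE", "REGISTRY", Fraction(10), startgas, Fraction(1, 1000),
            [2, "CHARLIE"], nonce=0, size=170)
    return apply_tx(initial_state(), tx)
```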

Code execution

The code in Ethereum contracts is written in a low-level, stack-based bytecode language, referred to as "Ethereum virtual machine code" or "EVM code". The code consists of a series of bytes, where each byte represents an operation. In general, code execution is an infinite loop that repeatedly carries out the operation at the current program counter (which begins at zero) and then increments the program counter by one, until the end of the code is reached or an error, STOP or RETURN instruction is encountered. The operations have access to three types of space in which to store data:

● The stack, a last-in-first-out container to which 32-byte values can be pushed and from which they can be popped.

● Memory, an infinitely expandable byte array.

● The contract's long-term storage, a key/value store where both keys and values are 32 bytes. Unlike the stack and memory, which reset when the computation ends, storage persists for the long term.

The code can access the value, sender and data of the incoming message, as well as block header data, and it can also return a byte array of data as output.

The formal execution model of EVM code is surprisingly simple. While the Ethereum virtual machine is running, its full computational state can be defined by the tuple (block_state, transaction, message, code, memory, stack, pc, gas), where block_state is the global state containing all accounts with their balances and storage. At the start of every round of execution, the current instruction is found by taking the pc-th (program counter) byte of the code, and each instruction has its own definition of how it affects the tuple. For example, ADD pops two items off the stack and pushes their sum, reduces gas and increments pc by one; SSTORE pops the top two items off the stack and inserts the second item into the contract's storage at the index specified by the first item, also reducing gas by up to 200 and incrementing pc by one. Although there are many ways to optimize Ethereum via just-in-time compilation, a basic implementation of Ethereum can be done in a few hundred lines of code.
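The following toy interpreter is an added example, not the Ethereum implementation: it models the (code, memory, stack, pc, gas) portion of the tuple above for ADD, SSTORE, STOP and RETURN, with constructed opcode numbers, constructed gas costs, and a constructed one-byte PUSH and MSTORE8 so that programs can get data onto the stack and into memory. Gas is charged before each instruction, so an out-of-gas SSTORE leaves storage untouched for the caller to revert.

```python
class EVMError(Exception):
    """Out of gas, stack underflow, bad opcode: the caller reverts the call."""


# Constructed opcode numbers and gas costs for this toy; only the behaviour
# of ADD, SSTORE, STOP and RETURN follows the description in the text.
STOP, ADD, MSTORE8, SSTORE, PUSH, RETURN = 0x00, 0x01, 0x53, 0x55, 0x60, 0xF3
GAS_COST = {STOP: 0, ADD: 3, MSTORE8: 3, SSTORE: 200, PUSH: 3, RETURN: 0}
WORD = 2 ** 256                      # stack items are 32-byte words


def execute(code, storage, gas):
    """Run `code` against the contract's long-term `storage` (mutated in place).
    Returns (output_bytes, remaining_gas). Memory and stack are fresh per call."""
    stack, memory, pc = [], bytearray(), 0

    def pop2():
        if len(stack) < 2:
            raise EVMError(f"stack underflow at pc={pc}")
        return stack.pop(), stack.pop()      # (top, second)

    while pc < len(code):
        op = code[pc]
        if op not in GAS_COST:
            raise EVMError(f"unknown opcode {op:#x} at pc={pc}")
        gas -= GAS_COST[op]                  # charge before executing
        if gas < 0:
            raise EVMError("out of gas")
        if op == STOP:
            return b"", gas
        if op == PUSH:                       # one-byte immediate operand
            if pc + 1 >= len(code):
                raise EVMError("truncated PUSH")
            stack.append(code[pc + 1])
            pc += 2
            continue
        if op == ADD:
            a, b = pop2()
            stack.append((a + b) % WORD)     # 256-bit wraparound
        elif op == SSTORE:                   # top = key, second = value
            key, value = pop2()
            storage[key] = value
        elif op == MSTORE8:                  # top = offset, second = value
            offset, value = pop2()
            if offset >= len(memory):        # memory grows on demand
                memory.extend(b"\x00" * (offset + 1 - len(memory)))
            memory[offset] = value & 0xFF
        elif op == RETURN:                   # top = offset, second = length
            offset, length = pop2()
            memory.extend(b"\x00" * max(0, offset + length - len(memory)))
            return bytes(memory[offset:offset + length]), gas
        pc += 1
    return b"", gas                          # falling off the end acts as STOP


def store_sum_example(gas=300):
    """Computes 5 + 7 and stores it under key 2: PUSH 5, PUSH 7, ADD, PUSH 2, SSTORE, STOP."""
    code = bytes([PUSH, 5, PUSH, 7, ADD, PUSH, 2, SSTORE, STOP])
    storage = {}
    _output, left = execute(code, storage, gas)
    return storage, left


def return_example(gas=20):
    """Writes byte 0x41 ('A') to memory offset 0 and returns one byte from there."""
    code = bytes([PUSH, 0x41, PUSH, 0, MSTORE8, PUSH, 1, PUSH, 0, RETURN])
    return execute(code, {}, gas)
```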

Blockchain and mining

The Ethereum blockchain is in many ways similar to the Bitcoin blockchain, although it does have some differences. The main difference in blockchain architecture is that, unlike Bitcoin, Ethereum blocks contain a copy of both the transaction list and the most recent state, and also store the block number and the difficulty. The basic block validation algorithm in Ethereum is as follows:

  1. Check that the previous block referenced by the block exists and is valid.

  2. Check that the timestamp of the block is greater than that of the referenced previous block and less than 15 minutes into the future.

  3. Check that the block number, difficulty, transaction root, uncle root and gas limit (various low-level Ethereum-specific concepts) are valid.

  4. Check that the proof of work on the block is valid.

  5. Let S[0] be the STATE_ROOT of the previous block.

  6. Let TX be the block's transaction list, with n transactions. For all i in 0...n-1, set S[i+1] = APPLY(S[i],TX[i]). If any application returns an error, or if the total gas consumed in the block up to this point exceeds the GASLIMIT, return an error.

  7. Let S_FINAL be S[n], plus the block reward paid to the miner.

  8. Check whether S_FINAL is the same as the STATE_ROOT. If it is, the block is valid; otherwise, it is not valid.

This approach may seem highly inefficient at first glance, because it needs to store the entire state with each block, but in reality the efficiency of Ethereum's validation should be comparable to that of Bitcoin. The reason is that the state is stored in a tree structure, and after every block only a small part of the tree needs to change. Thus, in general, the vast majority of the tree is shared between two adjacent blocks, so the data can be stored once and referenced twice using pointers (i.e. hashes of subtrees). A special kind of tree known as a "Patricia tree" accomplishes this; it includes a modification of the Merkle tree concept that allows nodes to be inserted and deleted, not just changed. Additionally, because all of the state information is part of the last block, there is no need to store the entire blockchain history; if this strategy could be applied to Bitcoin, it can be calculated to provide 10-20x savings in storage space.


In general, there are three types of applications on top of Ethereum. The first category is financial applications, providing users with more powerful ways of managing and entering into contracts using their money. This includes sub-currencies, financial derivatives, hedging contracts, savings wallets, wills, and ultimately even some classes of full-scale employment contracts. The second category is semi-financial applications, where money is involved but there is also a heavy non-monetary side to what is being done; a perfect example is self-enforcing bounties for solutions to computational problems. Finally, there are applications such as online voting and decentralized governance that are not financial at all.

Token systems

On-chain token systems have many applications, ranging from sub-currencies representing assets such as dollars or gold, to company stocks, individual tokens representing smart property, secure unforgeable coupons, and even token systems with no ties to conventional value at all, used as point systems for incentivization. Token systems are surprisingly easy to implement in Ethereum. The key point to understand is that a currency, or token system, is fundamentally a database with one operation: subtract X units from A and add X units to B, with the provisos that (1) A had at least X units before the transaction and (2) the transaction is approved by A. All that it takes to implement a token system is to implement this logic in a contract.

The basic code for implementing a token system in Serpent looks as follows:

from = msg.sender
to = msg.data[0]
value = msg.data[1]
if contract.storage[from] >= value:
    contract.storage[from] = contract.storage[from] - value
    contract.storage[to] = contract.storage[to] + value

This is essentially a literal, minimal implementation of the "banking system" state transition function described in this document. A few extra lines of code need to be added to provide for the initial step of distributing the currency units in the first place, and for a few other edge cases; ideally a function would also be added to let other contracts query the balance of an address. But that is all there is to it. Theoretically, Ethereum-based token systems acting as sub-currencies can include an important feature that on-chain currencies built on top of Bitcoin lack: the ability to pay transaction fees directly in that currency. The way this would work is that the contract maintains an ether balance with which it refunds the ether used to pay fees by the sender, and it refills this balance by collecting the internal currency units that it takes in as fees and reselling them in a constantly running auction. Users would thus need to "activate" their accounts with ether, but once the ether is there it would be reusable, because the contract would refund it each time.

Financial derivatives and stable-value currencies

Financial derivatives are the most common application of a "smart contract", and one of the simplest to implement in code. The main challenge in implementing financial contracts is that most of them need to reference an external price ticker; for example, a very desirable application is a smart contract that hedges against the volatility of ether (or another cryptocurrency) with respect to the dollar, but doing this requires the contract to know the ether/dollar price. The simplest way to achieve this is through a "data feed" contract maintained by a specific party (for example NASDAQ), designed so that that party can update the contract as needed, and providing an interface that lets other contracts send a message to the contract and get back a response containing the price.

Given that critical ingredient, the hedging contract would look as follows:

Wait for party A to input 1000 ether.

Wait for party B to input 1000 ether.

Record the dollar value of 1000 ether, obtained by querying the data feed contract, say x dollars, in storage.

After 30 days, allow A or B to "reactivate" the contract in order to send x dollars' worth of ether (calculated by querying the data feed contract again to get the new price) to A and the rest of the ether to B.
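An added simulation (not the white paper's code) of the four-step hedge above, with a DataFeed class standing in for the data feed contract; party names and prices are constructed. It also covers the edge case the steps leave implicit: if the price falls far enough that x dollars' worth of ether exceeds the whole pool, A simply receives everything.

```python
from fractions import Fraction


class DataFeed:
    """Price feed contract maintained by a trusted party, as described above.
    The maintainer updates it; other contracts query it. Prices are USD per ETH."""

    def __init__(self, usd_per_eth):
        self.price = Fraction(usd_per_eth)

    def update(self, usd_per_eth):
        self.price = Fraction(usd_per_eth)

    def query(self):
        return self.price


class HedgeContract:
    """The four-step hedge: A and B each deposit 1000 ether; after 30 days A
    receives ether worth the recorded dollar amount x, B receives the rest."""
    DEPOSIT = Fraction(1000)     # ether per party, as in the text
    TERM_DAYS = 30

    def __init__(self, feed):
        self.feed = feed
        self.parties = []        # first depositor is A, second is B
        self.pool = Fraction(0)
        self.x_usd = None        # dollar value of 1000 ether when B deposited
        self.start_day = None
        self.settled = False

    def deposit(self, party, ether, day):
        """Steps 1 and 2: accept exactly 1000 ether from each of two parties."""
        if self.settled or len(self.parties) == 2 or party in self.parties:
            raise ValueError("contract is not accepting deposits")
        if Fraction(ether) != self.DEPOSIT:
            raise ValueError("deposit must be exactly 1000 ether")
        self.parties.append(party)
        self.pool += self.DEPOSIT
        if len(self.parties) == 2:
            # Step 3: both sides funded, record the dollar value of 1000 ether.
            self.x_usd = self.DEPOSIT * self.feed.query()
            self.start_day = day

    def reactivate(self, caller, day):
        """Step 4: either party settles after 30 days. Returns payouts in ether."""
        if len(self.parties) < 2 or self.settled:
            raise ValueError("contract is not active")
        if caller not in self.parties:
            raise PermissionError("only A or B may reactivate")
        if day < self.start_day + self.TERM_DAYS:
            raise ValueError("the 30-day term has not elapsed")
        a, b = self.parties
        total = self.pool
        owed_to_a = self.x_usd / self.feed.query()   # ether now worth x dollars
        # Edge case: the price fell so far that x dollars of ether exceeds the
        # whole pool; A receives everything and B's loss is capped at his deposit.
        pay_a = min(owed_to_a, total)
        self.settled, self.pool = True, Fraction(0)
        return {a: pay_a, b: total - pay_a}


def settle_at(start_price, end_price):
    """Constructed scenario: deposits at start_price, settled 30 days later at end_price."""
    feed = DataFeed(start_price)
    hedge = HedgeContract(feed)
    hedge.deposit("A", 1000, day=0)
    hedge.deposit("B", 1000, day=0)
    feed.update(end_price)
    return hedge.reactivate("A", day=30)
```

Every payout is computed from feed.query(), so whoever controls the feed controls the settlement; that is the trust assumption the text points out.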

Such a contract would have significant potential in crypto-commerce. One of the main problems cited about cryptocurrency is its price volatility; although many users and merchants may want the security and convenience of dealing with cryptographic assets, they may not wish to face the prospect of losing 23% of the value of their funds in a single day. Up until now, the most commonly proposed solution has been issuer-backed assets: the idea is that an issuer creates a sub-currency in which they have the right to issue and redeem units, and they provide one unit of the sub-currency to anyone who provides them (offline) with one unit of a specified underlying asset (for example gold or dollars). The issuer then promises to return one unit of the underlying asset to anyone who sends back one unit of the crypto-asset. This mechanism allows any non-cryptographic asset to be "uplifted" into a cryptographic asset, provided that the issuer can be trusted.

In practice, however, issuers are not always trustworthy, and in some cases the banking infrastructure is too fragile, or too hostile, for such a service to exist. Financial derivatives provide an alternative. Instead of a single issuer providing the reserves to back an asset, a decentralized market of speculators, betting that the price of a cryptographic asset will go up, plays that role. Unlike issuers, speculators have no option to default on their side of the bargain, because the hedging contract holds their funds in escrow. Note that this approach is not fully decentralized, because a trusted data source is still needed to provide the price; but arguably it is still a large improvement in terms of reducing infrastructure requirements (unlike being an issuer, publishing a price feed requires no license and can likely be categorized as free speech) and in reducing the potential for fraud.

Identity and reputation systems

The earliest alternative cryptocurrency of all, Namecoin, attempted to use a Bitcoin-like blockchain to provide a name registration system, where users can register their names in a public database alongside other data. The most commonly cited use case is a domain name system, mapping domain names like "bitcoin.org" (or, in Namecoin's case, "bitcoin.bit") to an IP address. Other use cases include email authentication and potentially more advanced reputation systems. Here is the basic contract for providing a Namecoin-like name registration system on Ethereum:

if !contract.storage[tx.data[0]]:
    contract.storage[tx.data[0]] = tx.data[1]

The contract is very simple; all it is is a database inside the Ethereum network that can be added to, but not modified or removed from. Anyone can register a name with some value, and that registration then sticks forever. A more sophisticated name registration contract would also have a "function clause" allowing other contracts to query it, as well as a mechanism for the "owner" of a name (i.e. the first registrant) to change the data or transfer ownership. One could even add reputation and web-of-trust functionality on top.

Decentralized storage

Over the past few years there have emerged a number of popular online file storage startups, the most prominent being Dropbox, which seek to allow users to upload a backup of their hard drive, have the service store the backup and allow the user to access it, in exchange for a monthly fee. However, at this point the file storage market is at times relatively inefficient; a cursory look at existing services shows that, particularly at the "uncanny valley" 20-200 GB level at which neither free quotas nor enterprise-level discounts kick in, monthly prices for mainstream file storage are such that you pay more than the cost of the entire hard drive in a single month. Ethereum contracts can allow for the development of a decentralized file storage ecosystem, in which individual users earn small quantities of money by renting out their own hard drives or unused network space, thereby driving down the cost of file storage.

The key underpinning piece of such a facility is what we call the "decentralized Dropbox contract". This contract works as follows. First, one splits the desired data up into blocks, encrypting each block for privacy, and builds a Merkle tree out of it. One then makes a contract with the rule that, every N blocks, the contract picks a random index in the Merkle tree (using the previous block hash, which is accessible from contract code, as a source of randomness), and gives X ether to the first entity to supply a transaction with a simplified payment verification-like (SPV) proof of ownership of the block at that particular index in the tree. When a user wants to download their file again, they can use a micropayment channel protocol (for example paying 1 szabo per 32 kilobytes) to recover the file; the most fee-efficient approach is for the payer not to publish the transaction until the end, instead replacing it after every 32 kilobytes with a slightly more lucrative transaction with the same nonce.

An important feature of the protocol is that, although it may look like one is trusting many random nodes not to decide to lose the file, one can reduce that risk by splitting the file into many pieces via secret sharing, and watching the contracts to see that each piece is still in some node's possession. If a contract is still paying out money, that provides evidence that someone out there is still storing the file.

Decentralized autonomous organization (DAO)

The general concept of a "decentralized autonomous organization" (DAO) is that of a virtual entity that has a certain set of members or shareholders which, with perhaps a 67% majority, have the right to spend the entity's funds and modify its code. The members collectively decide how the organization allocates its funds. Methods for allocating a DAO's funds could range from bounties and salaries to even more exotic mechanisms such as an internal currency to reward work. This essentially replicates the legal trappings of a traditional company or nonprofit, but using only cryptographic blockchain technology for enforcement. So far much of the talk around DAOs has been about the "capitalist" model of a "decentralized autonomous corporation" (DAC) with dividend-receiving shareholders and tradable shares; an alternative, perhaps described as a "decentralized autonomous community", would give all members an equal share in decision-making and require the agreement of a 67% majority. The requirement that one person can only have one membership would then need to be enforced collectively by the group.

A general outline for how to code a DAO is as follows. The simplest design is simply a piece of self-modifying code that changes if two thirds of the members agree on a change. Although code is theoretically immutable, one can easily get around this and obtain de facto mutability by placing chunks of the code in separate contracts and storing the addresses of the contracts to call in modifiable storage. In a simple implementation of such a DAO contract, there would be three transaction types, distinguished by the data provided in the transaction:

● [0,i,K,V] to register a proposal with index i to change the content at storage index K to value V.

● [0,i] to register a vote in favor of proposal i.

● [2,i] to finalize proposal i if enough votes have been made.

The contract would then have clauses for each of these. It would maintain a record of all open storage changes, along with a table of who voted for them, and a table of all members. When any storage change reaches the agreement of two thirds of the members, a finalizing transaction executes the change. A more sophisticated framework would also have built-in voting for features like sending a transaction, adding and removing members, and might even provide for liquid democracy-style vote delegation (i.e. anyone can assign someone to vote on their behalf, and assignment is transitive, so if A assigns B and B assigns C then C determines A's vote). This design would allow the DAO to grow organically as a decentralized community, letting people eventually delegate the task of filtering out suitable members to specialists; unlike in the current system, specialists can easily pop in and out of existence over time as individual community members change their alignments.

An alternative model is a decentralized corporation, where any account can hold zero or more shares and a decision requires the agreement of two thirds of the shares. A complete framework would include asset management functionality, the ability to submit offers to buy or sell shares and to accept such offers (preferably with an order-matching mechanism inside the contract). Delegation would also exist in the liquid democracy style, generalizing the concept of a "board of directors".

More advanced organizational governance mechanisms may be implemented in the future; for now, a decentralized organization (DO) can be described by starting from a decentralized autonomous organization (DAO). The distinction between a DO and a DAO is blurry; a general dividing line is whether governance operates through a political process or through an "automatic" process. A good intuitive test is the "no common language" criterion: can the organization still function if two of its members do not speak the same language? A simple traditional holding company clearly fails, whereas something like the Bitcoin protocol is likely to succeed. Robin Hanson's "futarchy", a mechanism for organizational governance by prediction market, is a good illustration of what a truly "autonomous" kind of governance might look like. Note that one need not assume that every DAO is superior to every DO; autonomy is merely a tool with great advantages in some specific scenarios, but a paradigm that may not work elsewhere, and many half-DAOs are possible.

Further applications

1. Savings wallets. Suppose that Alice wants to keep her funds safe, but is worried that she will lose her private key or that a hacker will steal it. She puts ether into a contract with Bob, a bank, with the following rules:

Alice alone can withdraw a maximum of 1% of the funds per day.

Bob alone can withdraw a maximum of 1% of the funds per day, but Alice can use her private key to make a transaction that shuts off Bob's withdrawal right.

Alice and Bob together can withdraw anything.

Normally, 1% per day is enough for Alice, and if Alice wants to withdraw more she can contact Bob for help. If Alice's key gets hacked, she can go to Bob immediately to move her funds to a new contract. If she loses her key, Bob can get the funds out slowly over time. If Bob turns out to be malicious, she can turn off his ability to withdraw.
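The rules above, as an added Python model that is not part of the white paper; the daily cap is taken as 1% of the funds currently in the contract, and the names, balances and day numbers are constructed.

```python
from fractions import Fraction


class SavingsWallet:
    """Toy model of the Alice/Bob contract: each alone may take at most 1% of
    the funds per day, Alice may revoke Bob, both together may take anything."""
    DAILY_FRACTION = Fraction(1, 100)

    def __init__(self, alice, bob, balance):
        self.alice, self.bob = alice, bob
        self.balance = Fraction(balance)
        self.bob_enabled = True
        self.taken = {}              # (signer, day) -> ether withdrawn that day

    def revoke_bob(self, signer):
        """Only a transaction signed by Alice's key switches off Bob's right."""
        if signer != self.alice:
            raise PermissionError("only Alice can revoke Bob")
        self.bob_enabled = False

    def withdraw(self, signers, amount, day):
        """Apply the three rules; returns the balance left in the contract."""
        amount = Fraction(amount)
        signers = frozenset(signers)
        if amount <= 0 or amount > self.balance:
            raise ValueError("bad amount")
        if signers == {self.alice, self.bob}:        # joint: no limit
            self.balance -= amount
            return self.balance
        if len(signers) != 1 or not signers <= {self.alice, self.bob}:
            raise PermissionError("unknown signer")
        (who,) = signers
        if who == self.bob and not self.bob_enabled:
            raise PermissionError("Bob's withdrawal right has been revoked")
        # Daily cap: 1% of the current funds, counting what was already taken today.
        key = (who, day)
        limit = self.balance * self.DAILY_FRACTION
        already = self.taken.get(key, Fraction(0))
        if already + amount > limit:
            raise PermissionError("over the 1% daily limit")
        self.taken[key] = already + amount
        self.balance -= amount
        return self.balance


def scenario():
    """Constructed walk-through of the rules; returns the final balance."""
    w = SavingsWallet("Alice", "Bob", 10000)
    w.withdraw(["Alice"], 100, day=1)            # 1% of 10000: allowed
    try:
        w.withdraw(["Alice"], 1, day=1)          # already at today's cap
    except PermissionError:
        pass
    w.withdraw(["Bob"], 99, day=1)               # 1% of the remaining 9900
    w.revoke_bob("Alice")                        # Bob turned out to be a problem
    try:
        w.withdraw(["Bob"], 1, day=2)            # revoked
    except PermissionError:
        pass
    w.withdraw(["Alice", "Bob"], 5000, day=2)    # joint: any amount
    return w.balance
```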

2. Crop insurance. One can easily make a financial derivatives contract that uses a data feed of the weather instead of any price index. If a farmer in Iowa purchases a derivative that pays out inversely based on the precipitation in Iowa, then if there is a drought the farmer automatically receives money, and if there is enough rain the farmer will be happy because their crops would do well.

3. A decentralized data feed. For financial contracts for difference, it may actually be possible to decentralize the data feed via a protocol based on the "Schelling point". The idea works as follows: N parties each input into the system the value of a given datum (for example the ETH/USD price), the values are sorted, and everyone whose value lies between the 25th and 75th percentile is rewarded. Everyone has the incentive to provide the answer that everyone else will provide, and the only value that a large number of players can realistically agree on is the obvious default: the truth. This creates a decentralized protocol that can theoretically provide any number of values, including the ETH/USD price, the temperature in Berlin or even the result of a particularly hard computation.

4. Smart multisignature escrow. Bitcoin allows multisignature transaction contracts where, for example, three of a given five keys can spend the funds. Ethereum allows for more granularity; for example, four of five can spend everything, three of five can spend up to 10% per day, and two of five can spend up to 0.5% per day. Additionally, Ethereum multisig is asynchronous: the parties can register their signatures on the blockchain at different times, and the last signature to be placed automatically sends the transaction.

5. Cloud computing. EVM technology can also be used to create a verifiable computing environment, allowing users to ask others to carry out computations and then optionally ask for proofs that the computations were carried out correctly at certain randomly selected checkpoints. This allows for the creation of a cloud computing market where any user can participate with their desktop, laptop or specialized server, and spot-checking together with security deposits can be used to ensure that the system is trustworthy (i.e. that no node can profitably cheat). Such a system may not be suitable for all tasks; tasks that require a high level of inter-process communication, for example, cannot easily be done on a large cloud of nodes. Other tasks, however, are much easier to parallelize; projects like SETI@home, folding@home and genetic algorithms can easily be implemented on top of such a platform.

6. Peer-to-peer gambling. Any number of peer-to-peer gambling protocols, such as Frank Stajano and Richard Clayton's Cyberdice, can be implemented on the Ethereum blockchain. The simplest gambling protocol is actually simply a contract for difference on the next block hash, and more advanced protocols can be built up from there, creating gambling services with near-zero fees that have no ability to cheat.

7. Prediction markets. Provided an oracle or a SchellingCoin, prediction markets are also easy to implement, and prediction markets together with SchellingCoin may prove to be the first mainstream application of "futarchy" as a governance protocol for decentralized organizations.

8. Decentralized on-chain marketplaces, using the identity and reputation system as a base.

Miscellanea and concerns

Modified GHOST implementation

The "Greedy Heaviest Observed Subtree" (GHOST) protocol is an innovation introduced by Yonatan Sompolinsky and Aviv Zohar in December 2013. The motivation behind GHOST is that blockchains with fast confirmation times currently suffer from reduced security due to a high stale rate: because blocks take a certain time (call it t) to propagate through the network, if miner A mines a block and then miner B happens to mine another block before A's block propagates to B, miner B's block will be wasted and will not contribute to network security. Furthermore, there is a centralization issue: if miner A is a mining pool with 30% of the network's hashpower and B has 10%, then A faces the risk of producing a stale block 70% of the time, whereas B faces that risk 90% of the time. Thus, if the stale rate is high, A will be substantially more efficient simply by virtue of its larger share of hashpower. Combining these two effects, a blockchain that produces blocks quickly is very likely to lead to one mining pool having a large enough share of hashpower to have de facto control over the mining process.

As described by Sompolinsky and Zohar, GHOST solves the first issue, the loss of network security, by including stale blocks in the calculation of which chain is the "longest"; that is, not just the parent and further ancestors of a block, but also the stale descendants of the block's ancestors (in Ethereum jargon, "uncles") are added to the calculation of which block has the largest total proof of work backing it. To solve the second issue, the centralization bias, we go beyond the protocol described by Sompolinsky and Zohar: Ethereum also pays rewards to uncles. A stale block that is included in a new block's confirmation receives 87.5% of its base reward, and the "nephew" that includes it receives the remaining 12.5%. Transaction fees, however, are not awarded to uncles.

Ethereum implements a simplified version of GHOST which only goes down five levels. Specifically, a stale block can only be included as an uncle by the 2nd to 5th generation descendant of its parent, and not by any more distant relative (for example the 6th generation descendant of its parent, or the 3rd generation descendant of its grandparent). This was done for several reasons. First, unlimited GHOST would introduce too much complexity into the calculation of which uncles of a given block are valid. Second, unlimited GHOST with the compensation used in Ethereum removes the incentive for a miner to mine on the main chain rather than on a public attacker's chain. Finally, calculations show that five-level GHOST with incentivization is over 95% efficient even with a 15 s block time, and that a miner with 25% of the hashpower gains a centralization benefit of under 3%.


Because every transaction published into the blockchain imposes on the network the cost of downloading and verifying it, there is a need for some regulatory mechanism, typically involving transaction fees, to prevent abuse. The default approach, used in Bitcoin, is purely voluntary fees, relying on miners to act as gatekeepers and set dynamic minimums. This approach has been received very favorably in the Bitcoin community because it is "market-based", letting supply and demand between miners and transaction senders determine the price. The problem with this line of reasoning, however, is that transaction processing is not a market; although it is intuitively attractive to construe transaction processing as a service that the miner offers to the sender, in reality every transaction that a miner includes needs to be processed by every node in the network, so the vast majority of the cost of transaction processing is borne by third parties and not by the miner who decides whether or not to include it. Hence, a tragedy of the commons is very likely to occur.

However, as it turns out, this flaw in the market-based mechanism magically cancels itself out when a particular, inaccurate simplifying assumption is made. The argument is as follows. Suppose that:

  1. A transaction leads to k operations, offering the reward kR to any miner that includes it, where R is set by the sender and k and R are (roughly) visible to the miner beforehand.

  2. An operation has a processing cost of C to any node (i.e. all nodes have equal efficiency).

  3. There are N mining nodes, each with exactly equal processing power (i.e. 1/N of the total).

  4. No non-mining full nodes exist.

A miner would be willing to process a transaction if the expected reward is greater than the cost. Since the miner has a 1/N chance of processing the next block, the expected reward is kR/N, and the miner's processing cost is simply kC. Hence, miners will include transactions where kR/N > kC, or R > NC. Note that R is the per-operation fee provided by the sender, and is thus a lower bound on the benefit of the transaction to its sender, while NC is the cost to the entire network of processing an operation. Hence, miners have the incentive to include only those transactions whose total benefit exceeds the cost.

However, there are several important deviations from these assumptions in reality:

1. The miner pays a higher cost to process the transaction than the other verifying nodes, since the extra verification time delays block propagation and thus increases the chance that the block will become stale.

2. Non-mining full nodes do exist.

3. The mining power distribution may end up radically inegalitarian in practice.

4. Speculators, political enemies and crazies whose utility function includes causing harm to the network do exist, and they can cleverly set up contracts where their cost is much lower than the cost paid by the other verifying nodes.

Point (1) gives the miner a tendency to include fewer transactions, and point (2) increases NC; hence, these two effects at least partially cancel each other out. Points (3) and (4) are the major issue. To solve them we simply institute a floating cap: no block can have more operations than BLK_LIMIT_FACTOR times the long-term exponential moving average. Specifically:

blk.oplimit = floor((blk.parent.oplimit * (EMA_FACTOR - 1) + floor(parent.opcount * BLK_LIMIT_FACTOR)) / EMA_FACTOR)

BLK_LIMIT_FACTOR and EMA_FACTOR are constants that will be set to 65536 and 1.5 for the time being, but will likely be changed after further analysis.
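The update rule above, implemented and simulated as an added example (this is not code from the white paper or from any Ethereum client). The two constants are left as parameters; the provisional values named above were 65536 and 1.5, and the smaller factor used in the sample runs below is only there to keep the numbers readable. Assumed in addition: a block can never exceed its own limit, which is what makes the per-block growth a stuffing miner can force bounded.

```python
# Added illustration (not from the white paper or any client): the floating block
# operation limit exactly as written above, and a short simulation of where it settles.
# The two constants are parameters; 65536 and 1.5 were the provisional values given.
import math


def next_oplimit(parent_oplimit, parent_opcount, blk_limit_factor, ema_factor):
    """blk.oplimit for a block whose parent had oplimit `parent_oplimit` and
    actually contained `parent_opcount` operations."""
    return math.floor((parent_oplimit * (ema_factor - 1)
                       + math.floor(parent_opcount * blk_limit_factor)) / ema_factor)


def simulate(oplimit0, opcounts, blk_limit_factor, ema_factor):
    """Walk a chain: opcounts[i] is what the miner of block i tried to include.
    Assumption: a block may never exceed its own limit, so a stuffing miner is
    capped at it and can only raise the next limit by (e-1+f)/e per block."""
    limits, limit = [], oplimit0
    for wanted in opcounts:
        included = min(wanted, limit)
        limit = next_oplimit(limit, included, blk_limit_factor, ema_factor)
        limits.append(limit)
    return limits


def steady_state(avg_opcount, blk_limit_factor):
    """Fixed point of L = (L*(e-1) + c*f)/e, which is L = c*f independently of e:
    the cap tracks f times the long-run average block size."""
    return avg_opcount * blk_limit_factor


if __name__ == "__main__":
    # Usage is a constant 100 ops per block: the cap decays from 1000 toward 200 = 2 * 100.
    print(simulate(1000, [100] * 10, 2, 1.5))
    # A miner stuffs every block to its cap: growth per block is at most (0.5 + 2) / 1.5.
    print(simulate(1000, [10**9] * 3, 2, 1.5))
```

With constant usage c the sequence converges to f times c regardless of the EMA factor, and with every block stuffed to the cap the cap grows geometrically but by a fixed ratio per block, so a long run of blocks is needed to move it far.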

Computation and Turing-Completeness

An important note is that the Ethereum virtual machine is Turing-complete; this means that EVM code can encode any computation that can conceivably be carried out, including infinite loops. EVM code allows looping in two ways. First, there is a JUMP instruction that lets the program jump back to a previous spot in the code, and a JUMPI instruction for conditional jumps, allowing statements like while x < 27: x = x * 2. Second, contracts can call other contracts, potentially allowing looping through recursion. This naturally leads to a problem: can malicious users essentially shut miners and full nodes down by forcing them into an infinite loop? The issue arises because of a problem in computer science known as the halting problem: in the general case there is no way to tell whether or not a given program will ever halt.

As described in the state transition section, our solution works by requiring a transaction to set a maximum number of computational steps it is allowed to take; if execution exceeds that, the computation is reverted but the fees are still paid. Messages work in the same way. To show the motivation behind this solution, consider the following examples:

An attacker creates a contract which runs an infinite loop, and then sends a transaction activating that loop to the miner. The miner processes the transaction, running the infinite loop until it runs out of gas. Even though execution runs out of gas and stops halfway through, the transaction is still valid (it is reverted) and the miner still claims the fee from the attacker for each computational step.

An attacker creates a very long infinite loop with the intent of forcing the miner to keep computing for so long that by the time the computation finishes a few more blocks will have come out and it will no longer be possible for the miner to include the transaction and claim the fee. However, the attacker is required to submit a STARTGAS value limiting the number of computational steps execution can take, so the miner knows ahead of time that the computation will take an excessively large number of steps.

An attacker sees a contract with code of the form send(A, contract.storage[A]); contract.storage[A] = 0, and sends a transaction with just enough gas to run the first step but not the second (ie. make a withdrawal without letting the balance go down). The contract author does not need to worry about protecting against such attacks, because if execution stops halfway through, all changes are reverted.

A financial contract works by taking the median of nine proprietary data feeds in order to minimize risk. An attacker takes over one of the data feeds, which is designed to be modifiable via the variable-address-call mechanism described in the section on DAOs, and converts it to run an infinite loop, thereby attempting to force any attempt to claim funds from the financial contract to run out of gas. However, the financial contract can set a gas limit on the message to prevent this problem.

The alternative to Turing-completeness is Turing-incompleteness, where JUMP and JUMPI do not exist and only one copy of each contract is allowed to exist in the call stack at any given time. With such a system, the fee system described above and the uncertainties around the effectiveness of our solution might not be necessary, as the cost of executing a contract would be bounded above by its size. Additionally, Turing-incompleteness is not even that big a limitation; out of all the contract examples we have conceived internally, so far only one required a loop, and even that loop could be removed by making 26 repetitions of a one-line piece of code. Given the serious implications of Turing-completeness and the limited benefit, why not simply have a Turing-incomplete language? In reality, however, Turing-incompleteness is far from a neat solution to the problem. To see why, consider the following contracts:

C0: call(C1); call(C1);
C1: call(C2); call(C2);
C2: call(C3); call(C3);
...
C49: call(C50); call(C50);
C50: (run one step of a program and record the change in storage)

Now, send a transaction to C0. Thus, in 51 transactions, we have a contract that takes 2^50 computational steps. Miners could try to detect such logic bombs ahead of time by maintaining a value alongside each contract specifying the maximum number of computational steps it can take, and calculating this for contracts that call other contracts recursively, but that would require miners to forbid contracts that create other contracts (since the creation and execution of all of the contracts above could easily be rolled into a single contract). Another problematic point is that the address field of a message is a variable, so in general it is not even possible to tell ahead of time which other contracts a given contract will call. Hence, all in all, we arrive at a surprising conclusion: Turing-completeness is surprisingly easy to manage, and the lack of Turing-completeness is equally surprisingly difficult to manage unless the exact same controls are in place; but in that case, why not just let the protocol be Turing-complete?
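The gas-metering argument of this section, from the "revert but still charge" rule through the withdraw-without-debit attack and the C0..C50 call chain, as an added example in a toy interpreter. This is not the EVM and not code from the white paper or any Ethereum client: the opcode set, the flat cost of one gas unit per instruction, and the rule that a nested CALL draws on the caller's STARTGAS pool are simplifying assumptions, and the contract addresses, storage keys and balances are constructed. The call-chain run uses depth 10 instead of 50 so that it finishes; the step count 8 * 2^depth - 3 follows from three steps per intermediate contract and five per leaf.

```python
# Added illustration: a toy gas-metered interpreter. It is NOT the EVM or any
# Ethereum client code; the opcode set, the flat cost of 1 gas per step and the
# rule that a nested CALL draws on the caller's gas are simplifying assumptions.
from copy import deepcopy


class OutOfGas(Exception):
    """Raised when the transaction's STARTGAS budget is exhausted."""


class ToyVm:
    def __init__(self, contracts):
        self.contracts = contracts   # address -> list of (opcode, *args) tuples
        self.gas = 0

    def _step(self):
        # Every instruction costs one unit, and the sender pays for every step
        # actually taken, including the steps of a transaction that is reverted.
        if self.gas <= 0:
            raise OutOfGas
        self.gas -= 1

    def _exec(self, addr, state, stack):
        code, pc = self.contracts[addr], 0
        while pc < len(code):
            self._step()
            op, *args = code[pc]
            pc += 1
            if op == "PUSH":
                stack.append(args[0])
            elif op in ("ADD", "MUL", "LT"):
                b, a = stack.pop(), stack.pop()
                stack.append({"ADD": a + b, "MUL": a * b, "LT": int(a < b)}[op])
            elif op == "JUMP":            # unconditional jump, backwards allowed
                pc = args[0]
            elif op == "JUMPI":           # jump only if the popped condition is non-zero
                if stack.pop():
                    pc = args[0]
            elif op == "SLOAD":
                stack.append(state["storage"].get(args[0], 0))
            elif op == "SSTORE":
                state["storage"][args[0]] = stack.pop()
            elif op == "SEND":            # pay the popped amount from this contract to args[0]
                amount = stack.pop()
                if state["balance"].get(addr, 0) < amount:
                    raise ValueError("insufficient balance")
                state["balance"][addr] -= amount
                state["balance"][args[0]] = state["balance"].get(args[0], 0) + amount
            elif op == "CALL":            # callee runs on the same STARTGAS pool
                self._exec(args[0], state, [])
            elif op == "STOP":
                return
            else:
                raise ValueError("unknown opcode %r" % op)

    def transact(self, addr, state, startgas):
        """Run contract `addr` atomically: returns (resulting state, gas charged, succeeded)."""
        self.gas = startgas
        work = deepcopy(state)             # all writes go to a scratch copy ...
        try:
            self._exec(addr, work, [])
        except OutOfGas:
            return state, startgas, False  # ... discarded on failure, but the gas is still paid
        return work, startgas - self.gas, True


# "while x < 27: x = x * 2" as a JUMPI loop over storage slot "x"
DOUBLE_LOOP = [("SLOAD", "x"), ("PUSH", 27), ("LT",), ("JUMPI", 5), ("STOP",),
               ("SLOAD", "x"), ("PUSH", 2), ("MUL",), ("SSTORE", "x"), ("JUMP", 0)]

# The attacker's target "send(A, contract.storage[A]); contract.storage[A] = 0"
WITHDRAW = [("SLOAD", "A"), ("SEND", "A"), ("PUSH", 0), ("SSTORE", "A"), ("STOP",)]


def run_loop(startgas, x0=1):
    vm = ToyVm({"loop": DOUBLE_LOOP})
    new, used, ok = vm.transact("loop", {"storage": {"x": x0}, "balance": {}}, startgas)
    return new["storage"]["x"], used, ok


def run_withdraw(startgas):
    vm = ToyVm({"bank": WITHDRAW})
    state = {"storage": {"A": 30}, "balance": {"bank": 100, "A": 0}}   # constructed
    new, used, ok = vm.transact("bank", state, startgas)
    return new["balance"]["A"], new["storage"]["A"], used, ok


def call_bomb(depth):
    """C0..C{depth-1} each call the next contract twice; the leaf increments slot 'n'."""
    contracts = {"C%d" % i: [("CALL", "C%d" % (i + 1)), ("CALL", "C%d" % (i + 1)), ("STOP",)]
                 for i in range(depth)}
    contracts["C%d" % depth] = [("SLOAD", "n"), ("PUSH", 1), ("ADD",), ("SSTORE", "n"), ("STOP",)]
    return contracts


def run_bomb(depth, startgas):
    vm = ToyVm(call_bomb(depth))
    new, used, ok = vm.transact("C0", {"storage": {}, "balance": {}}, startgas)
    return new["storage"].get("n", 0), used, ok


if __name__ == "__main__":
    print(run_loop(100), run_loop(20))          # loop finishes in 50 steps; 20 gas is charged and reverted
    print(run_withdraw(5), run_withdraw(2))     # 2 gas pays for SLOAD+SEND, then everything is rolled back
    print(run_bomb(10, 8189), run_bomb(10, 8188))  # 8*2**10-3 steps: one unit short and nothing lands
```

The two things to notice are that run_withdraw(2) charges the attacker and leaves both the balance and the storage slot untouched, and that the call chain is halted by STARTGAS without anyone having to predict its 2^depth leaf executions in advance.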

Currency and Issuance

The Ethereum network includes its own built-in currency, ether, which serves the dual purpose of providing a primary liquidity layer for efficient exchange between various types of digital assets and, more importantly, of providing a mechanism for paying transaction fees. For convenience and to avoid future argument (see the current mBTC/uBTC/satoshi debate in Bitcoin), the denominations will be pre-labelled:

●1: wei

●10^12: szabo

●10^15: finney

●10^18: ether

This should be taken as an expanded version of the concept of "dollars" and "cents" or "BTC" and "satoshi". In the near future, we expect "ether" to be used for ordinary transactions, "finney" for microtransactions, and "szabo" and "wei" for technical discussions around fees and protocol implementation.

The issuance model will be as follows:

● Ether will be released in a currency sale at a price of 1337-2000 ether per BTC, a mechanism intended to fund the Ethereum organization and pay for development that has been used with success by other cryptocurrency platforms. Earlier buyers will benefit from larger discounts. The BTC received from the sale will be used entirely to pay salaries and bounties to developers and researchers, and invested into projects in the cryptocurrency ecosystem.

● 0.099x (where x is the total amount of ether sold) will be allocated to early contributors who helped with development before the BTC financing succeeded or other deterministic funding was in place, and another 0.099x will be allocated to a long-term research fund.

● 0.26x (where x is the total amount of ether sold) will be mined by miners every year forever after launch.

Issuance breakdown

The permanent linear supply growth model reduces the risk of what some see as excessive wealth concentration in Bitcoin, and gives individuals living in present and future eras a fair chance to acquire currency units, while at the same time retaining a strong incentive to obtain and hold ether, because the "supply growth rate" as a percentage still tends to zero over time. We also theorize that because coins are always lost over time due to carelessness, death and so on, and coin loss can be modelled as a fixed percentage of the total supply per year, the total currency supply in circulation will in fact eventually stabilize at a value equal to the annual issuance divided by the loss rate (eg. at a loss rate of 1%, once the supply reaches 30x then 0.3x will be mined and 0.3x lost every year, creating an equilibrium).
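Where that equilibrium comes from, as an added derivation that is not part of the original text. Let $I$ be the constant annual issuance and $r$ the fraction of the outstanding supply lost each year, both assumed constant, and let $S_t$ be the supply after year $t$:

$$S_{t+1} = (1 - r)\,S_t + I$$

A fixed point $S^*$ satisfies $S^* = (1 - r)S^* + I$, so $r S^* = I$ and $S^* = I / r$. Subtracting the fixed-point equation from the recurrence gives $S_{t+1} - S^* = (1 - r)(S_t - S^*)$, hence

$$S_t = S^* + (S_0 - S^*)(1 - r)^t \longrightarrow S^* = \frac{I}{r} \quad (t \to \infty)$$

for any $0 < r < 1$, whatever the starting supply $S_0$. With $I = 0.3x$ and $r = 0.01$ this is $S^* = 30x$, the figure used above; with the $0.26x$ annual issuance listed in the issuance model it would be $26x$.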

Despite the linear issuance model, just as with Bitcoin, the supply growth rate of ether tends to zero in the long term.

Mining Centralization

The Bitcoin mining algorithm works by having miners hash slightly modified versions of the block header over and over again, thousands of times, until one node comes up with a version whose hash is less than the target (currently around 2^190). However, this mining algorithm is vulnerable to two forms of centralization. First, the mining ecosystem has come to be dominated by ASICs (application-specific integrated circuits), chips designed for, and therefore thousands of times more efficient at, the specific task of Bitcoin mining. This means that Bitcoin mining is no longer a highly decentralized and egalitarian pursuit; effective participation requires a large amount of capital. Second, most Bitcoin miners no longer perform block validation locally; instead, they rely on a centralized mining pool to provide the block headers. This problem is arguably worse: as of the time of writing, the two largest mining pools indirectly control roughly 50% of the processing power in the network, although this is mitigated by the fact that miners can switch to other pools if a pool or coalition attempts a 51% attack.

The current intent at Ethereum is to use a mining algorithm based on randomly generating a unique hash function every 1000 nonces, with a sufficiently wide array of computation to remove the benefit of specialized hardware. Such a strategy will certainly not reduce the gain from centralization to zero, but it does not need to. Note that each individual user can perform a certain amount of mining on their personal laptop or desktop at nearly zero cost, but beyond 100% CPU utilization any additional mining requires them to pay for both power and hardware. ASIC mining companies need to pay for power and hardware from the very first hash. Hence, if the gain from centralization can be kept below (E + H) / E (taking E and H as the electricity and hardware costs of mining), then even if ASICs are made there is still room for ordinary miners. Additionally, we intend to design the mining algorithm so that mining requires access to the entire blockchain, forcing miners to store the entire blockchain and at least be capable of verifying every transaction. This removes the need for centralized mining pools; although pools can still serve the legitimate role of evening out the randomness of reward distribution, this function can be served equally well by peer-to-peer pools with no central control. Even if most ordinary users still prefer light clients, this also helps resist centralization by increasing the number of full nodes in the network.


Scalability

One common concern about Ethereum is scalability. Like Bitcoin, Ethereum suffers from the flaw that every transaction needs to be processed by every node in the network. With Bitcoin, the current blockchain is about 20 GB in size, growing by about 1 MB per hour. If the Bitcoin network were to process Visa's 2000 transactions per second, it would grow by 1 MB every three seconds (1 GB per hour, 8 TB per year). Ethereum is likely to suffer a similar or even worse growth pattern, because there will be many applications on top of the Ethereum blockchain instead of just a currency as with Bitcoin; this is ameliorated, however, by the fact that Ethereum full nodes need to store only the state instead of the entire blockchain history.

The problem with such a large blockchain is centralization risk. If the blockchain size increases to, say, 100 TB, the likely scenario is that only a very small number of large businesses would run full nodes, with all regular users using light SPV nodes. In such a situation there arises the concern that the full nodes could band together and agree to cheat in some profitable fashion (eg. change the block reward, give themselves BTC). Light nodes would have no way of detecting this immediately. Of course, at least one honest full node would likely exist, and after a few hours information about the fraud would trickle out through channels like Reddit, but at that point it would be too late: it would be up to ordinary users to organize an effort to blacklist the given blocks, a massive and likely infeasible coordination problem on a similar scale to that of pulling off a successful 51% attack. In the case of Bitcoin this is currently a problem, but a blockchain modification suggested by Peter Todd would alleviate it.

In the near term, Ethereum will use two additional strategies to cope with this problem. First, because of the blockchain-based mining algorithm, every miner at least will be forced to be a full node, creating a lower bound on the number of full nodes. Second and more importantly, we will include an intermediate state tree root in the blockchain after processing each transaction. Even if block validation is centralized, as long as one honest verifying node exists, the centralization problem can be circumvented via a verification protocol. If a miner publishes an invalid block, that block must either be badly formatted or have an incorrect final state S[n]. Since S[0] is known to be correct, there must be some first state S[i] that is incorrect while S[i-1] is correct. The verifying node provides the index i, together with the subset of Patricia tree nodes needed to process APPLY(S[i-1],TX[i]) -> S[i]. Other nodes can use those tree nodes to run that part of the computation and see that the S[i] they obtain does not match the S[i] provided.

Another, more sophisticated, attack involves malicious miners publishing incomplete blocks, so that the full information does not even exist to determine whether or not the blocks are valid. The solution to this is a challenge-response protocol: verification nodes issue "challenges" in the form of target transaction indices, and a light node receiving such a challenge treats the block as untrusted until another node, whether the miner or another verifier, provides the subset of Patricia tree nodes as a proof of validity.
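The verification protocol of the two paragraphs above, as an added example that is not Ethereum client code and not part of the original paper. Simplifications, all of them assumptions of this example: the state is a flat account-to-balance dict, its "root" is a SHA-256 of the canonical JSON encoding rather than a Patricia tree root, and the proof of invalidity carries the whole pre-state S[i-1] instead of the subset of tree nodes that TX[i] touches. The genesis state and transactions are constructed. The incomplete-block case is not modelled: the block is assumed to be fully available to the verifier.

```python
# Added illustration of the per-transaction state-root verification protocol; not
# Ethereum client code. The flat dict state, the SHA-256-of-JSON "root" and the
# full pre-state in the proof are stand-ins for the Patricia tree and its node subset.
import hashlib
import json
from copy import deepcopy


def state_root(state):
    """Commitment to a state (stand-in for the Patricia tree root)."""
    return hashlib.sha256(json.dumps(state, sort_keys=True).encode()).hexdigest()


def apply_tx(state, tx):
    """APPLY(S, TX) -> S': a plain value transfer; an overdraft makes the tx invalid."""
    if state.get(tx["from"], 0) < tx["value"]:
        raise ValueError("insufficient balance")
    new = dict(state)
    new[tx["from"]] -= tx["value"]
    new[tx["to"]] = new.get(tx["to"], 0) + tx["value"]
    return new


def make_block(genesis, txs):
    """Miner: publish the transactions together with the intermediate roots S[0] .. S[n]."""
    states = [genesis]
    for tx in txs:
        states.append(apply_tx(states[-1], tx))
    return {"txs": txs, "roots": [state_root(s) for s in states]}, states


def first_bad_index(block, genesis):
    """Full node: replay the block; return the first i whose root is wrong, or None if valid."""
    state = genesis
    if state_root(state) != block["roots"][0]:
        return 0
    for i, tx in enumerate(block["txs"], start=1):
        try:
            state = apply_tx(state, tx)
        except ValueError:
            return i
        if state_root(state) != block["roots"][i]:
            return i
    return None


def fraud_proof(states, i):
    """Honest verifier: the index i plus the data needed to recompute APPLY(S[i-1], TX[i])."""
    return {"index": i, "pre_state": states[i - 1]}


def verify_fraud_proof(block, proof):
    """Light client: accept only if pre_state matches the committed roots[i-1] and re-running
    TX[i] contradicts roots[i]. Faking this would require a collision on state_root."""
    i, pre = proof["index"], proof["pre_state"]
    if i < 1 or i >= len(block["roots"]) or state_root(pre) != block["roots"][i - 1]:
        return False
    try:
        post = apply_tx(pre, block["txs"][i - 1])
    except ValueError:
        return True                      # TX[i] is invalid, so any claimed S[i] is fraudulent
    return state_root(post) != block["roots"][i]


# Constructed sample chain
GENESIS = {"alice": 100, "bob": 0}
TXS = [{"from": "alice", "to": "bob", "value": 30},
       {"from": "bob", "to": "carol", "value": 10}]


def honest_case():
    block, _ = make_block(GENESIS, TXS)
    return first_bad_index(block, GENESIS)


def fraud_case():
    """A miner commits to an S[2] that credits bob with coins no transaction moved."""
    block, states = make_block(GENESIS, TXS)
    bad = deepcopy(block)
    bad["roots"][2] = state_root({"alice": 70, "bob": 1000, "carol": 10})
    i = first_bad_index(bad, GENESIS)
    good_proof = verify_fraud_proof(bad, fraud_proof(states, i))
    bogus_proof = verify_fraud_proof(bad, {"index": i, "pre_state": GENESIS})
    return i, good_proof, bogus_proof


if __name__ == "__main__":
    print(honest_case())   # None: every intermediate root checks out
    print(fraud_case())    # (2, True, False): S[2] is the first bad state; only the real pre-state proves it
```

The point of committing a root after every transaction is visible in verify_fraud_proof: the light client re-executes exactly one transaction, not the block, and the prover cannot point it at a fabricated starting state because that state must hash to the root the miner already committed to.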

Decentralized Applications

The contract mechanism described above allows anyone to build what is essentially a command-line application, run on a virtual machine that is executed by consensus across the entire network, and able to modify a globally accessible state as its "hard drive". However, for most people the command-line interface that is the transaction-sending mechanism is not sufficiently user-friendly to make decentralization an attractive alternative. To this end, a complete "decentralized application" should consist of both low-level business-logic components (whether implemented entirely on Ethereum, using a combination of Ethereum and other systems such as a P2P messaging layer, one of which is currently planned to be put into the Ethereum client, or other systems entirely) and high-level graphical user interface components. The Ethereum client is designed to serve as a web browser, but with support for an "eth" Javascript API object, which specialized web pages viewed in the client can use to interact with the Ethereum blockchain. From the point of view of the "traditional" web, these pages are entirely static content, since the blockchain and other decentralized protocols completely replace the server for the purpose of handling user-initiated requests. Eventually, decentralized protocols, hopefully using Ethereum in some way, could be used to store the web pages themselves.


Conclusion

The Ethereum protocol was originally conceived as an upgraded version of a cryptocurrency, providing advanced features such as on-blockchain escrow, withdrawal limits, financial contracts and gambling markets via a highly generalized programming language. The Ethereum protocol does not "support" any of these applications directly, but the existence of a Turing-complete programming language means that arbitrary contracts can, in theory, be created for any transaction type or application. What is more interesting about Ethereum, however, is that the protocol moves far beyond just currency. Protocols and decentralized applications around decentralized file storage, decentralized computation and decentralized prediction markets, among dozens of other such concepts, have the potential to substantially increase the efficiency of the computing industry, and to provide a massive boost to other peer-to-peer protocols by adding, for the first time, an economic layer. Finally, there is also a substantial array of applications that have nothing to do with money at all.

The concept of an arbitrary state transition function as implemented by the Ethereum protocol provides a platform with unique potential; rather than being a closed-ended, single-purpose protocol intended for a specific array of applications in data storage, gambling or finance, Ethereum is open-ended by design, and we believe it is extremely well suited to serve as a foundational layer for a very large number of both financial and non-financial protocols in the years to come.

Notes and Further Reading


1. A sophisticated reader may notice that a Bitcoin address is in fact the hash of the elliptic curve public key, and not the public key itself. However, it is perfectly legitimate cryptographic terminology to refer to the pubkey hash as a public key. This is because Bitcoin's cryptography can be considered a custom digital signature algorithm, where the public key consists of the hash of the ECC pubkey, the signature consists of the ECC pubkey concatenated with the ECC signature, and the verification algorithm involves checking the ECC pubkey in the signature against the ECC pubkey hash provided as the public key and then verifying the ECC signature against the ECC pubkey.

2. Technically, the median of the 11 previous blocks.

3. Internally, 2 and "CHARLIE" are both numbers, the latter in big-endian base-256 representation. Numbers can be at least 0 and at most 2^256-1.

Further reading

  1. Intrinsic value: https://tinyurl.com/BitcoinMag-IntrinsicValue
  2. Smart property: https://en.bitcoin.it/wiki/Smart_Property
  3. Smart contracts: https://en.bitcoin.it/wiki/Contracts
  4. B-money: http://www.weidai.com/bmoney.txt
  5. Reusable proofs of work: http://www.finney.org/~hal/rpow/
  6. Secure property titles with owner authority: http://szabo.best.vwh.net/securetitle.html
  7. Bitcoin whitepaper: http://bitcoin.org/bitcoin.pdf
  8. Namecoin: https://namecoin.org/
  9. Zooko’s triangle: http://en.wikipedia.org/wiki/Zookos_triangle
  10. Colored coins whitepaper: https://tinyurl.com/coloredcoin-whitepaper
  11. Mastercoin whitepaper: https://github.com/mastercoin-MSC/spec
  12. Decentralized autonomous corporations, Bitcoin Magazine: https://tinyurl.com/Bootstrapping-DACs
  13. Simplified payment verification:https://en.bitcoin.it/wiki/Scalability#Simplifiedpaymentverification
  14. Merkle trees: http://en.wikipedia.org/wiki/Merkle_tree
  15. Patricia trees: http://en.wikipedia.org/wiki/Patricia_tree
  16. GHOST: http://www.cs.huji.ac.il/~avivz/pubs/13/btc_scalability_full.pdf
  17. StorJ and Autonomous Agents, Jeff Garzik: https://tinyurl.com/storj-agents
  18. Mike Hearn on Smart Property at Turing Festival: http://www.youtube.com/watch?v=Pu4PAMFPo5Y
  19. Ethereum RLP: https://github.com/ethereum/wiki/wiki/%5BEnglish%5D-RLP
  20. Ethereum Merkle Patricia trees: https://github.com/ethereum/wiki/wiki/%5BEnglish%5D-Patricia-Tree
  21. Peter Todd on Merkle sum trees:http://sourceforge.net/p/bitcoin/mailman/message/31709140/

Original text: https://github.com/ethereum/wiki/wiki/White-Paper

Copyright notice: this article was written by [cnstartech]; please include the original link when reposting. https://netfreeman.com/2022/04/202204030744567653.html