Bitcoin P2P e-cash paper


I’ve been working on a new electronic cash system that’s fully
peer-to-peer, with no trusted third party.

The paper is available at:

The main properties:
 Double-spending is prevented with a peer-to-peer network.
 No mint or other trusted parties.
 Participants can be anonymous.
 New coins are made from Hashcash style proof-of-work.
 The proof-of-work for new coin generation also powers the
    network to prevent double-spending.

Bitcoin: A Peer-to-Peer Electronic Cash System

Abstract. A purely peer-to-peer version of electronic cash would
allow online payments to be sent directly from one party to another
without the burdens of going through a financial institution.
Digital signatures provide part of the solution, but the main
benefits are lost if a trusted party is still required to prevent
double-spending. We propose a solution to the double-spending
problem using a peer-to-peer network. The network timestamps
transactions by hashing them into an ongoing chain of hash-based
proof-of-work, forming a record that cannot be changed without
redoing the proof-of-work. The longest chain not only serves as
proof of the sequence of events witnessed, but proof that it came
from the largest pool of CPU power. As long as honest nodes control
the most CPU power on the network, they can generate the longest
chain and outpace any attackers. The network itself requires
minimal structure. Messages are broadcasted on a best effort basis,
and nodes can leave and rejoin the network at will, accepting the
longest proof-of-work chain as proof of what happened while they
were gone.

Full paper at:

Satoshi Nakamoto




Re: Bitcoin P2P e-cash paper


>Satoshi Nakamoto wrote:
>> I’ve been working on a new electronic cash system that’s fully
>> peer-to-peer, with no trusted third party.
>> The paper is available at:
>We very, very much need such a system, but the way I understand your
>proposal, it does not seem to scale to the required size.
>For transferable proof of work tokens to have value, they must have
>monetary value. To have monetary value, they must be transferred within
>a very large network – for example a file trading network akin to
>To detect and reject a double spending event in a timely manner, one
>must have most past transactions of the coins in the transaction, which,
>naively implemented, requires each peer to have most past
>transactions, or most past transactions that occurred recently. If
>hundreds of millions of people are doing transactions, that is a lot of
>bandwidth – each must know all, or a substantial part thereof.

Long before the network gets anywhere near as large as that, it would be safe
for users to use Simplified Payment Verification (section 8) to check for
double spending, which only requires having the chain of block headers, or
about 12KB per day. Only people trying to create new coins would need to run
network nodes. At first, most users would run network nodes, but as the
network grows beyond a certain point, it would be left more and more to
specialists with server farms of specialized hardware. A server farm would
only need to have one node on the network and the rest of the LAN connects with
that one node.

The bandwidth might not be as prohibitive as you think. A typical transaction
would be about 400 bytes (ECC is nicely compact). Each transaction has to be
broadcast twice, so let’s say 1KB per transaction. Visa processed 37 billion
transactions in FY2008, or an average of 100 million transactions per day.
That many transactions would take 100GB of bandwidth, or the size of 12 DVD or
2 HD quality movies, or about $18 worth of bandwidth at current prices.

If the network were to get that big, it would take several years, and by then,
sending 2 HD movies over the Internet would probably not seem like a big deal.

Satoshi Nakamoto




Re: Bitcoin P2P e-cash paper


James A. Donald wrote:
> The core concept is that lots of entities keep complete and consistent
> information as to who owns which bitcoins.
> But maintaining consistency is tricky. It is not clear to me what
> happens when someone reports one transaction to one maintainer, and
> someone else transports another transaction to another maintainer. The
> transaction cannot be known to be valid until it has been incorporated
> into a globally shared view of all past transactions, and no one can
> know that a globally shared view of all past transactions is globally
> shared until after some time has passed, and after many new
> transactions have arrived.
> Did you explain how to do this, and it just passed over my head, or
> were you confident it could be done, and a bit vague as to the details?

The proof-of-work chain is the solution to the synchronisation problem, and to
knowing what the globally shared view is without having to trust anyone.

A transaction will quickly propagate throughout the network, so if two versions
of the same transaction were reported at close to the same time, the one with
the head start would have a big advantage in reaching many more nodes first.
Nodes will only accept the first one they see, refusing the second one to
arrive, so the earlier transaction would have many more nodes working on
incorporating it into the next proof-of-work. In effect, each node votes for
its viewpoint of which transaction it saw first by including it in its
proof-of-work effort.

If the transactions did come at exactly the same time and there was an even
split, it’s a toss up based on which gets into a proof-of-work first, and that
decides which is valid.

When a node finds a proof-of-work, the new block is propagated throughout the
network and everyone adds it to the chain and starts working on the next block
after it. Any nodes that had the other transaction will stop trying to include
it in a block, since it’s now invalid according to the accepted chain.

The proof-of-work chain is itself self-evident proof that it came from the
globally shared view. Only the majority of the network together has enough CPU
power to generate such a difficult chain of proof-of-work. Any user, upon
receiving the proof-of-work chain, can see what the majority of the network has
approved. Once a transaction is hashed into a link that’s a few links back in
the chain, it is firmly etched into the global history.

Satoshi Nakamoto
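
As an added illustration (not code from the original posts or from Bitcoin itself), the toy Python model below follows the reply above: each node keeps only the first spend of a coin it sees, the version that gets into a proof-of-work first overrides the other, and a transaction a few links back cannot be swapped without redoing the work. The "coin:payee" transaction format, the 12-bit difficulty, and all names are assumptions made for the example; signatures and networking are left out.

```python
import hashlib

GENESIS, BITS = "0" * 64, 12      # constructed toy difficulty: 12 zero bits

def coin_of(tx):                  # constructed tx format: "coin:payee"
    return tx.split(":")[0]

def block_hash(b):
    data = f'{b["prev"]}|{";".join(b["txs"])}|{b["nonce"]}'
    return hashlib.sha256(data.encode()).hexdigest()

def has_work(b):
    return int(block_hash(b), 16) >> (256 - BITS) == 0

def mine(prev, txs):
    block = {"prev": prev, "txs": sorted(txs), "nonce": 0}
    while not has_work(block):
        block["nonce"] += 1
    return block

def chain_valid(chain):           # every link has work and points at the last
    prevs = [GENESIS] + [block_hash(b) for b in chain[:-1]]
    return all(b["prev"] == p and has_work(b) for b, p in zip(chain, prevs))

class Node:
    def __init__(self):
        self.chain, self.pending, self.spent = [], {}, set()
    def tip(self):
        return block_hash(self.chain[-1]) if self.chain else GENESIS
    def receive_tx(self, tx):                       # first spend seen wins
        if coin_of(tx) in self.pending or coin_of(tx) in self.spent:
            return False
        return self.pending.setdefault(coin_of(tx), tx) == tx
    def receive_block(self, block):
        if block["prev"] == self.tip() and has_work(block):
            self.chain.append(block)
            for tx in block["txs"]:                 # stop working on losers
                self.spent.add(coin_of(tx))
                self.pending.pop(coin_of(tx), None)

def demo():
    a, b = Node(), Node()
    seen = [a.receive_tx("c1:alice"), a.receive_tx("c1:bob"), b.receive_tx("c1:bob")]
    block = mine(a.tip(), a.pending.values())       # A's version wins the race
    a.receive_block(block); b.receive_block(block)
    for i in (2, 3):                                # bury it a few links back
        a.receive_block(mine(a.tip(), [f"c{i}:carol"]))
    forged = [dict(a.chain[0], txs=["c1:bob"])] + a.chain[1:]
    return seen, b.pending, b.receive_tx("c1:bob"), chain_valid(a.chain), chain_valid(forged)
```

Calling `demo()` returns the first-seen decisions, node B's pending pool after the block arrives, B's answer when the losing spend is offered again, and the validity of the honest and the edited chain.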