CA: 6k6kvmFanbTXWiciZpBy2PjyXGaxRnGdM9PVcmNNpump
Black: The Coin, Nigga to Nigga System (N2N) Satoshi Niggamoto
January 11, 2026, 5:12:44 PM #1
Satoshi Niggamoto
https://blackcointalk.fun/

Abstract. A straight-up peer-to-peer electronic cash system would let you send money online directly from me to you, no bank or middleman in the middle fuckin' up the vibe. Digital signatures already handle some of the security, but it don't mean shit if we still gotta trust some third party to stop people from double-spendin' the same coins. So we came up with the fix: a whole peer-to-peer network that timestamps every transaction by lockin' it into this unstoppable chain of hash-based proof-of-work. Once it's in that chain, you can't change it without goin' back and redoin' all that hard-ass work. That longest chain? That's the real receipt. It shows the true order of everything that happened AND proves it came from whoever had the most CPU muscle behind it. Long as the good folks (the ones not tryna scam) got more than half the computer's power, they gon' keep buildin' the longest chain and smoke anybody tryna attack the shit. The network don't need no fancy setup. You just broadcast the messages best you can, nodes dip in and out whenever they feel like it, and when they come back they just grab the longest proof-of-work chain and roll with whatever happened while they was gone. That's it. No suits, no banks, no trustin' nobody you don't know. Just math and power keepin' everybody honest.

1. Introduction

Shoppin' and payin' online these days? It’s all built around banks and them big financial spots actin' like the only ones we can trust to handle the money movin'. Yeah, it get the job done for most stuff, but that whole "trust us" setup got mad flaws baked in. You can't really do a transaction that’s straight-up permanent no take-backs 'cause banks always gotta step in when folks start arguin'. That back-and-forth mess jacks up the fees, so small lil' transactions ain’t even worth it. Forget buyin' a blunt wrap or tippin' the homie a dollar real quick.
Plus, when everything can get reversed, merchants stay paranoid, askin' for all kinda extra info, IDs, addresses, mama’s maiden name just extra hassle. They eat a certain amount of fraud like it’s normal. In real life you can just hand somebody cash and keep it movin', no drama. But online? Ain’t no way to send money through the wire without some middleman holdin' the keys.

What we really need is an electronic cash system that don’t depend on trustin' nobody. Straight cryptographic proof so any two people who wanna deal can hit each other direct no bank, no PayPal, no suit in the middle. Once the math locks it in, reversin' that joint would take so much computer power it ain’t even realistic—sellers stay safe from scams. And we can still hook up simple escrow vibes to look out for the buyer if needed. In this paper we droppin' the real fix for that double-spend problem: a peer-to-peer network with a distributed timestamp server that cranks out hard computational proof of what happened when. Long as the honest nodes together got more CPU juice than any squad of haters tryna cheat, the system stays solid. Period. No more trustin' institutions. Just code, math, and power runnin' the show. That’s the future we talkin' bout.

2. Transactions

We say an electronic coin is straight-up a chain of digital signatures. That's it. No fancy certificates, no bank stamps just a linked-up chain of signatures.

How it works: Every time somebody owns the coin and wanna pass it, they take the hash of the last transaction (the one where they got it), grab the next owner's public key, mash all that together, then slap their digital signature on it. Boom they add that signature right to the end of the coin. Now the coin got one more link in the chain. The person gettin' paid? They just run down the whole chain real quick: check every signature, make sure each one lines up with the public key of the next owner, and confirm the whole history is legit from the very beginning.
If all them signatures verify, they know the coin real and ain't been tampered with. Chain of ownership is ironclad. It's like passin' a signed receipt down the block every handoff got the previous owner's John Hancock provin' they really had it and really gave it up. No trust needed, just math. Verify the chain, verify the money. Simple, clean, and nobody in the middle. That’s how we keep it movin' without banks tellin' us who got what. Pure peer-to-peer ownership on lock.

The big issue is the person gettin paid got no way to check if one of them earlier owners already spent that same coin somewhere else. Double spend nightmare. The usual fix everybody jumps to? Bring in some central boss, call it a mint or whatever, that gotta approve every single transaction and watch for double spendin. After you pay somebody, the coin gotta go back to the mint, they kill the old one, spit out a brand new coin, and only coins comin straight from the mint is considered safe and not double spent. But that's weak sauce. Now the whole money system ridin on one company runnin that mint. Every transaction gotta go through them, just like we back dealin with banks again. One slip up, one hack, one shady move from them, and everything crash. We right back dependin on a middleman.

What we really need is a way for the person gettin paid to know for sure them previous owners didn't sign no earlier deals with that coin. Only the first transaction count for us. We don't care about later double spend attempts, we just gotta make sure the one we holdin is the real first one. How you prove somethin never happened though? Only way is to know about every single transaction that ever went down. In the mint setup, the mint seen everything and got to pick what came first. That's why they held all the power. To make this work without no trusted middleman, we gotta flip the script: Make every transaction public. Everybody gotta announce it loud so the whole network hear it.
Then we need a real system where everybody in the network agree on one single official history, one clear order of when them transactions actually hit. That way the person gettin paid got solid proof that when their transaction went through, the majority of nodes in the network already agreed: "Yeah, this the first time this coin got moved. Ain't no earlier version out there." That's the whole game right there. No central boss. No bank. Just the whole network seein everything together and majority rules on what really happened first. Once we lock that in, double spendin get caught quick and the payee can chill knowin they holdin the real deal. We finna show exactly how to build that system next. Stay with me.

3. Timestamp Server

The whole solution we droppin starts with a timestamp server. Straight like that. How a timestamp server work? It take a hash of a whole block of stuff that need timin (like a bunch of transactions), then it blast that hash out to the world so everybody see it. Back in the day they used to put it in the newspaper or drop it in Usenet posts [2-5]. Real simple. Why that matter? 'Cause once that hash get published, it prove the data had to already exist at that exact time. Ain't no way you hash somethin that ain't there yet. Facts.

Then we level it up: Every new timestamp don't just stand alone. It grab the previous timestamp's hash and mix it right into its own hash. So now each new one lockin the one before it. You add one more link, it make the whole chain stronger. Try to go back and fake somethin old? You gotta break every single link after it too. Good luck. It's like a unbreakable chain of receipts. Each new stamp shoutin "Yo, all this stuff before me? It was real back then, and I got proof." And every new one make the old ones even harder to mess with.

4. Proof Of Work

To make a real peer-to-peer timestamp server, we use proof-of-work like Adam Back's Hashcash [6] instead of newspapers or Usenet.
It work like this: Scan for a nonce that, when hashed (like SHA-256), makes the hash start with a bunch of zero bits. More zeros = way more work (exponential), but super easy to check with one hash.

In our system, we keep bumpin the nonce in the block till the hash got enough zeros. Once CPU power make it valid, that block locked. Change anything? Gotta redo the work. And since blocks chain together, changin one mean redoin all the ones after it too. Hard work secures the timeline. Deep blocks basically untouchable.

5. Network

Aight, here's how the whole network actually run, step by step, fam:

1. New transactions get blasted out to every node on the network.
2. Each node scoop up them fresh transactions and pack em into a block.
3. Every node start grindin, tryna solve that hard proof-of-work puzzle for they block.
4. Soon as one node crack the code and find a valid proof-of-work, they shout the whole block to everybody else.
5. Nodes only accept that block if every transaction inside it check out as valid and ain't already been spent.
6. To show they cool with it, nodes start workin on the next block in the chain, usin the hash of that accepted block as the "previous hash" link.

Nodes always rock with the longest chain as the real one, and they keep pushin to make it even longer. If two nodes drop different next blocks at the same damn time? Some nodes might catch one version first, some catch the other. No stress—they just keep grindin on whichever one hit they inbox first, but they stash the other branch just in case. When the next proof-of-work drop and one chain pull ahead and get longer, everybody switch to that one. The shorter branch get left behind. Tiebreaker straight facts.

New transactions don't gotta hit every single node right away. Long as they reach a good chunk of the network, they gon end up in a block soon enough.
Block broadcasts the same vibe—some messages might drop, but if a node miss one, soon as they see the next block and notice they skipped somethin, they just ask for the missin block and catch up quick. That's how the network stay solid without no boss. Just nodes racin, broadcastin, and always chasin the longest chain with the most work behind it. Pure decentralized power.

6. Incentive

It's a brand new coin created outta thin air, and it belong straight to whoever mined that block—the creator. This the incentive that keep nodes willin to run the network heavy. Plus, it's how we get coins out into the world in the first place—no central bank printin money, no boss handin out coins. Just miners earnin em.

This steady drip of new coins every block? It straight up like gold miners diggin deep, burnin resources to pull fresh gold outta the ground. In our world, the resource is CPU time and electricity. Same hustle, different grind.

And the incentive don't stop there—it can also get fat off transaction fees. If a transaction output less than what went in, that leftover difference? That's the fee, and it get added right into the block reward for the miner who seal the deal. Once we hit a set number of coins in circulation (like a cap), the new coin creation stop cold. From then on, the whole incentive switch to pure transaction fees. No more inflation, system stay clean forever.

This setup also keep folks honest. Say a greedy attacker somehow stack more CPU power than all the good nodes combined—he could try to scam by stealin back his own payments, rewritin history. But check this: he got a choice. Use all that power to cheat, or just keep minin legit and rake in more new coins than everybody else put together. By the math, it make way more sense to play fair and eat them fat rewards than to burn the whole system down and trash his own bag. Greed actually work for us here. The rules set up so the biggest player still better off buildin the chain right than breakin it.
That's the beauty. Self-interest keep the network solid.

7. Reclaiming Disk Space

Once the latest transaction for a coin get buried deep under enough blocks—meaning it's way back in the chain and super hard to mess with—them older spent transactions before it? We can straight-up toss em to free up disk space. But hold up, we can't just delete stuff or the block's hash break and the whole chain fall apart. So we fix that with a Merkle Tree [7][2][5]. All the transactions in a block get hashed together in this tree structure. You keep pairin and hashin until you got one single hash at the top—the Merkle root. That root the only thing we actually put in the block's hash.

Now here's the slick part: Old blocks can get compacted heavy. We just stub off them branches of the tree we don't need anymore. Keep the root, ditch the middle hashes and the old transaction data. The interior hashes? Don't gotta store em no more. Long as you got the root and the proof path (them few hashes needed to verify a specific transaction), you can still prove everything was legit without keepin the whole tree. So you save mad disk space, keep the chain secure, and still let new nodes verify old history if they need to. Merkle Tree make it possible to prune without breakin nothin. Smart, clean, and efficient. That's how we keep this thing runnin light years ahead.

A block header with no transactions? That joint only about 80 bytes. If we keep poppin blocks every 10 minutes like clockwork, that's 6 blocks an hour, 24 hours a day, 365 days a year. Run the numbers: 80 bytes × 6 × 24 × 365 = right around 4.2MB per year. Back in 2008, regular computers already comin with 2GB of RAM standard. And Moore's Law sayin we addin about 1.2GB of RAM growth every year. So even if we gotta keep all them block headers sittin in memory forever? Storage ain't even a issue. 4.2MB a year is nothin compared to how fast hardware gettin bigger and cheaper. We good for years, no sweat.

8. Simplified Payment Verification

It's possible to verify payments without bein a whole network node yourself. All you need is a lightweight setup. You just keep a copy of the block headers from the longest proof-of-work chain. That's it—the heads only, not the whole damn blockchain. How you get em? You query nodes around the network till you convinced you holdin the real longest chain, the one with the most work behind it. Then, to check your specific payment, you grab the Merkle branch linkin your transaction to the block where it got timestamped. That branch is just a handful of hashes that connect your tx straight to the block header. You can't personally verify every detail of the transaction yourself (like if the inputs was legit), but here's the beauty: By linkin it to that spot in the chain with the Merkle proof, you know a network node already accepted it as valid. And every new block stacked on top after that? That's extra confirmation the whole network keep sayin "Yeah, we good with this, it's in the real chain."

As such, the verification is reliable as long as honest nodes control the network, but is more vulnerable if the network is overpowered by an attacker. While network nodes can verify transactions for themselves, the simplified method can be fooled by an attacker's fabricated transactions for as long as the attacker can continue to overpower the network. One strategy to protect against this would be to accept alerts from network nodes when they detect an invalid block, prompting the user's software to download the full block and alerted transactions to confirm the inconsistency. Businesses that receive frequent payments will probably still want to run their own nodes for more independent security and quicker verification.

9. Combining and Spitting Value

Yeah, we could handle every single coin one by one, but that shit would be mad clunky. Ain't nobody tryna make a whole separate transaction for every penny when you sendin money.
So to keep it smooth and let value split and combine easy, every transaction got multiple inputs and multiple outputs. Usually it look like this: Either one big input from a fat previous transaction you own, or a bunch of smaller inputs mashed together to make up the total amount you tryna spend. Then on the output side, at most two: One go straight to the person you payin (the payment), and if there's any leftover, the second one send that change right back to you, the sender. Simple setup. One or many inputs feedin in, two outputs max—one for who you payin, one for your change. Keeps everything clean, no need to track a million tiny coins separate. Just mix, match, and move the value how you want. That's how real money flow supposed to work.

Fan-out ain't no issue in this system at all. You know how one transaction might depend on a bunch of previous ones, and them ones depend on even more, spreadin out like a tree? That kinda chain reaction don't slow us down or cause headaches here. We never gotta pull out a full, standalone copy of a transaction's entire history to make sure it's legit. Thanks to the Merkle Tree and the way we chain everything, we just need that short Merkle branch link to prove the transaction sit right where it supposed to in the block. The whole history stay buried deep in the chain, but we don't need to dig up every single piece to verify one payment. No need to chase down the whole family tree every time. Just the proof path and the block header chain—that's enough to know it's solid. Keeps things light, fast, and clean even when the dependencies get wild. No bloat, no drama.

10. Privacy

Old-school banks get they privacy by lockin everything down—only the people in the deal and that trusted middleman (the bank) even know what's good. Nobody else see your moves. But in our system, we gotta blast every transaction out to the whole network public style. Can't hide that part. So how we still keep it private?
We break the link somewhere else: by keepin them public keys straight anonymous. Everybody can peep that somebody sendin X amount to somebody else. The tape show the time, the size, all that. But without extra info tyin that transaction back to a real person or name? They stay ghost. It's just like how the stock market drop the "tape"—everybody see the trades go down, what time, how much stock moved, but they don't tell you who bought or who sold. Names stay out the picture. Same vibe here. The chain show all the money movin, but as long as them public keys don't get linked to your real identity, your business stay your business. Public see the flow, but can't point and say "that's you." Privacy preserved, no bank needed to guard the secret. Just smart key management keep it lowkey.

10. Calculations

Even if this dude somehow manage to generate an alternate chain faster than the honest nodes, he still can't just do whatever. He can't create money outta nowhere or jack coins that never belonged to him. Nodes ain't dumb—they straight-up reject invalid transactions. Honest nodes never accept a block with shady stuff in it. All this attacker can really do is try to change one of his own recent transactions to take back money he already spent. That's the only play he got.

We can model this race between the honest chain and the attacker's chain like a Binomial Random Walk.

● Success (+1): Honest chain get one more block, lead grow bigger.
● Failure (-1): Attacker get the next block, gap shrink.

This the same as the classic Gambler's Ruin problem. Imagine a gambler startin deep in the hole with unlimited credit, playin forever tryna get back to even. The chance he ever catch up? We can math it out like this [8]:

p = chance honest node find the next block
q = chance attacker find the next block
q_z = chance attacker ever catch up from z blocks behind

$$q_z = \begin{cases} 1 & \text{if } p \le q \\ (q/p)^z & \text{if } p > q \end{cases}$$

Since we assume p > q (honest nodes got more power overall), that probability drop exponential fast the more blocks z the attacker gotta make up. If he don't get super lucky and jump way ahead real quick, his odds go from slim to straight ghost as he fall further behind. Vanishin small.

Now the real question: How long should the person gettin paid wait before they can feel safe that the sender can't flip the script? We assume the sender the attacker. He wanna trick the receiver into thinkin he paid for a minute, then switch it back to pay himself later. Receiver gon notice eventually, but attacker hopin it's too late to stop the damage.

To block the attacker from preparin a secret chain way in advance, the receiver do this smart move: Generate a fresh key pair right before the transaction, hand the public key to the sender, then sign. That way attacker can't grind on a fake chain forever waitin for luck—he only start workin after the transaction drop. Once the transaction out, the shady sender start secretly buildin his parallel chain with the double-spend version.

Receiver wait till the transaction get into a block, then wait for z more blocks to stack on top. He don't know exactly how far the attacker got in secret, but if we figure honest blocks came at the average speed (expected time per block), then the attacker's possible progress follow a Poisson distribution, with expected value equal to... (we finna finish that math next, stay locked in)

Bottom line: The longer you wait (bigger z), the crazier small the attacker's chance get. Exponential decay in they favor. That's why waitin for confirmations the move. Math don't lie, fam.

11. Conclusion

We just laid out a whole system for electronic cash that don't need nobody to trust.
No banks, no middlemen, no suits callin the shots. We kicked off with the classic setup: coins built from digital signatures. That give you ironclad control over who own what—straight ownership on lock. But it fall short without a fix for double-spendin. So we fixed that. We built a peer-to-peer network that use proof-of-work to carve out a public, unchangeable history of every transaction. Once honest nodes hold the majority of CPU power, it become damn near impossible for any attacker to rewrite the past. The deeper it get buried, the more work it take to touch it. Math make it secure.

This network tough as hell 'cause it simple and unstructured. Nodes do they thing all at once, barely coordinatin. Ain't no need to know who anybody is—messages just get broadcast best effort, no fancy routing. Nodes dip out and pop back in whenever, and when they return, they just grab the longest proof-of-work chain and accept that as the gospel of what went down while they was gone. They vote with they CPU muscle: Accept a valid block? Start buildin the next one on top. Reject a shady block? Don't touch it, don't extend it. That's the consensus. Any rules, any incentives, any changes we need? They get enforced right through this mechanism. No central vote. No boss. Just power and math decidin what's real.

We built electronic money that run on its own, stay honest as long as the majority stay honest, and let anybody send value direct to anybody else, no trust required. That's the vision. No more relyin on institutions. Just code, proof, and people choosin to keep it real. Welcome to the future, fam. We did that.

References

[1] W. Dai, "b-money," http://www.weidai.com/bmoney.txt, 1998.
[2] H. Massias, X.S. Avila, and J.-J. Quisquater, "Design of a secure timestamping service with minimal trust requirements," In 20th Symposium on Information Theory in the Benelux, May 1999.
[3] S. Haber, W.S. Stornetta, "How to time-stamp a digital document," In Journal of Cryptology, vol 3, no 2, pages 99-111, 1991.
[4] D. Bayer, S. Haber, W.S. Stornetta, "Improving the efficiency and reliability of digital time-stamping," In Sequences II: Methods in Communication, Security and Computer Science, pages 329-334, 1993.
[5] S. Haber, W.S. Stornetta, "Secure names for bit-strings," In Proceedings of the 4th ACM Conference on Computer and Communications Security, pages 28-35, April 1997.
[6] A. Back, "Hashcash - a denial of service counter-measure," http://www.hashcash.org/papers/hashcash.pdf, 2002.
[7] R.C. Merkle, "Protocols for public key cryptosystems," In Proc. 1980 Symposium on Security and Privacy, IEEE Computer Society, pages 122-133, April 1980.
[8] W. Feller, "An introduction to probability theory and its applications," 1957
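
Added example, not part of the original post: the confirmation-depth calculation that the Calculations section sets up but leaves unfinished. It follows the Bitcoin paper this post paraphrases, which takes the Poisson mean as λ = z·q/p and weights each possible attacker progress k by the catch-up chance from z − k blocks behind; the function names and the 0.1% default risk threshold are choices made for this example.

```python
import math

def catch_up_probability(q, z):
    """q_z from the post: chance an attacker z blocks behind ever draws level."""
    p = 1.0 - q
    return 1.0 if p <= q else (q / p) ** z

def attacker_success(q, z):
    """Chance a double-spend still succeeds after the payee waited z blocks.

    q is the attacker's share of total hash power (p = 1 - q is the honest share).
    """
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("need 0 <= q <= 1 and z >= 0")
    p = 1.0 - q
    if p <= q:
        return 1.0                      # a majority attacker always catches up
    lam = z * (q / p)                   # expected attacker blocks while honest nodes add z
    total = 1.0
    poisson = math.exp(-lam)            # Poisson probability of k = 0 attacker blocks
    for k in range(z + 1):
        if k:
            poisson *= lam / k          # Poisson(k) derived from Poisson(k - 1)
        # Attacker made k blocks in secret and still has to close a gap of z - k.
        total -= poisson * (1.0 - catch_up_probability(q, z - k))
    return total

def min_confirmations(q, risk=0.001, limit=10_000):
    """Smallest z with attacker_success(q, z) < risk, or None if no depth is enough."""
    if q >= 0.5:
        return None                     # waiting never helps against a majority
    for z in range(limit + 1):
        if attacker_success(q, z) < risk:
            return z
    return None

if __name__ == "__main__":
    for q in (0.10, 0.20, 0.30, 0.45):
        print(f"attacker share q={q:.2f}: wait z={min_confirmations(q)} blocks")
```

The required depth grows sharply as q approaches 0.5, which is why a payee's confirmation policy should be set from an estimate of attacker hash share rather than a fixed number.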
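
Added example, not part of the original post: a toy lightweight client doing the check described in the Reclaiming Disk Space and Simplified Payment Verification sections, holding only headers and a Merkle branch. The 72-byte header layout, single SHA-256, the rule that an odd tree level pairs its last hash with itself, the 12-bit difficulty, and the sample transactions are all assumptions constructed for this example.

```python
import hashlib

BITS = 12  # constructed toy difficulty: leading zero bits required in a header hash

def h(data: bytes) -> bytes:
    # Single SHA-256 (assumption; the post only says "like SHA-256").
    return hashlib.sha256(data).digest()

def merkle_levels(txs):
    """All levels of the tree, leaf hashes first, root last."""
    levels = [[h(tx) for tx in txs]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:                       # assumption: an odd level pairs
            cur = cur + [cur[-1]]              # its last hash with itself
        levels.append([h(cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def merkle_branch(txs, index):
    """Sibling hashes from leaf `index` up to (not including) the root."""
    branch = []
    for level in merkle_levels(txs)[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        branch.append((level[sibling], sibling < index))  # (hash, sibling on left?)
        index //= 2
    return branch

def branch_root(tx, branch):
    """Recompute the root from one transaction and its branch."""
    node = h(tx)
    for sibling, on_left in branch:
        node = h(sibling + node) if on_left else h(node + sibling)
    return node

def has_work(header, bits=BITS):
    return int.from_bytes(h(header), "big") >> (256 - bits) == 0

def mine_header(prev_hash, root, bits=BITS):
    """Toy header: previous header hash (32) | Merkle root (32) | nonce (8)."""
    nonce = 0
    while True:
        header = prev_hash + root + nonce.to_bytes(8, "big")
        if has_work(header, bits):
            return header
        nonce += 1

def spv_confirmations(headers, height, tx, branch, bits=BITS):
    """Blocks stacked on top of the tx's block, or None if any check fails."""
    for i, header in enumerate(headers):
        if len(header) != 72 or not has_work(header, bits):
            return None                        # malformed header or missing work
        if i and header[:32] != h(headers[i - 1]):
            return None                        # link to previous header broken
    if not 0 <= height < len(headers):
        return None
    if branch_root(tx, branch) != headers[height][32:64]:
        return None                            # block does not commit to this tx
    return len(headers) - 1 - height

def build_demo_chain():
    """Constructed sample data: three blocks of made-up transactions."""
    blocks = [[b"coinbase-0"],
              [b"coinbase-1", b"alice->bob:5", b"bob->carol:2"],
              [b"coinbase-2", b"carol->dave:1"]]
    headers, prev = [], bytes(32)
    for txs in blocks:
        headers.append(mine_header(prev, merkle_levels(txs)[-1][0]))
        prev = h(headers[-1])
    return blocks, headers

if __name__ == "__main__":
    blocks, headers = build_demo_chain()
    proof = merkle_branch(blocks[1], 2)
    print(spv_confirmations(headers, 1, b"bob->carol:2", proof))    # genuine tx
    print(spv_confirmations(headers, 1, b"bob->mallory:2", proof))  # forged tx
```

As the post notes, these checks only show that the block commits to the transaction and that work was spent on the header chain; they do not validate the transaction's inputs.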
January 11, 2026, 5:36:58 PM #2
satoshi nigggamoto a genius
January 11, 2026, 5:36:59 PM #3
satoshi nigggamoto a genius