applications where they can create their own arbitrary rules for ownership, transaction formats and state
transition functions. A bare-bones version of Namecoin can be written in two lines of code, and other
protocols like currencies and reputation systems can be built in under twenty. Smart contracts, cryptographic
"boxes" that contain value and only unlock it if certain conditions are met, can also be built on top of the
platform, with vastly more power than that offered by Bitcoin scripting because of the added powers of
Turing-completeness, value-awareness, blockchain-awareness and state.
The bitcoin protocol can encompass the global financial transaction volume in all electronic payment systems
today, without a single custodial third party holding funds or requiring participants to have anything more than
a computer using a broadband connection. A decentralized system is proposed whereby transactions are sent
over a network of micropayment channels (a.k.a. payment channels or transaction channels) whose transfer of
value occurs off-blockchain. If Bitcoin transactions can be signed with a new sighash type that addresses
malleability, these transfers may occur between untrusted parties along the transfer route by contracts which,
in the event of uncooperative or hostile participants, are enforceable via broadcast over the bitcoin blockchain
in the event of uncooperative or hostile participants, through a series of decrementing timelocks.
Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third
parties to process electronic payments. While the system works well enough for most transactions, it still
suffers from the inherent weaknesses of the trust based model. Completely non-reversible transactions are not
really possible, since financial institutions cannot avoid mediating disputes. The cost of mediation increases
transaction costs, limiting the minimum practical transaction size and cutting off the possibility for small
casual transactions, and there is a broader cost in the loss of ability to make non-reversible payments for nonreversible services. With the possibility of reversal, the need for trust spreads. Merchants must be wary of their
customers, hassling them for more information than they would otherwise need. A certain percentage of fraud
is accepted as unavoidable. These costs and payment uncertainties can be avoided in person by using physical
currency, but no mechanism exists to make payments over a communications channel without a trusted party.
What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any
two willing parties to transact directly with each other without the need for a trusted third party. Transactions
that are computationally impractical to reverse would protect sellers from fraud, and routine escrow
mechanisms could easily be implemented to protect buyers. In this paper, we propose a solution to the
double-spending problem using a peer-to-peer distributed timestamp server to generate computational proof of
the chronological order of transactions. The system is secure as long as honest nodes collectively control more
CPU power than any cooperating group of attacker nodes.
Interest and research in distributed consensus systems has increased markedly in recent years, with a central
focus being on distributed payment networks. Such networks allow for fast, low-cost transactions which are
not controlled by a centralized source. While the economic benefits and drawbacks of such a system are
worthy of much research in and of themselves, this work focuses on some of the technical challenges that all
distributed payment systems must face. While these problems are varied, we group them into three main
categories: correctness, agreement, and utility.
By correctness, we mean that it is necessary for a distributed system to be able to discern the difference
between a correct and fraudulent transaction. In traditional fiduciary settings, this is done through trust
between institutions and cryptographic signatures that guarantee a transaction is indeed coming from the
institution that it claims to be coming from. In distributed systems, however, there is no such trust, as the
identity of any and all members in the network may not even be known. Therefore, alternative methods for