Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013 Requirements of Digital Currencies New methods of purchases requiring new methods of payments.
Security of payments. Non ambiguous but preferably anonymous mapping between services/products and payments for them. Non repudiation Types of Digital Currencies
Credit/Debit cards Echecks Moneygram/Moneypack and similar services E-gold Bitcoin/Litecoin/Namecoin
What is Bitcoin?
Crypto currency Has no central controlling authority Secure Non reversible Anonymous Based on Proof of Work Bitcoin Operations Peers transfer coins to each other
Each peer holds a wallet which is designated by a wallet ID A transaction is formed by digitally signing hash of all previous transactions where the specific bitcoin in question was used previously. Any peer can verify a transaction. Bitcoin Transactions An electronic coin is a chain of digital signatures
Each owner transfers the coin to the next by digitally signing a hash of the previous transactions and the public key of the next owner adding these to the end of the coin. A payee can verify the signature to verify the chain of ownership. Bitcoin Transactions
Bitcoin Transactions and Double spending problems The problem however remains that a payee can not verify that the owners did not double spend this coin. The problem could be removed by designing a central coin issuing authority, but that again makes Bitcoin reliant on a central authority.
Bitcoin blocks and verification Transactions are included in Bitcoin blocks that are broadcasted to the entire network Bitcoin relies on a hash based Proof-of-Work (PoW) scheme to detect double spending on the same Bitcoin Proof of Work The proof-of-work involves scanning for a value
that when hashed, such as with SHA-256, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash. Proof of Work in Bitcoin Proof-of-work is implemented by incrementing a nonce in the block until a value is found that gives the block's hash the required
zero bits. Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it. Managing the size of block chain Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. To facilitate this
without breaking the block's hash, transactions are hashed in a Merkle Tree  , with only the root included in the block's hash. Old blocks can then be compacted by stubbing off branches of the tree. Bitcoin block generation Peers work to find a nonce value that when hashed with the Merkle hash of all valid and received transactions, the hash of the previous block and a timestamp is below a given target
value. When such a nonce is found, peers then include the hash and additional fields which can then be verified by all peers on the network. Bitcoin block generation Upon successful generation of a block, the generating peer is awarded 50 Bitcoins and the whole system is re-primed.
The resulting block is broadcasted on the network which after verification is added to the block chain by all clients. Block verification A user only needs to keep a copy of the block headers of the longest proof-of-work chain, which he can get by querying network nodes until he's convinced he has the longest chain, and obtain the Merkle branch linking the transaction to the block it's timestamped in.
He can't check the transaction for himself, but by linking it to a place in the chain, he can see that a network node has accepted it, and blocks added after it further confirm the network has accepted it. A bitcoin transaction The attack scenario A bitcoin transaction is accepted only if majority of the clients in the network mark it as valid.
As per the design of bitcoin, a transaction requires about 10 mins in the best case before it is included in a block and broadcasted for confirmation. If a merchant client accepts a transaction initially and later on gets refusal from majority of peers in the network, the attack is successful. Block generation time It is possible for transactions to be delayed
further depending on the difficulty of the hash being currently calculated. The complexity of the hash is adjusted based on the generation time of the previous hash. Block generation times Attacker Model A malicious client A forms
the core of the attack model Let us assume A is trying to spend a coin B at a merchant V which she had already spend earlier. The attack will succeed if V accepts the bitcoin but cant redeem it later on.
Attacker Model A requires at least another helper peer to succeed with the attack. We assume that the helper is H. The attack has a greater chance of succeeding if
multiple helper peers are present in other parts of the planet. The Attack A connects to V and creates a transaction T1 with B. Since A and V are in the
same network, V receives T1 almost immediately. Since bitcoin clients accept all connections, the transaction is received. The Attack A few seconds later A
connects to H and transfers the same bitcoin B to H in transaction T2. As per our assumption H is on the other side of the globe, so there is a good chance H does not know about T1 which A had with V using B.
The Attack H immediately starts broadcasting T2 in its local network and starts waiting for confirmation. Success of the Attack The attack mentioned in the previous slides will
succeed if: the time required for V to receive T1 is shorter than that for T2 the number of hosts which had included T2 in its blockchain should be in majority. Prevention of Double Spending Attack Unfortunately, there is no way to prevent this attack as the problem of time lag between a
transaction and its acceptance lies in the protocol. Can contain a damage of a fraudulent transaction by limiting the number of bitcoins transferred in an unverified transaction. Alternative currencies and prevention of double spending attacks Alternate currencies like Litecoin, Namecoin and
PrimeCoin has been developed which has a shorter block generation time. Because SHA-256 is not used in any of the other currencies, the block generation is CPU bound. Therefore, the complexity of PoW remains under a threshold. References Nakamoto, Satoshi. Bitcoin: A Peer-to-Peer
Electronic Cash System. Karame, Ghassan O, Androulaki, Elli, Capkun, Srdjan, Two bit coins at the Price of One? Double-Spending Attacks on Fast Payments in Bitcoin Bitcoin wiki, https://en.bitcoin.it/wiki/Category:Technical
Weight and balance calculations and adjustments are performed by the pilot or supporting ground crew and verified by the pilot. If the ground crew performs this task, then the information is delivered to the pilot on a piece of paper...
Animal Farm, it is situationally ironic that an animal killed a human being; showing how the morals of animalism can be corrupted easily. Most animals can't read but the pigs can read well, giving the pigs the most power among...
Teaching and supporting pupils with dyslexia Presentation 1:Dyslexia: Understanding and supporting reading * ... The Simple View of Reading word recognition difficulties PowerPoint Presentation …and the same letters can be pronounced differently in different words There are many words that...
Consonants are imploded - vowels are pure but not overdone - Jazz is performed in a speech vernacular - not choral diction. Implode T's, D's, sometimes p's, b'sesp at end of a word -- No aspirated T's == Encourage students...
* RRAA Design Short-term statistics to handle random loss mobility Adaptive RTS to handle collision * Short-term Statistics based Rate Adaptation Short-term statistics: Loss ratio over estimation window (20~100ms) Channel coherence time Exploit short-term opportunistic gain Threshold-based rate change: if...
50-200 Ft. 2,500 Ft. 5,000 Ft. ... Economic trends indicate America's tight oil and gas resources remain viable even at oil prices in the 40-50 $/Bbl range. Long term (3-5 yrs from initial production) well production - uncertainties remain. New...
CamKIIa and CREB are required for LTP Mechanisms of Learning and Memory Synaptic Kinase activation Nuclear CREB activation A D1 NMDA CaMKII AMPA CREB Ca cAMP PDE Cyclase Gene replacement and transgenic animals Some genes are identified through mutant analysis...
Ready to download the document? Go ahead and hit continue!