Bitcoin Double Spending Attack Karame, Androulaki & Capkun ...

Bitcoin Double Spending Attack Karame, Androulaki & Capkun ...

Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013 Requirements of Digital Currencies New methods of purchases requiring new methods of payments.

Security of payments. Non ambiguous but preferably anonymous mapping between services/products and payments for them. Non repudiation Types of Digital Currencies

Credit/Debit cards Echecks Moneygram/Moneypack and similar services E-gold Bitcoin/Litecoin/Namecoin

What is Bitcoin?

Crypto currency Has no central controlling authority Secure Non reversible Anonymous Based on Proof of Work Bitcoin Operations Peers transfer coins to each other

Each peer holds a wallet which is designated by a wallet ID A transaction is formed by digitally signing hash of all previous transactions where the specific bitcoin in question was used previously. Any peer can verify a transaction. Bitcoin Transactions An electronic coin is a chain of digital signatures

Each owner transfers the coin to the next by digitally signing a hash of the previous transactions and the public key of the next owner adding these to the end of the coin. A payee can verify the signature to verify the chain of ownership. Bitcoin Transactions

Bitcoin Transactions and Double spending problems The problem however remains that a payee can not verify that the owners did not double spend this coin. The problem could be removed by designing a central coin issuing authority, but that again makes Bitcoin reliant on a central authority.

Bitcoin blocks and verification Transactions are included in Bitcoin blocks that are broadcasted to the entire network Bitcoin relies on a hash based Proof-of-Work (PoW) scheme to detect double spending on the same Bitcoin Proof of Work The proof-of-work involves scanning for a value

that when hashed, such as with SHA-256, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash. Proof of Work in Bitcoin Proof-of-work is implemented by incrementing a nonce in the block until a value is found that gives the block's hash the required

zero bits. Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it. Managing the size of block chain Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. To facilitate this

without breaking the block's hash, transactions are hashed in a Merkle Tree [7] [2][5], with only the root included in the block's hash. Old blocks can then be compacted by stubbing off branches of the tree. Bitcoin block generation Peers work to find a nonce value that when hashed with the Merkle hash of all valid and received transactions, the hash of the previous block and a timestamp is below a given target

value. When such a nonce is found, peers then include the hash and additional fields which can then be verified by all peers on the network. Bitcoin block generation Upon successful generation of a block, the generating peer is awarded 50 Bitcoins and the whole system is re-primed.

The resulting block is broadcasted on the network which after verification is added to the block chain by all clients. Block verification A user only needs to keep a copy of the block headers of the longest proof-of-work chain, which he can get by querying network nodes until he's convinced he has the longest chain, and obtain the Merkle branch linking the transaction to the block it's timestamped in.

He can't check the transaction for himself, but by linking it to a place in the chain, he can see that a network node has accepted it, and blocks added after it further confirm the network has accepted it. A bitcoin transaction The attack scenario A bitcoin transaction is accepted only if majority of the clients in the network mark it as valid.

As per the design of bitcoin, a transaction requires about 10 mins in the best case before it is included in a block and broadcasted for confirmation. If a merchant client accepts a transaction initially and later on gets refusal from majority of peers in the network, the attack is successful. Block generation time It is possible for transactions to be delayed

further depending on the difficulty of the hash being currently calculated. The complexity of the hash is adjusted based on the generation time of the previous hash. Block generation times Attacker Model A malicious client A forms

the core of the attack model Let us assume A is trying to spend a coin B at a merchant V which she had already spend earlier. The attack will succeed if V accepts the bitcoin but cant redeem it later on.

Attacker Model A requires at least another helper peer to succeed with the attack. We assume that the helper is H. The attack has a greater chance of succeeding if

multiple helper peers are present in other parts of the planet. The Attack A connects to V and creates a transaction T1 with B. Since A and V are in the

same network, V receives T1 almost immediately. Since bitcoin clients accept all connections, the transaction is received. The Attack A few seconds later A

connects to H and transfers the same bitcoin B to H in transaction T2. As per our assumption H is on the other side of the globe, so there is a good chance H does not know about T1 which A had with V using B.

The Attack H immediately starts broadcasting T2 in its local network and starts waiting for confirmation. Success of the Attack The attack mentioned in the previous slides will

succeed if: the time required for V to receive T1 is shorter than that for T2 the number of hosts which had included T2 in its blockchain should be in majority. Prevention of Double Spending Attack Unfortunately, there is no way to prevent this attack as the problem of time lag between a

transaction and its acceptance lies in the protocol. Can contain a damage of a fraudulent transaction by limiting the number of bitcoins transferred in an unverified transaction. Alternative currencies and prevention of double spending attacks Alternate currencies like Litecoin, Namecoin and

PrimeCoin has been developed which has a shorter block generation time. Because SHA-256 is not used in any of the other currencies, the block generation is CPU bound. Therefore, the complexity of PoW remains under a threshold. References Nakamoto, Satoshi. Bitcoin: A Peer-to-Peer

Electronic Cash System. Karame, Ghassan O, Androulaki, Elli, Capkun, Srdjan, Two bit coins at the Price of One? Double-Spending Attacks on Fast Payments in Bitcoin Bitcoin wiki,

Recently Viewed Presentations

  • Forces of Flight and Stability Forces on an

    Forces of Flight and Stability Forces on an

    Weight and balance calculations and adjustments are performed by the pilot or supporting ground crew and verified by the pilot. If the ground crew performs this task, then the information is delivered to the pilot on a piece of paper...
  • POINTLESS Round 1 Round 2 Finish Words with

    POINTLESS Round 1 Round 2 Finish Words with

    The car is started by Gavin. Pasta used to be made by Mum for Mia. Jenny is going to kiss him. Gavin starts the car. Mum used to make pasta for Mia. 26. 27. 24. 21. 56. 2. We asked...
  • Thesis Review What are the components of a

    Thesis Review What are the components of a

    Animal Farm, it is situationally ironic that an animal killed a human being; showing how the morals of animalism can be corrupted easily. Most animals can't read but the pigs can read well, giving the pigs the most power among...
  • The Inclusion Development Programme Teaching and supporting pupils

    The Inclusion Development Programme Teaching and supporting pupils

    Teaching and supporting pupils with dyslexia Presentation 1:Dyslexia: Understanding and supporting reading * ... The Simple View of Reading word recognition difficulties PowerPoint Presentation …and the same letters can be pronounced differently in different words There are many words that...
  • Vocal Jazz 101: Teaching Jazz Style to Singers

    Vocal Jazz 101: Teaching Jazz Style to Singers

    Consonants are imploded - vowels are pure but not overdone - Jazz is performed in a speech vernacular - not choral diction. Implode T's, D's, sometimes p's, b'sesp at end of a word -- No aspirated T's == Encourage students...
  • Robust Rate Adaptation in 802.11 networks Starsky H.Y.

    Robust Rate Adaptation in 802.11 networks Starsky H.Y.

    * RRAA Design Short-term statistics to handle random loss mobility Adaptive RTS to handle collision * Short-term Statistics based Rate Adaptation Short-term statistics: Loss ratio over estimation window (20~100ms) Channel coherence time Exploit short-term opportunistic gain Threshold-based rate change: if...
  • Fracking Safety & Economics November 9, 2017 America

    Fracking Safety & Economics November 9, 2017 America

    50-200 Ft. 2,500 Ft. 5,000 Ft. ... Economic trends indicate America's tight oil and gas resources remain viable even at oil prices in the 40-50 $/Bbl range. Long term (3-5 yrs from initial production) well production - uncertainties remain. New...
  • NeuroAnatomic and Genetic Approaches to Memory Formation

    NeuroAnatomic and Genetic Approaches to Memory Formation

    CamKIIa and CREB are required for LTP Mechanisms of Learning and Memory Synaptic Kinase activation Nuclear CREB activation A D1 NMDA CaMKII AMPA CREB Ca cAMP PDE Cyclase Gene replacement and transgenic animals Some genes are identified through mutant analysis...