A Mechanism for Mitigating Double Spending Attacks
Document version: 2, published September 22nd, 2014
Evan Duffield evan@darkcoin.io
Holger Schinzel holger@darkcoin.qa
Fernando Gutierrez gutierrezf@gmail.com
In this paper, we explore a solution to a long standing issue with Bitcoin and
other cryptographic currencies, the ability to enable instant validation of
payments without having to wait for block chain confirmation.
1 Introduction
Invented in 2009, Bitcoin [Nakamoto09] is a decentralized peer-to-peer payment system created by Satoshi Nakamoto. Bitcoin has been steadily gaining popularity since its introduction in 2009 and has been adopted successfully by many merchants [Reuters14]. While Bitcoin has been greatly successful, it has one main significant disadvantage compared to its largest competitor, credit cards. In point-of-sale transactions, credit cards can have nearly instantaneous authorization of payment, whereas to get finality in a Bitcoin transaction one must wait for block chain confirmation. With credit cards, an authority is contacted when making a purchase, which results in a buyer's money being held until it clears later. In contrast, Bitcoin clients blindly propagate messages they believe are correct while getting no feedback from the network.

Darkcoin is a privacy-centric cryptocurrency based on the work of Satoshi Nakamoto and includes various improvements to the technology first implemented in the Bitcoin client. These improvements include enhanced privacy features and a network that is incentivized to provide services [Duffield14].

In this paper we will introduce the masternode network as an observer network, utilising a distributed consensus and locking algorithm, TX locking, to secure unconfirmed transactions. The observer network reports on transactions, granting them a finalized status immediately after their original propagation. Further, we will discuss attack vectors and how the masternode network will mitigate these.
2 Masternode Network
Masternodes were originally introduced to Darkcoin as an engineering effort to support the mixing process used in Darkcoin's DarkSend implementation. The original requirements were described in April 2014 by Evan Duffield:

"These nodes are the foundation of DarkSend, all transactions will be routed through these nodes. Each masternode requires that 1000 DRK be kept on the node and each time that node is selected the network will dedicate 10% [As of this writing, the reward has been changed to 20%] of that block to these nodes. If you are running a masternode you need to be fairly familiar with network administration and securing your host." [Masternodes]

When running a Masternode, users store the Darkcoin as something akin to collateral, although unlike traditional collateral, the Darkcoin never leaves the user's possession and has no chance of being forfeited. It can be moved or spent at any time by the user; doing so simply removes the Masternode from service and makes it ineligible to receive rewards.

An addition to the core protocol is made to support a second P2P network, which propagates messages synchronizing a list of all known Masternodes across the network. As a result, all clients on the network know about all Masternodes and can utilize their services at any time.

Unlike Gnutella [Gnutella], which uses a hierarchical network of client nodes and supernodes, where client nodes only make a connection to one supernode (figure 1), Masternodes and normal peers are equal in their connection behaviour, forming a classical P2P network.

Figure 1: A P2P supernode network
Figure 2: Darkcoin Masternode Network

By running the appropriate peer software (wallet) and matching the requirements (static IP, 1000 DRK vin), any node/peer can become a masternode.

Although the original intention of Masternodes was to facilitate the mixing of coins, having a network of incentivized peers opens the possibility for further applications.
3 Transaction Locking
In large-scale distributed systems (like Darkcoin) it is a common problem how to ensure that only one peer across a large number of peers acts on a resource (coins). Solutions to that challenge involve different kinds of consensus algorithms, e.g. Paxos [Chandra07].

Bitcoin uses proof-of-work to maintain consensus throughout its network of peers. Due to its technical parameters this limits the speed at which a transaction can be considered confirmed and safe against double spend attacks.

To decrease the time a transaction needs to be confirmed, it's possible to lower the block generation time, which has the drawback of blockchain bloat and has a lower boundary of ~30 seconds due to network latency.

We are proposing to combine the proof-of-work algorithm with an implementation of a distributed lock manager (DLM) which will utilise the masternode network: Transaction Locking.

In contrast to Chubby [Burrows06], which provides locks on file resources, we will be implementing a framework for locking Darkcoin inputs.

Locally when using Darkcoin, the client can lock inputs in the wallet from being used elsewhere. In most cases this is done in specific implementations that use the RPC API of the client to make manual transactions.

The concept of transaction locking can be further extended to lock inputs across the entire network, rather than just locally like most cryptocurrency implementations. Such an implementation must overcome consensus issues and race conditions to successfully stop double spending attacks.
3.1 Solution To Double Spending via Transaction Locking
In most implementations it is recommended that merchants have some form of double spending protection. This can be accomplished by having clients act as observers on the network and report back to the merchant when they see double spending attacks [Karame12]. In our solution we propose using the masternode network as observers and extending the protocol to give a set of masternodes the ability to be the authority on transactions.

Transaction locking is a concept where a client sends the network an intention to lock funds from a specific input to a specific output (or multiple of each). This is done by relaying an object consisting of a full transaction and the locking command. The user will sign a message using the input(s), and relay the message throughout the network.

Transaction Lock: (txlock, CTransaction, nBlockHeight, SignedMessage)

Locking messages will propagate across the whole Darkcoin network and reach all clients. Once the lock has reached everyone, a set of deterministically selected masternodes will form a consensus. Next, upon a successful consensus, a message will be broadcast across the network and at this point all clients will respect the lock on the funds.

By utilizing the masternode network, we can gain a degree of certainty that the transaction in question is valid and will be accepted into the blockchain after that. Immediately after the propagation of a lock, the selected masternodes will begin to vote on the validity of the transaction lock.

If consensus is reached on a lock by the Masternode network, all conflicting transactions would be rejected thereafter, unless they matched the exact transaction ID of the lock in place. Clients would be tasked with clearing out conflicting locks and possibly reversing attacker transactions. This would only happen in a case where an attacker submitted multiple locks to the network at once and the network formed consensus on one but not the other.

If no consensus is reached, standard confirmation will be required to assure that a transaction is valid.

A special deterministic algorithm is used to determine a pseudo-random ordering of the masternodes. By using the hash from the proof-of-work for each block, security of this functionality will be provided by the mining network.

Pseudo code for selecting a masternode:
    best_score = 0
    for (masternode in masternodes) {
        n = masternode.CalculateScore()
        if (n > best_score) {
            best_score = n
            winning_node = masternode
        }
    }

    CMasterNode::CalculateScore() {
        n1 = GetProofOfWorkHash(nBlockHeight)  // get the hash of this block
        n2 = x11(n1)                           // hash the POW hash to increase the entropy
        n3 = abs(n2 - masternode_vin)
        return n3
    }
In each round of voting, a winning Masternode is chosen to carry out Darksend transactions. This process is carried out by the individual nodes across the network independently using the Masternode election algorithm. This algorithm chooses a winning node for Darksend, but there is also a runner-up, third, fourth, fifth place, etc.

Utilizing this code, we can make a deterministic list of the Masternodes that will act as the authority for the transaction lock. These will be the same nodes across the network and they will vote on the validity of the transaction lock in question. For each block, a completely different list of 10 nodes will be chosen to be the authority.
Figure 3: Gaining Consensus on Transaction Locks via the Masternode Network

In order to secure the network from attack, we must mitigate attacks such as:
Sybil attack
Finney attack
Transaction lock race attack
Multiple consensus messages
The probability of winning the election will be 1 in N Masternodes. Currently the network is supported by 895 Masternodes. Each Masternode has a probability of 1 in N of winning the election. Therefore to attack the network, it will require the election process to select all of the attacker's Masternodes.

We will consider an attack on the transaction locking system by purchasing masternodes in order to rig the voting system. For simplicity we will use a network consisting of 1000 masternodes. Currently the Darkcoin network has 895 active Masternodes.

Probabilities of attack can be calculated by the chance of a masternode being selected as the winning node for a given block (1/1000). To subvert the system an attacker would require operating all ten masternodes that won a given election.

At a cost of 1000 DRK per masternode, it's expensive to attempt to attack the transaction locking system. To gain a probability of 1.72% of being selected for a specific block, one has to control 2/3 of the Masternode network (see Table 1 for more information). To gain control of 2/3 of the network, an attacker would need to purchase 2000 masternodes (requiring the purchase of 2 million Darkcoin).
Attacker Controlled Masternodes /   Probability of success                       Darkcoin Required
Total Masternodes                   $\prod_{i=1}^{n} \frac{r-(i-1)}{t-(i-1)}$
10/1010                             3.44e-24                                     10,000 DRK
100/1100                            2.52e-11                                     100,000 DRK
1000/2000                           9.55e-03                                     1,000,000 DRK
2000/3000                           1.72e-02                                     2,000,000 DRK
Table 1. The probability of a successful attack given the attacker controls N Nodes.
Where:
n is the length of the chain of masternodes
t is the total number of masternodes in the network
r is the number of rogue masternodes controlled by the attacker and it is ≥ n
The selection of masternodes is random
Considering the limited supply of Darkcoin (4.6 million at the time of writing) and the low liquidity available on the market, it becomes an impossibility to attain a large enough supply to succeed at such an attack.
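
The product from Table 1 can be evaluated exactly and inverted to estimate how much collateral a given per-block capture probability would cost. This is an added example, not part of the paper; the function names are assumptions, and it follows the table's convention that the attacker's nodes are added on top of the existing honest ones.

```python
from fractions import Fraction

COLLATERAL_DRK = 1000  # collateral per masternode, as stated in the paper


def capture_probability(rogue: int, total: int, quorum: int = 10) -> Fraction:
    """prod_{i=1..n} (r-(i-1))/(t-(i-1)): chance that all `quorum` elected
    masternodes belong to the attacker."""
    if not 0 <= rogue <= total or not 0 < quorum <= total:
        raise ValueError("need 0 <= rogue <= total and 0 < quorum <= total")
    if rogue < quorum:
        return Fraction(0)  # the attacker cannot fill every seat
    p = Fraction(1)
    for i in range(1, quorum + 1):
        p *= Fraction(rogue - (i - 1), total - (i - 1))
    return p


def min_rogue_nodes(honest: int, target: float, quorum: int = 10) -> int:
    """Fewest masternodes an attacker must add to `honest` existing ones
    before the capture probability for one block reaches `target`."""
    if not 0 < target < 1:
        raise ValueError("target must be in (0, 1)")
    lo, hi = quorum - 1, quorum          # p(lo) == 0 < target
    while capture_probability(hi, honest + hi, quorum) < target:
        lo, hi = hi, hi * 2
    while hi - lo > 1:                   # invariant: p(lo) < target <= p(hi)
        mid = (lo + hi) // 2
        if capture_probability(mid, honest + mid, quorum) >= target:
            hi = mid
        else:
            lo = mid
    return hi


def collateral_drk(nodes: int) -> int:
    """Darkcoin that must be held to run `nodes` masternodes."""
    return nodes * COLLATERAL_DRK


if __name__ == "__main__":
    print(f"2000/3000: {float(capture_probability(2000, 3000)):.2e}")
    needed = min_rogue_nodes(1000, 0.5)
    print("nodes for a 50% chance per block:", needed,
          "=", collateral_drk(needed), "DRK")
```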
In the case of an attacker attempting to rig the voting system in favor of the wrong transaction lock (i.e. the lock that isn't propagated across the rest of the network), the network will form an irreversible lock causing the transaction to the merchant to be invalidated. The merchant's client in question will permanently show an unconfirmed transaction due to a double spend and will never show the transaction was instantly validated.
4.2 Finney Attacks
In a Finney Attack, an attacker mines a block normally; in the block he is trying to mine he includes a transaction where he sends coins back to himself. When he successfully finds a block, he does not broadcast the block, but instead he sends coins to a merchant for goods or services. Immediately after the goods or services have been produced and before the network has produced the next block, the attacker broadcasts his block, overriding the payment he just made.

To stop a Finney Attack from succeeding, the network must be capable of rejecting blocks that violate existing transaction locks. They must also be able to differentiate between a transaction lock on a given transaction and a successfully locked transaction via the Masternode network locking consensus system. Only when the elected masternodes have relayed the lock for the given transaction is it to be considered successfully locked and a block with a conflicting transaction rejected.

In a transaction locking race attack a client would submit two competing locks to the network, one promising money to the merchant and the other to himself. To improve the probability of a successful attack, the attacker would submit a transaction locking command directly to the elected masternodes, making sure they propagate that the merchant will receive the money while at the same time propagating a competing lock to send the money back to their own wallet.

In an attack like this one, the network would be split between two valid transactions until the winning masternodes propagated their votes for the correct lock. All clients on the network would then remove the invalid transaction and take the valid one into their memory pool. This would happen very quickly, in the matter of a few seconds in most cases.

An incomplete lock happens when the Masternode network lacks consensus about a specific lock. A lack of consensus could happen in rare cases such as a rogue masternode that refuses to vote when it has a consensus task or loss of network traffic. In cases like these, no finalized lock will be formed and the network will gain consensus via standard confirmation.

If attackers gain control of the 10 Masternodes for a given block and propagate multiple conflicting messages, the network must appropriately handle the conflict. For example, an attacker that controls a large portion of masternodes might propagate a message to Merchant B and nowhere else, while propagating messages to many other nodes spending the inputs back to himself.

In this case it is suggested that conflicting messages will cancel each other out and clients wait for normal block confirmation.
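
The client-side rules from the preceding paragraphs (a lock counts only once the elected masternodes have voted, conflicting transactions and blocks are rejected against a successful lock, incomplete or conflicting locks fall back to block confirmation) can be modelled as a small state table. This is an added example, not code from the paper or the Darkcoin client: the class and method names are assumptions, votes are assumed to be signature-checked already, and consensus is assumed to mean that every elected masternode voted, which the paper implies but does not specify.

```python
from enum import Enum


class LockState(Enum):
    PENDING = 1     # lock relayed, quorum consensus not (yet) reached
    LOCKED = 2      # quorum reached consensus on exactly one txid
    CONFLICTED = 3  # quorum finalized competing txids; the locks cancel out


class LockTable:
    """One client's view of transaction locks for the current quorum."""

    def __init__(self, quorum, required_votes=None):
        self.quorum = frozenset(quorum)
        # Assumption: consensus means every elected masternode voted.
        self.required = required_votes or len(self.quorum)
        self.votes = {}  # input -> {txid: set of voters}

    def add_vote(self, voter, txid, inputs) -> bool:
        if voter not in self.quorum:
            return False  # only the elected masternodes are authoritative
        for inp in inputs:
            self.votes.setdefault(inp, {}).setdefault(txid, set()).add(voter)
        return True

    def state(self, inp):
        final = [t for t, v in self.votes.get(inp, {}).items()
                 if len(v) >= self.required]
        if len(final) == 1:
            return LockState.LOCKED, final[0]
        return (LockState.CONFLICTED if final else LockState.PENDING), None

    def accepts(self, txid, inputs) -> bool:
        """False if a transaction (or a block carrying it) spends an input
        that is successfully locked to a different transaction ID."""
        for inp in inputs:
            st, locked = self.state(inp)
            if st is LockState.LOCKED and locked != txid:
                return False
        return True

    def instantly_final(self, txid, inputs) -> bool:
        """True only when every input is locked to this exact txid; otherwise
        the client falls back to standard block confirmation."""
        return all(self.state(i) == (LockState.LOCKED, txid) for i in inputs)


QUORUM = [f"mn{i}" for i in range(10)]  # constructed quorum identifiers
```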
5 Further work
Many impressive features become possible after implementing the transaction locking system and consensus system into the Darkcoin network. These include a completely backwards compatible architecture and instantaneous transactions from client to client without waiting for a confirmation.
5.1 Transaction Lock Compatibility Mode
To enable backwards compatibility with all existing software (exchanges, pools, etc), clients will default to showing 24 hours of confirmations of transactions that have been successfully locked. This will allow all services using Darkcoin to benefit from instant transactions without having to implement anything specific.

If a client needs the daemon to function in the old way, there will be a flag to disable this mode.

In a normal situation, after a client receives new funds to a wallet, he will have to wait for one block confirmation in order to spend any of the newly available funds. When instant validation is implemented the client will react as though it has full confirmation of a transaction and allow the sending of funds with no risk to the user. This will allow a series of transactions to happen before a block event on the network using the same inputs.
6 Conclusion
Bitcoin and cryptocurrencies rely heavily on confirmation through mining to stop double spending attacks. Although a huge accomplishment in technology, it fails to compete with the near-instant transaction speed of credit cards due to their use of a centralized authority.

Fast validation of payments via transaction locking and Masternode consensus could be used to avoid having to wait for confirmation via a new block and reach speeds nearly as fast as credit cards. In most cases a transaction should be validated by the network within a few seconds of originally being broadcast.

Clients will respect the authority of the masternode network and as a result the network can come into consensus without a block event happening.

By using the Masternode network as an authority and selecting Masternodes via a deterministic algorithm based on the proof-of-work, we gain a system that gives us comparable transaction time to credit card transactions while also being tamper-resistant, backwards compatible and secure.
Revision History
Version 2
Removed the section Blockchain Size Considerations due to some feedback from users. A better method of reducing the blockchain size in the future would be Blockchain pruning.
Added some information about credit card authorizations and the analogy we're trying to make between authorizations and the feedback from the consensus network.
Version 1
Initial release
References
[Nakamoto09] Satoshi Nakamoto (2009), Bitcoin: A Peer-to-Peer Electronic Cash System
https://bitcoin.org/bitcoin.pdf
[Reuters14] Reuters (2014), Analysis - Bitcoin shows staying power as online merchants chase digital sparkle
http://uk.reuters.com/article/2014/08/28/ukusabitcoinretailersanalysisidUKKBN0GS0AQ20140828
[Karame12] Ghassan O. Karame, Elli Androulaki, Srdjan Capkun (2012), Two Bitcoins at the Price of One? Double Spending Attacks on Fast Payments in Bitcoin
https://eprint.iacr.org/2012/248.pdf
[Masternodes14] Evan Duffield (2014)
https://darkcointalk.org/threads/darkcoinupdatemasternoderequirementsmasternodepayments.225/
[Lo14] Stephanie Lo, J. Christina Wang (2014), Bitcoin as Money?
http://www.bostonfed.org/economic/currentpolicyperspectives/2014/cpp1404.pdf
[Nielsen13] Michael Nielsen, How the Bitcoin protocol actually works
http://www.michaelnielsen.org/ddi/howthebitcoinprotocolactuallyworks/
[Gnutella03] Chawathe et al. (2003), Making Gnutella-like P2P Systems Scalable
http://www.cs.cornell.edu/people/egs/cornellonly/syslunch/fall03/gnutella.pdf
[Chandra07] Chandra et al. (2007), Paxos Made Live - An Engineering Perspective
http://static.googleusercontent.com/media/research.google.com/en//archive/paxos_made_live.pdf
[Burrows06] Mike Burrows (2006), The Chubby lock service for loosely-coupled distributed systems
http://static.googleusercontent.com/media/research.google.com/en//archive/chubbyosdi06.pdf