TransactionLockingandMasternodeConsensus:

AMechanismforMitigatingDoubleSpendingAttacks
Documentversion:2,publishedSeptember22nd,2014

EvanDuffieldevan@darkcoin.io
HolgerSchinzelholger@darkcoin.qa
FernandoGutierrezgutierrezf@gmail.com

Abstract. Bitcoin and other cryptographic currencies use a distributed system

called the blockchain to gain consensus across the network [Nielsen13]. To
protect against double spending attacks, vendors and other merchants usually
wait for confirmation from a block that the transaction being sent was valid. A
double spend is where an attacker sends two competing transactions, one of
thempromisedtoamerchant(oranyotherparty),theotherbacktohimself.

In Bitcoin a standard confirmation event on average takes 10 minutes.

Depending on the needed level of security required, a merchant can require
multipleoftheseevents,takingbetween30and60minutesintotal.

In this paper, we explore a solution to a long standing issue with Bitcoin and
other cryptographic currencies, the ability to enable instant validation of
paymentswithouthavingtowaitforblockchainconfirmation.

1 Introduction

Inventedin2009,Bitcoin[Nakamoto09]isadecentralizedpeertopeerpaymentsystemcreated
bySatoshiNakamoto.Bitcoinhasbeensteadilygainingpopularitysinceitsintroductionin2009
andhasbeenadoptedsuccessfullybymanymerchants[Reuters14].WhileBitcoinhasbeen
greatlysuccessful,ithasonemainsignificantdisadvantagetoitslargestcompetitor,credit
cards.Inpointofsaletransactions,creditcardscanhavenearlyinstantaneousauthorizationof
payment,whereastogetfinalityinaBitcointransactiononemustwaitforblockchain
confirmation.WithCreditCards,anauthorityiscontactedtowhenmakingapurchasethat
resultsinabuyersmoneybeinghelduntilitclearslater.Incontrast,Bitcoinclientsblindly
propagatemessagestheybelievearecorrectwhilegettingnofeedbackfromthenetwork.

DarkcoinisaprivacycentriccryptocurrencybasedontheworkofSatoshiNakamotoand
includesvariousimprovementstothetechnologyfirstimplementedintheBitcoinclient.These
improvementsincludeenhancedprivacyfeaturesandanetworkthatisincentivizedtoprovide
services[Duffield14].

Inthispaperwewillintroducethemasternodenetworkasobservernetwork,utilisinga
distributedconsensusandlockingalgorithmTXlockingtosecureunconfirmedtransactions.
Theobservernetworkreportsontransactionsgrantingtheyafinalizedstatusimmediatelyafter
theiroriginalpropagation.Furtherwewilldiscussattackvectorsandhowthemasternode
networkwillmitigatethese.

2 Masternode Network

MasternodeswereoriginallyintroducedtoDarkcoinasengineeringefforttosupportthemixing
processusedinDarkcoinsDarkSendimplementation.Theoriginalrequirementswere
describedinApril2014byEvanDuffield:

ThesenodesarethefoundationofDarkSend,alltransactionswillberoutedthroughthese
nodes.Eachmasternoderequiresthat1000DRKbekeptonthenodeandeachtimethatnodeis
selectedthenetworkwilldedicate10%[Asofthiswriting,therewardhasbeenchangedto20%]
ofthatblocktothesenodes.Ifyouarerunningamasternodeyouneedtobefairlyfamiliarwith
networkadministrationandsecuringyourhost.[Masternodes]

WhenrunningaMasternode,usersstoretheDarkcoinassomethingakintocollateral,although
unliketraditionalcollateral,theDarkcoinneverleavestheuserspossessionandhasnochance
ofbeingforfeited.Itcanbemovedorspentatanytimebytheuserdoingsosimplyremoves
theMasternodefromserviceandmakesitineligibletoreceiverewards.

AnadditiontothecoreprotocolismadetosupportasecondP2Pnetwork,whichpropagates
messagessynchronizingalistofallknownMasternodesacrossthenetwork.Inresult,allclients
onthenetworkknowaboutallMasternodesandcanutilizetheirservicesatanytime.

UnlikeGnutella[Gnutella]whichusesahierarchicalnetworkofclientnodeandsupernodes,
whereclientnodesonlymakeaconnectiontoonesupernode(figure1),Masternodesand
normalpeersareequalintheirconnectionbehaviour,formingaclassicalP2Pnetwork.

Figure1:AP2Psupernodenetwork

Figure2:DarkcoinMasternodeNetwork

Runningtheappropriatepeersoftware(wallet)andmatchingtherequirements(staticIP,1000
DRKvin)actuallyeachnode/peercanturnintoamasternode.

AlbeittheoriginalintentionofMasternodeswastofacilitatethemixingofcoins,havinganetwork
ofincentivizedpeersopensthepossibilityforfurtherapplications.

3 Transaction Locking

Inlargescaledistributedsystems(likeDarkcoin)itisacommonproblemhowtoensurethat
onlyonepeeracrossalargenumberofpeersactsonaresource(coins).Solutionstothat
challengeinvolvedifferentkindsofconsensusalgorithmslikee.g.Paxos[Chandra07].

Bitcoinusesproofofworktomaintainconsensusthroughoutitsnetworkofpeers.Duetoits
technicalparametersthislimitsthespeedatwhichatransactioncanbeconsideredconfirmed
andsafeagainstdoublespendattacks.

Todecreasethetimeatransactionneedstobeconfirmeditspossibletolowertheblock
generationtime.whichhasthedrawbackofblockchainbloatandhasalowerboundaryof~30
secondsduetonetworklatency.

Weareproposingtocombinetheproofofworkalgorithmwithanimplementationofadistributed
lockmanager(DLM)whichwillutilisethemasternodenetwork:TransactionLocking.

IncontrasttoChubby[Burrows06]whichisprovidinglocksonfileresources,wewillbe
implementingaframeworkforlockingDarkcoininputs.

LocallywhenusingDarkcoin,theclientcanlockinputsinthewalletfrombeingusedelsewhere.
InmostcasesthisisdoneinspecificimplementationsthatusetheRPCAPIoftheclientto
makemanualtransactions.

Theconceptoftransactionlockingcanbefurtherextendedtolockinputsacrosstheentire
network,ratherthanjustlocallylikemostcryptocurrencyimplementations.Suchan
implementationmustovercomeconsensusissuesandraceconditionstosuccessfullystop
doublespendingattacks.
3.1 Solution To Double Spending via Transaction Locking

Inmostimplementationsitisrecommendedthatmerchantshavesomeformofdoublespending
protection.Thiscanbeaccomplishedbyhavingclientsactingasanobserveronthenetwork
andreportingbacktothemerchantwhentheyseedoublespendingattacks[Karame12].Inour
solutionweproposeusingthemasternodenetworkasobserversandextendingtheprotocolto
giveasetofmasternodestheabilitytobetheauthorityontransactions.

Transactionlockingisaconceptwhereaclientsendsthenetworkanintentiontolockfundsfrom
aspecificinputtoaspecificoutput(ormultipleofeach).Thisisdonebyrelayinganobject
consistingofafulltransactionandthelockingcommand.Theuserwillsignamessageusingthe
input(s),andrelaythemessagethroughoutthenetwork.

TransactionLock:(txlock,CTransaction,nBlockHeight,SignedMessage)

LockingmessageswillpropagateacrossthewholeDarkcoinnetworkandreachallclients.
Oncethelockhasreachedeveryone,asetofdeterministicallyselectedmasternodeswillforma
consensus.Next,uponasuccessfulconsensus,amessagewillbebroadcastedacrossthe
networkandatthispointallclientswillrespectthelockonthefunds.

3.1 Masternode Locking Authority and Consensus

Byutilizingthemasternodenetwork,wecangainadegreeofcertaintythatthetransactionin
questionisvalidandwillbeacceptedintotheblockchainafterthat.Immediatelyafterthe
propagationofalock,theselectedmasternodeswillbegintovoteonthevalidityofthe
transactionlock.

IfconsensusisreachedonalockbytheMasternodenetwork,allconflictingtransactionswould
berejectedthereafter,unlesstheymatchedtheexacttransactionIDofthelockinplace.Clients
wouldbetaskedwithclearingoutconflictinglocksandpossiblyreversingattackertransactions.
Thiswouldonlyhappeninacasewhereanattackersubmittedmultiplelockstothenetworkat
onceandthenetworkformedconsensusononebutnottheother.

Ifnoconsensusisreached,standardconfirmationwillberequiredtoassurethatatransactionis
valid.

3.2 Election Algorithm and Voting

Aspecialdeterministicalgorithmisusedtodetermineapseudorandomorderingofthe
masternodes.Byusingthehashfromtheproofofworkforeachblock,securityofthis
functionalitywillbeprovidedbytheminingnetwork.

PseudoCode,forselectingamasternode:

For(mastenodeinmasternodes){
n=masternode.CalculateScore()

if(n>best_score){
best_score=n
winning_node=masternode
}
}

CMasterNode::CalculateScore(){
n1=GetProofOfWorkHash(nBlockHeight)//getthehashofthisblock
n2=x11(n1)//hashthePOWhashtoincreasetheentropy
n3=abs(n2masternode_vin)

returnn3
}

Ineachroundofvoting,awinningMasternodeischosentocarryoutDarksendtransactions.
Thisprocessiscarriedoutbytheindividualnodesacrossthenetworkindependentlyusingthe
Masternodeelectionalgorithm.ThisalgorithmchoosesawinningnodeforDarksend,butthereis
alsoarunnerup,third,fourth,fifthplace,etc.

Utilizingthiscode,wecanmakeadeterministiclistoftheMasternodesthatwillactasthe
authorityforthetransactionlock.Thesewillbethesamenodesacrossthenetworkandtheywill
voteonthevalidityofthetransactionlockinquestion.Foreachblock,acompletelydifferentlist
of10nodeswillbechosentobetheauthority.

Figure3:GainingConsensusonTransactionLocksviatheMasternodeNetwork

3.3 An Example Transaction

1. User A sends a transaction for 27 DRK for a widget from merchant B
using a locked transaction message.
2. The transaction is propagated to the whole network and eventually reach
a set of elected authority nodes.
3. The authority nodes collectively send messages to the network , forming
a consensus about the validating the transaction and each sign a
"consensus transaction" message, which is propagated to the network.
4. When a node sees all consensus messages, they can consider the
transaction confirmed.
4 Security

Inordertosecurethenetworkfromattack,wemustmitigateattackssuchas:
Sybilattack
Finneyattack
Transactionlockraceattack
Multipleconsensusmessages

4.1 Attacking The Consensus System via Sybil attack

Theprobabilityofwinningtheelectionwillbe1inNMasternodes.Currentlythenetworkis
supportedby895Masternodes.EachMasternodehasaprobabilityof1inNofwinningthe
election.Thereforetoattackthenetwork,itwillrequiretheelectionprocesstoselectallofthe
attackersMasternodes.

Wewillconsiderattackonthetransactionlockingsystembypurchasingmasternodesinorder
torigthevotingsystem.Forsimplicitywewilluseanetworkconsistingof1000masternodes.
CurrentlytheDarkcoinnetworkhas895activeMasternodes.

Probabilitiesofattackcanbecalculatedbythechanceofamasternodebeingselectedasthe
winningnodeforagivenblock(1/1000).Tosubvertthesystemanattackerwouldrequire
operatingalltenmasternodesthatwonagivenelection.

Atacostof1000DRKpermasternode,itsexpensivetoattempttoattackthetransactionlocking
system.Togainaprobabilityof1.72%ofbeingselectedforaspecificblock,onehastocontrol
oftheMasternodenetwork(seeTable1formoreinformation).Togaincontrolofofthe
network,anattackerwouldneedtopurchase2000masternodes(requiringthepurchaseof2
millionDarkcoin).

AttackerControlled
Masternodes/Total
Masternodes
Probabilityofsuccess
((r i ))/(t i )))
n
i=1
( 1 ( 1
DarkcoinRequired
10/1010 3.44e24 10,000DRK
100/1100 2.52e11 100,000DRK
1000/2000 9.55e03 1,000,000DRK
2000/3000 1.72e02 2,000,000DRK

Table1.TheprobabilityofasuccessfulattackgiventheattackercontrolsNNodes.

Where:
nisthelengthofthechainofmasternodes
tisthetotalnumberofmasternodesinthenetwork
risthenumberofroguemasternodescontrolledbytheattackeranditis n
Theselectionofmasternodesisrandom

ConsideringthelimitedsupplyofDarkcoin(4.6millionatthetimeofwriting)andthelowliquidity
availableonthemarket,itbecomesanimpossibilitytoattainalargeenoughtosupplyto
succeedatsuchanattack.

Inthecaseofanattackerattemptingtorigthevotingsysteminfavorofthewrongtransaction
lock(i.e.thelockthatisntpropagatedacrosstherestofthenetwork),thenetworkwillforman
irreversiblelockcausingthetransactiontothemerchanttobeinvalidated.Themerchantsclient
inquestionwillpermanentlyshowanunconfirmedtransactionduetoadoublespendandwill
nevershowthetransactionwasinstantlyvalidated.

4.2 Finney Attacks

InaFinneyAttack
9
,anattackerminesablocksnormally,intheblockheistryingtominehe
includesatransactionwherehesendscoinsbacktohimself.Whenhesuccessfullyfindsa
block,hedoesnotbroadcasttheblock,butinsteadhesendscoinstoamerchantforgoodsor
services.Immediatelyafterthegoodsorserviceshavebeenproducedandbeforethenetwork
hasproducedthenextblocktheattackerbroadcastshisblockoverridingthepaymenthejust
made.

TostopaFinneyAttackfromsucceeding,thenetworkmustbecapableofrejectingblocksthat
violateexistingtransactionlocks.Theymustalsobeabletodifferentiatebetweenatransaction
lockonagiventransactionandasuccessfullylockedtransactionviatheMasternodenetwork
lockingconsensussystem.Onlywhentheelectedmasternodeshaverelayedthelockforthe
giventransactionisittobeconsideredsuccessfullylockedandablockwithaconflicting
transactionrejected.

4.3 Transaction Locking Race Attack

Inatransactionlockingraceattackaclientwouldsubmittwocompetinglockstothenetwork.
Onepromisingmoneytothemerchantandtheothertohimself.Toimprovetheprobabilityofa
successfulattack,theattackerwouldsubmitatransactionlockingcommanddirectlytothe
electedmasternodesmakingsuretheypropagatethatthemerchantwillreceivethemoneywhile
atthesametimepropagatingacompetinglocktosendthemoneybacktotheirownwallet.

Inanattacklikethisone,thenetworkwouldbesplitbetweentwovalidtransactionsuntilthe
winningmasternodespropagatedtheirvotesforthecorrectlock.Allclientsonthenetworkwould
thenremovetheinvalidtransactionandtakethevalidoneintotheirmemorypool.Thiswould
happenveryquickly,inthematterofafewsecondsinmostcases.

4.4 Incomplete Locks

AnincompletelockhappenswhentheMasternodenetworklacksconsensusaboutaspecific
lock.Alackofconsensuscouldhappeninrarecasessuchasaroguemasternodethatrefuses
tovotewhenithasaconsensustaskorlossofnetworktraffic.Incaseslikethese,nofinalized
lockwillbeformedandthenetworkwillgainconsensusviastandardconfirmation.

4.5 Multiple Consensus Messages

Ifattackersgaincontrolofthe10Masternodesforagivenblockandpropagatemultiple
conflictingmessages,thenetworkmustappropriatelyhandletheconflict.Forexample,an
attackerthatcontrolsalargeportionofmasternodesmightpropagateamessagetoMerchantB
andnowhereelse,whilepropagatingamessagestomanyothernodesspendingtheinputsback
tohimself.

Inthiscaseitissuggestedthatconflictingmessageswillcanceleachotheroutandclientswait
fornormalblockconfirmation.

5 Further work

Manyimpressivefeaturesbecomepossibleafterimplementingthetransactionlockingsystem
andconsensussystemintotheDarkcoinnetwork.Theseincludeacompletelybackwards
compatiblearchitectureandinstantaneoustransactionsfromclienttoclientwithoutwaitingfora
confirmation.
5.1 Transaction Lock Compatibility Mode

Toenablebackwardscompatibilitywithallexistingsoftware(exchanges,pools,etc),clientswill
defaulttoshowing24hoursofconfirmationsoftransactionsthathavebeensuccessfullylocked.
ThiswillprovideallservicesusingDarkcointobenefitfrominstanttransactionswithouthavingto
implementanythingspecific.

Ifaclientneedsthedaemontofunctionintheoldway,therewillbeaflagtodisablethismode.

5.2 No Wait Client-To-Client Transactions

Inanormalsituation,afteraclientreceivesnewfundstoawallet,hewillhavetowaitforone
blockconfirmationinordertospendanyofthenewlyavailablefunds.Wheninstantvalidationis
implementedtheclientwillreactasthoughithasfullconfirmationofatransactionandallowthe
sendingoffundswithnorisktotheuser.Thiswillallowaseriesoftransactionstohappenbefore
ablockeventonthenetworkusingthesameinputs.

6 Conclusion

Bitcoinandcryptocurrenciesrelyheavilyonconfirmationthroughminingtostopdouble
spendingattacks.Although,ahugeaccomplishmentintechnology,itfailstocompetewiththe
nearinstanttransactionspeedofcreditcardsduetotheiruseofacentralizedauthority.

FastvalidationofpaymentsviatransactionlockingandMasternodeconsensuscouldbeusedto
avoidhavingtowaitforconfirmationviaanewblockandreachspeedsnearlyasfastascredit
cards.Inmostcasesatransactionshouldbevalidatedbythenetworkwithinafewsecondsof
originallybeingbroadcasted.

Clientswillrespecttheauthorityofthemasternodenetworkandasaresultthenetworkcan
comeintoconsensuswithoutablockeventhappening.

ByusingtheMasternodenetworkasanauthorityandselectingMasternodesviaadeterministic
algorithmpoweredbasedontheproofofwork,wegainasystemthatgivesuscomparable
transactiontimetoacreditcardtransactionswhilealsobeingtamperresistant,backwards
compatibleandsecure.

Revision History

Version2
RemovedthesectionBlockchainSizeConsiderationsduetosomefeedbackleading
fromusers.Abettermethodofreducingtheblockchainsizeinthefuturewouldbe
Blockchainpruning.
Addedsomeinformationaboutcreditcardauthorizationsandtheanalogyweretryingto
makingbetweenauthorizationsandthefeedbackfromtheconsensusnetwork.

Version1
Initialrelease

References

[Nakamoto09]SatoshiNakamoto(2009),Bitcoin:APeertoPeerElectronicCashSystem
https://bitcoin.org/bitcoin.pdf

[Reuters14]Reuters(2014),AnalysisBitcoinshowsstayingpowerasonlinemerchantschasedigitalsparkle
http://uk.reuters.com/article/2014/08/28/ukusabitcoinretailersanalysisidUKKBN0GS0AQ20140828

[Karame12]GhassanO.Karame,ElliAndroulaki,SrdjanCapkun(2012):TwoBitcoinsatthePriceofOne?
DoubleSpendingAttacksonFastPaymentsinBitcoin
https://eprint.iacr.org/2012/248.pdf

[Duffield14]EvanDuffield(2014):Darkcoin:Peer toPeerCrypto CurrencywithAnonymousBlockchain

TransactionsandanImprovedProof of WorkSystem
https://www.darkcoin.io/downloads/DarkcoinWhitepaper.pdf

[Masternodes14]EvanDuffield(2014):
https://darkcointalk.org/threads/darkcoinupdatemasternoderequirementsmasternodepayments.225/

[Lo14]StephanieLo,J.ChristinaWang(2014)BitcoinasMoney?
http://www.bostonfed.org/economic/currentpolicyperspectives/2014/cpp1404.pdf

[Nielsen13]MichaelNielsen,HowtheBitcoinprotocolactuallyworks
http://www.michaelnielsen.org/ddi/howthebitcoinprotocolactuallyworks/

[Gnutella03]Chawatheet.al.(2003),MakingGnutellalikeP2PSystemsScalable
http://www.cs.cornell.edu/people/egs/cornellonly/syslunch/fall03/gnutella.pdf

[Chandra07]Chandraet.al.(2007),PaxosMadeLiveAnEngineeringPerspective
http://static.googleusercontent.com/media/research.google.com/en//archive/paxos_made_live.pdf

[Burrows06]MikeBurrows(2006),TheChubbylockserviceforlooselycoupleddistributedsystems
http://static.googleusercontent.com/media/research.google.com/en//archive/chubbyosdi06.pdf