Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013.

Published byArthur Montgomery Modified over 9 years ago

Similar presentations

Presentation on theme: "Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013."— Presentation transcript:

1 Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013

2 Requirements of Digital Currencies New methods of purchases requiring new methods of payments. Security of payments. Non ambiguous but preferably anonymous mapping between services/products and payments for them. Non repudiation

3 Types of Digital Currencies Credit/Debit cards Echecks Moneygram/Moneypack and similar services E-gold Bitcoin/Litecoin/Namecoin

4 What is Bitcoin? Crypto currency Has no central controlling authority Secure Non reversible Anonymous Based on Proof of Work

5 Bitcoin Operations Peers transfer coins to each other Each peer holds a wallet which is designated by a wallet ID A transaction is formed by digitally signing hash of all previous transactions where the specific bitcoin in question was used previously. Any peer can verify a transaction.

6 Bitcoin Transactions An electronic coin is a chain of digital signatures Each owner transfers the coin to the next by digitally signing a hash of the previous transactions and the public key of the next owner adding these to the end of the coin. A payee can verify the signature to verify the chain of ownership.

7 Bitcoin Transactions

8 Bitcoin Transactions and Double spending problems The problem however remains that a payee can not verify that the owners did not double spend this coin. The problem could be removed by designing a central coin issuing authority, but that again makes Bitcoin reliant on a central authority.

9 Bitcoin blocks and verification Transactions are included in Bitcoin blocks that are broadcasted to the entire network Bitcoin relies on a hash based Proof-of-Work (PoW) scheme to detect double spending on the same Bitcoin

10 Proof of Work The proof-of-work involves scanning for a value that when hashed, such as with SHA-256, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required and can be verified by executing a single hash.

11 Proof of Work in Bitcoin Proof-of-work is implemented by incrementing a nonce in the block until a value is found that gives the block's hash the required zero bits. Once the CPU effort has been expended to make it satisfy the proof-of-work, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.

12 Managing the size of block chain Once the latest transaction in a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. To facilitate this without breaking the block's hash, transactions are hashed in a Merkle Tree [7][2][5], with only the root included in the block's hash. Old blocks can then be compacted by stubbing off branches of the tree.

13

14 Bitcoin block generation Peers work to find a nonce value that when hashed with the Merkle hash of all valid and received transactions, the hash of the previous block and a timestamp is below a given target value. When such a nonce is found, peers then include the hash and additional fields which can then be verified by all peers on the network.

15 Bitcoin block generation Upon successful generation of a block, the generating peer is awarded 50 Bitcoins and the whole system is re-primed. The resulting block is broadcasted on the network which after verification is added to the block chain by all clients.

16 Block verification A user only needs to keep a copy of the block headers of the longest proof-of-work chain, which he can get by querying network nodes until he's convinced he has the longest chain, and obtain the Merkle branch linking the transaction to the block it's timestamped in. He can't check the transaction for himself, but by linking it to a place in the chain, he can see that a network node has accepted it, and blocks added after it further confirm the network has accepted it.

17 A bitcoin transaction

18 The attack scenario A bitcoin transaction is accepted only if majority of the clients in the network mark it as valid. As per the design of bitcoin, a transaction requires about 10 mins in the best case before it is included in a block and broadcasted for confirmation. If a merchant client accepts a transaction initially and later on gets refusal from majority of peers in the network, the attack is successful.

19 Block generation time It is possible for transactions to be delayed further depending on the difficulty of the hash being currently calculated. The complexity of the hash is adjusted based on the generation time of the previous hash.

20 Block generation times

21 Attacker Model A malicious client A forms the core of the attack model Let us assume A is trying to spend a coin B at a merchant V which she had already spend earlier. The attack will succeed if V accepts the bitcoin but can’t redeem it later on.

22 Attacker Model A requires at least another helper peer to succeed with the attack. We assume that the helper is H. The attack has a greater chance of succeeding if multiple helper peers are present in other parts of the planet.

23 The Attack A connects to V and creates a transaction T 1 with B. Since A and V are in the same network, V receives T 1 almost immediately. Since bitcoin clients accept all connections, the transaction is received.

24 The Attack A few seconds later A connects to H and transfers the same bitcoin B to H in transaction T 2. As per our assumption H is on the other side of the globe, so there is a good chance H does not know about T 1 which A had with V using B.

25 The Attack H immediately starts broadcasting T 2 in its local network and starts waiting for confirmation.

26 Success of the Attack The attack mentioned in the previous slides will succeed if: the time required for V to receive T 1 is shorter than that for T 2 the number of hosts which had included T 2 in its blockchain should be in majority.

27 Prevention of Double Spending Attack Unfortunately, there is no way to prevent this attack as the problem of time lag between a transaction and its acceptance lies in the protocol. Can contain a damage of a fraudulent transaction by limiting the number of bitcoins transferred in an unverified transaction.

28 Alternative currencies and prevention of double spending attacks Alternate currencies like Litecoin, Namecoin and PrimeCoin has been developed which has a shorter block generation time. Because SHA-256 is not used in any of the other currencies, the block generation is CPU bound. Therefore, the complexity of PoW remains under a threshold.

29 References Nakamoto, Satoshi. Bitcoin: A Peer-to-Peer Electronic Cash System. Karame, Ghassan O, Androulaki, Elli, Capkun, Srdjan, Two bit coins at the Price of One? Double-Spending Attacks on Fast Payments in Bitcoin Bitcoin wiki, https://en.bitcoin.it/wiki/Category:Technical

Download ppt "Bitcoin Double Spending Attack Karame, Androulaki & Capkun Presented by Subhro Kar CSCE 715, Fall 2013."

Similar presentations

Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Bitcoin: A New Internet Currency Stephen Clayton Senior Economic Education Specialist Federal Reserve Bank of Dallas The opinions expressed are solely.

Bitcoin: A New Internet Currency Stephen Clayton Senior Economic Education Specialist Federal Reserve Bank of Dallas The opinions expressed are solely.
Nathan Krussel.  What is a Crypto Currency  Purpose of Crypto Currency  What is Bitcoin  How does Bitcoin work  Mining BTC  How people perceive.

Nathan Krussel.  What is a Crypto Currency  Purpose of Crypto Currency  What is Bitcoin  How does Bitcoin work  Mining BTC  How people perceive.
Secure Digital Currency: Bitcoin Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the.

Secure Digital Currency: Bitcoin Amir Houmansadr CS660: Advanced Information Assurance Spring 2015 Content may be borrowed from other resources. See the.
COMS 486 Iowa State University Introduction to Bitcoin A P2P Electronic Cash System.

COMS 486 Iowa State University Introduction to Bitcoin A P2P Electronic Cash System.
Ian Miers Christina Garman | Matthew Green | Avi Rubin Zerocoin: Anonymous Distributed E-Cash from Bitcoin.

Ian Miers Christina Garman | Matthew Green | Avi Rubin Zerocoin: Anonymous Distributed E-Cash from Bitcoin.
Bitcoin. What is Bitcoin? A P2P network for electronic payments Benefits: – Low fees – No middlemen – No central authority – Can be anonymous – Each payment.

Bitcoin. What is Bitcoin? A P2P network for electronic payments Benefits: – Low fees – No middlemen – No central authority – Can be anonymous – Each payment.
Michal Kriziak MA1N0218 Financial Management The Bitcoin Currency.

Michal Kriziak MA1N0218 Financial Management The Bitcoin Currency.
Towards a More Democratic Mining in Bitcoins Goutam Paul R. C. Bose Centre for Cryptology & Security, Indian Statistical Institute Pratik Sarkar Indian.

Towards a More Democratic Mining in Bitcoins Goutam Paul R. C. Bose Centre for Cryptology & Security, Indian Statistical Institute Pratik Sarkar Indian.
Stefan Dziembowski Why do the cryptographic currencies need a solid theory? Forum Informatyki Teoretycznej, Warsaw 30.1.2015.

Stefan Dziembowski Why do the cryptographic currencies need a solid theory? Forum Informatyki Teoretycznej, Warsaw
BITCOIN An introduction to a decentralised and anonymous currency. By Andy Brodie.

BITCOIN An introduction to a decentralised and anonymous currency. By Andy Brodie.
ITIS 6010/8010: Wireless Network Security Weichao Wang.

ITIS 6010/8010: Wireless Network Security Weichao Wang.
20-763 ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS eCommerce Technology 20-763 Lecture 9 Micropayments I.

ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS eCommerce Technology Lecture 9 Micropayments I.
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Data Authentication Part II.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Data Authentication Part II.
The world’s first decentralized digital currency Meni Rosenfeld Bitcoil 29/11/2012Written by Meni Rosenfeld1.

The world’s first decentralized digital currency Meni Rosenfeld Bitcoil 29/11/2012Written by Meni Rosenfeld1.
Digital Currency Kody Myers. Definition Currency that does not exist in any physical form, but can be used similarly to physical currency while retaining.

Digital Currency Kody Myers. Definition Currency that does not exist in any physical form, but can be used similarly to physical currency while retaining.
Bitcoin (what, why and how?)

Bitcoin (what, why and how?)
BitCoin An overview. Why ? First crypto-currency.

BitCoin An overview. Why ? First crypto-currency.
Clemente-Cuervo et al. A PDA Implementation of an Off-line e-Cash Protocol.

Clemente-Cuervo et al. A PDA Implementation of an Off-line e-Cash Protocol.
Digital Cash. p2. OUTLINE  Properties  Scheme  Initialization  Creating a Coin  Spending the Coin  Depositing the Coin  Fraud Control  Anonymity.

Digital Cash. p2. OUTLINE  Properties  Scheme  Initialization  Creating a Coin  Spending the Coin  Depositing the Coin  Fraud Control  Anonymity.

Similar presentations

Ads by Google