Distributed Double Spending Prevention
We study the problem of preventing double spending in electronic payment schemes in a distributed fashion. This problem occurs, for instance, when the spending of electronic coins needs to be controlled by a large collection of nodes (eg. in a peer-t…
Authors: Jaap-Henk Hoepman
Distributed Double Spending Prevention ⋆

Jaap-Henk Hoepman
TNO Information and Communication Technology, P.O. Box 1416, 9701 BK Groningen, The Netherlands, jaap-henk.hoepman@tno.nl
and Institute for Computing and Information Sciences, Radboud University Nijmegen, P.O. Box 9010, 6500 GL Nijmegen, the Netherlands, jhh@cs.ru.nl

Abstract. We study the problem of preventing double spending in electronic payment schemes in a distributed fashion. This problem occurs, for instance, when the spending of electronic coins needs to be controlled by a large collection of nodes (e.g., in a peer-to-peer (P2P) system) instead of one central bank. Contrary to the commonly held belief that this is fundamentally impossible, we propose several solutions that do achieve a reasonable level of double spending prevention, and analyse their efficiency under varying assumptions.

1 Introduction

Many electronic payment schemes exist. For an overview, we refer to Asokan et al. [AJSW97] or O'Mahony et al. [OPT97]. Some of those are coin based, where some bitstring locally stored by a user represents a certain fixed value. Coin based systems run the risk that many copies of the same bitstring are spent at different merchants. Therefore, these systems need to incorporate double spending prevention or detection techniques. To prevent double spending, a central bank is usually assumed which is involved in each and every transaction. In off-line scenarios (where such a connection to a central bank is not available), double spending detection techniques are used that will discover double spending at some later time, and that allow one to find the perpetrator of this illegal activity. A major drawback of double spending detection techniques is the risk that a dishonest user spends a single coin a million times in a short period of time before being detected.
This is especially a problem if such a user cannot be punished for such behaviour afterwards, e.g., fined, penalised judicially, or being kicked from the system permanently.

⋆ This research is/was partially supported by the research program Sentinels (www.sentinels.nl), project JASON (NIT.6677). Sentinels is being financed by Technology Foundation STW, the Netherlands Organization for Scientific Research (NWO), and the Dutch Ministry of Economic Affairs.
Id: double-spending.tex 18 2008-02-06 14:01:34Z jhh

Recently, the use of electronic-payment-like systems has been proposed [1] to counter SPAM [Hir02] or to enforce fairness among users of peer-to-peer (P2P) networks [YGM03, VCS03, GH05]. In such systems it is unreasonable to assume a central bank, either because it does not exist, or because it would go against the design philosophy of the system (as is the case for P2P networks). At first sight it then appears to be impossible to prevent double spending. This would limit the usefulness of such approaches because of the rapid double spending problem described above: users can easily rejoin a P2P system under a different alias and continue their bad practices forever. In [GH05] we wrote:

We note that for any system offering off-line currency, double-spending prevention is generally speaking not possible, unless extra assumptions (e.g., special tamper proof hardware) are made.

In that paper, in fact, we were not considering a completely off-line system, but a decentralised system without a central bank instead. The difference turns out to be decisive.
In a truly off-line system (where the receiver of a coin has no network access to perform any kind of checking, and where the spender of a coin is not forced to adhere to a security policy through some kind of tamper proof hardware [SS99]) the chances of double spending prevention are slim. We soon after realised, however, that the situation is not so bad in an on-line but decentralised system without a central bank. The crucial observation is that it may be impossible, or very expensive, to prevent every possible double spending of a coin (i.e., a deterministic approach), but that it may very well be possible to prevent that a particular coin is double spent many times, using efficient randomised techniques. Even such a weaker guarantee limits the damage an adversary can do. In other words, the main paradigm shift is the realisation that double spending a single coin twice is not so bad, but spending it a hundred times should be impossible. Of course, such a probabilistic and limited security property may not be strong enough for the protection of 'real' money. It may, however, be quite workable for currencies used to enforce fairness among P2P users. In this paper we study several such techniques for distributed double spending prevention.

We focus in this paper on methods to distribute the tasks of the central bank over (a subset of) the nodes in the system. An extreme case would be the distribution of the central bank over all nodes in the system, making everyone a clerk working for the bank. This would lead to an enormous communication overhead, as all n nodes in the system would have to be contacted for each and every transaction. We study techniques to reduce the size of such clerk sets, mainly in probabilistic ways, while still keeping reasonable double-spending prevention guarantees.
[1] America Online and Yahoo announce introduction of electronic postage for email messages ("Postage is Due for Companies Sending E-Mail", New York Times, February 5, 2006).

Next to a deterministic approach, there are two fundamentally different ways to construct the clerk sets in a probabilistic manner. The most efficient method (yielding the smallest clerk sets) uses the unique identifier of a coin to limit the possible members of the clerk set in advance. In this model, certain clerks attract certain coins, making it far more likely that double spending is detected. The drawback is that given a particular coin these clerks are known beforehand. This means the adversary has advance knowledge regarding the clerks that it needs to bribe in order to be able to double spend a particular coin. In certain situations this may be undesirable. Therefore we also study the less efficient case where the clerks are selected uniformly at random.

1.1 Our results

We prove the following results, where n is the total number of nodes, f is the total number of dishonest nodes, d is the number of dishonest nodes that may be corrupted by the adversary after they join the network, and s is the security parameter (see Section 2 for details). Deterministic double spending prevention can be achieved with clerk sets of size $2\sqrt{n(f+1)}$. Using randomisation double spending can be prevented with clerk sets of size at least $\sqrt{\frac{ns}{\log e\,(1-f/n)}}$. If we require that double spending only needs to be detected when a single coin is double spent at least r times [2], we need clerk sets of size at least $\sqrt{2ns/r}$ when f = 1 (i.e., if only the double-spender itself is dishonest) and $\sqrt{\frac{ns}{\log e\,(1-f/n)\,r}}$ when f > 1.
Note that it is indeed interesting to consider the f = 1 case separately, because it corresponds to the situation where nodes in the clerk sets have no incentive to collaborate with the double spender to let him get away undetected, and is closely related to the selfish but rational models used in game theoretic analysis of security protocols (cf. [IML05]). Finally we prove that, making use of the coin identifier to construct coin specific clerk spaces of size β at least $d + s\log((n-d)/(f-d))$, clerk sets sampled from this space of size at least $\frac{\beta}{r\log e}\,(s + 1 + \log(r+2))$ suffice to detect a coin that is double spent at least r times.

These results tell us the following. Deterministically, clerk sets that have $\sqrt{nf}$ nodes suffice. For any reasonable f this is unworkable. Using randomisation, $\sqrt{n/(1-f/n)}$ is good enough. For decent fractions of faulty nodes (e.g., f/n = 1/2) this stays $O(\sqrt{n})$. When we relax the double spending detection requirement and allow up to r double spendings to be undetected, clerk sets can be further reduced by a $\sqrt{r}$ factor. Finally, if we use information stored in the coin, the size of the clerk sets becomes independent of the size of the network, depending only on the inverse ratio n/f of faulty nodes, and the number of corruptible nodes d.

[2] r denotes the number of times a coin is double spent. To be precise, when a node spends the same coin x times, then r = x − 1.

1.2 Related research

The deterministic variant of distributed double spending prevention, i.e., the one where double spending is always prevented, is equivalent to the problem of distributing a database over n nodes, f of which may be faulty. Quorum systems (cf. [MR98, MRWW01]) have been studied as an abstraction of this problem, to increase the availability and efficiency of replicated data.
A quorum system is a set of subsets (called quorums) of servers such that every two subsets intersect. This intersection property guarantees that if a write-operation is performed at one quorum, and later a read-operation is performed at another quorum, then there is some server that observes both operations and therefore is able to provide the up-to-date value to the reader. The clerk sets in our work correspond to the quorums in that line of research. We do note however that the relaxation of allowing up to r double spendings to occur is not covered by the work on quorum systems.

Our approach is in a sense a dual to the one advocated by Jarecki and Odlyzko [JO97] (and similarly by Yacobi [Yac99]), in which double spending is prevented probabilistically and efficiently by checking a payment with the central bank only with some probability (instead of always).

1.3 Structure of the paper

The paper is organised as follows. We first describe the model and the basic system architecture in Section 2. This fixes the way coins are represented and spent among nodes, and describes how clerk sets are used to detect double spending. This architecture is independent of how the clerk sets are constructed. Different construction methods yield different performance, as described in the sections following. It is exactly these combinatorial constructions that are the main contributions of this paper. We analyse the performance of fixed clerk sets in Section 3, followed by the analysis of randomly chosen clerk sets in Section 4. Next, in Section 5, we study what happens if we allow coins to be double spent more often, up to a certain limit r. Then, in Section 6 we discuss ways to further reduce the size of the clerk sets by making use of information in the coin. We conclude with a thorough discussion of our results in Section 7.
2 Model and notation

We assume a distributed system consisting of n nodes, at most f of which are dishonest. The dishonest nodes are under the control of the adversary. If the system is a peer-to-peer (P2P) overlay network, the nodes receive a random identifier when joining. This identifier is not under the control of the adversary. The adversary may, however, be able to compromise d out of the f dishonest nodes after joining the network, i.e., it may compromise at most d nodes for which it knows the P2P identifier [3]. Each node owns a pair of public and private keys. A signature $[m]_i$ of node i on a message m can be verified by all other nodes. We let log denote the logarithm base 2.

The system handles coins, that are uniquely identified by a coin identifier cid. Valid coin identifiers cannot 'easily' be generated by nodes themselves. Nodes can distinguish valid coins from invalid ones. A detailed discussion on how nodes initially obtain such coins lies outside the scope of this paper. But to argue the viability of our approach, we briefly mention the following two options. Coins could, for instance, be distributed initially by a central authority. In this case, the coin identifier incorporates a digital signature from this authority. Or they could be generated by the nodes themselves by finding collisions in a hash function h (cf. [GH05]). Then, the coin identifier contains the pair x, y such that h(x) = h(y).

Nodes communicate by exchanging messages. We assume a completely connected network, or a suitable routing overlay. The network is asynchronous. In particular, coins may be spent concurrently. The network is static: no nodes join or leave the network once the system runs.
All in all these are quite strong assumptions (a static network, with a network wide PKI, and a point-to-point communication substrate), but not unreasonably so. In any case, they allow us to focus on the main research issue: the combinatorial analysis of distributing the task of an otherwise centralised bank over the nodes of a distributed system, such that double spending is prevented.

The adversary tries to double spend a single coin at least r times (when a node spends a single coin x times, then r = x − 1). We say the system is secure with security parameter s if the adversary must perform an expected $O(2^s)$ amount of work in order to be successful. We show this by proving that the probability of success for the adversary for a single try is at most $2^{-s}$.

We note that we do not consider denial of service attacks, for example attacks where the clerk sets receive polluted information from dishonest nodes to invalidate coins held by honest nodes.

2.1 Distributing the bank

Throughout the paper we assume the following system architecture to distribute the bank over the nodes in the network. A coin is uniquely determined by its coin-id cid. Spending a coin $c_i$ transfers ownership of that coin from a sender s to a receiver r. We use the following method (also depicted in Figure 1): the receiver sends a nonce z to the sender, who then signs the coin, together with the nonce and the name of the receiver, sending the result $c_{i+1} = [c_i, z, r]_s$ back to the receiver.

[3] This distinction between f and d turns out to be only significant in the case where coin identifiers are used to restrict the size of the clerk sets.

Fig. 1 (participants: sender s, receiver r, clerks b):
  Receiver r: generate nonce z; send z to the sender.
  Sender s: spend coin c: send $[c_i, z, r]_s$ to the receiver; delete coin c.
  Receiver r: receive $c_{i+1}$; verify nonce and signature.
  Receiver r: obtain $B_{r,c_{i+1}}$; set $C = \emptyset$; for each $b \in B_{r,c_{i+1}}$ send $c_{i+1}$ to clerk b.
  Clerk b: look up $cid(c_{i+1})$ in $DB_b$; insert $c_{i+1}$ in $DB_b$; return $C' = \{c \in DB_b \mid cid(c) = cid(c_{i+1})\}$ to the receiver.
  Receiver r: add each $C'$ to C; when all $C'$ are received, accept if $c \Rightarrow c_{i+1}$ for all $c \in C$.
Fig. 1. Coin spending and detection protocol.

We call $c_i$ the immediate prefix of $c_{i+1}$ (denoted $c_i \to c_{i+1}$), and require that s equals the receiver of $c_i$ (otherwise $c_i$ should not have been in the possession of s in the first place). An unspent coin simply corresponds to its coin-id cid. c is a prefix of c', denoted $c \Rightarrow c'$, if there is a sequence of coins $c_0, \ldots, c_k$, k > 0, such that $c = c_0$, $c_k = c'$ and $c_i \to c_{i+1}$ for all $0 \le i < k$. The coin-id cid(c) of a coin equals its shortest prefix, or c itself if no prefix exists.

So called clerk sets are used to verify the validity of a coin. These clerk sets consist of nodes in the network that simulate a bank in a distributed fashion. The selection of nodes that are member of a clerk set $B_{r,c}$ can be either done deterministically or randomly, and may depend on both the node r accepting the coin and the coin identifier cid(c) of the coin being accepted. To perform their duties, the nodes in a clerk set store the history of coins. When a receiver r receives a coin c, it first verifies the signature, the nonce, and the sender. It then requests from each clerk in the clerk set $B_{r,c}$ all coins with coin-id cid(c) that it stores. At the same time, the clerks store c. These two steps are one atomic operation. If all coins r receives from its clerk set are proper prefixes of c, it accepts the coin. Otherwise it rejects the coin.

We note that the size of a coin increases every time it is spent, because of the signature that must be added. Similarly, the set of coins stored by the clerk sets grows without bounds.
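The protocol of Figure 1 and the prefix check it relies on, simulated in Python as an added example (this is not code from the paper). Signatures are replaced by a plain signer field, clerk sets are given explicitly, and node and coin names are constructed; a dishonest clerk models a clerk under the adversary's control that reports an empty history.

```python
"""Simulation of the coin spending and detection protocol of Figure 1.

A coin is a tuple of records: record 0 is ("issue", cid, first_owner) and every
spend appends ("spend", nonce, receiver, signer).  The signer field stands in for
the signature [c_i, z, r]_s; real signatures and key handling are not modelled.
"""


def cid(coin):
    """Coin identifier: the shortest prefix of the chain, i.e. the issue record."""
    return coin[0][1]


def owner(coin):
    """Current owner: the receiver of the last record (the first owner if unspent)."""
    return coin[-1][2]


def is_prefix(c, c2):
    """c => c2 (proper prefix): c2 extends the transfer chain c by at least one spend."""
    return len(c) < len(c2) and c2[:len(c)] == c


def spend(coin, sender, receiver, nonce):
    """Sender side of Figure 1: sign (c_i, z, r).  A cheating sender calls this
    twice with copies of the same coin; nothing here stops it from doing so."""
    return coin + (("spend", nonce, receiver, sender),)


class Clerk:
    """A node acting as clerk; DB_b holds every coin it has been asked about."""

    def __init__(self, name, honest=True):
        self.name, self.honest, self.db = name, honest, []

    def lookup_and_store(self, coin):
        """Atomic lookup-then-insert of Figure 1: report C' = {c in DB_b | cid(c) = cid(coin)}.
        A dishonest clerk (under the adversary's control) reports an empty history."""
        found = [c for c in self.db if cid(c) == cid(coin)]
        self.db.append(coin)
        return found if self.honest else []


def accept(receiver, coin, nonce, clerk_set):
    """Receiver side of Figure 1.  Returns True iff the coin is accepted."""
    kind, z, rcv, signer = coin[-1]
    prefix = coin[:-1]
    # Verify the nonce, that the coin names this receiver, and that the signer
    # was the owner of the prefix (the signature check of the protocol).
    if kind != "spend" or z != nonce or rcv != receiver or signer != owner(prefix):
        return False
    reported = []
    for clerk in clerk_set:          # query every clerk in B_{r,c}
        reported += clerk.lookup_and_store(coin)
    # Accept only if everything the clerks know about this cid is a proper prefix.
    return all(is_prefix(c, coin) for c in reported)


def double_spend_scenario(shared_clerk_honest):
    """Property 2.1: q spends one coin at both j and k, whose clerk sets share a
    single clerk.  Returns (accepted at j, accepted at k)."""
    shared = Clerk("b0", honest=shared_clerk_honest)
    b_j = [Clerk("b1"), shared]                  # B_{j,c}
    b_k = [shared, Clerk("b2")]                  # B_{k,c}; the intersection is {b0}
    coin = (("issue", "cid-42", "q"),)           # constructed sample coin, issued to q
    c_j = spend(coin, "q", "j", nonce=1001)      # q spends the coin at j ...
    c_k = spend(coin, "q", "k", nonce=2002)      # ... and a copy of it at k
    return accept("j", c_j, 1001, b_j), accept("k", c_k, 2002, b_k)


def honest_chain_scenario():
    """Legitimate transfers q -> j -> k through overlapping clerk sets: the clerks'
    stored history is a proper prefix of each new coin, so both spends are accepted."""
    shared = Clerk("b0")
    coin = (("issue", "cid-7", "q"),)            # constructed sample coin
    c_j = spend(coin, "q", "j", nonce=11)
    ok_j = accept("j", c_j, 11, [Clerk("b1"), shared])
    c_k = spend(c_j, "j", "k", nonce=22)         # j, now the owner, spends it on to k
    ok_k = accept("k", c_k, 22, [shared, Clerk("b2")])
    return ok_j, ok_k
```

With an honest shared clerk the second spend is rejected; with a dishonest one both spends go through, which is exactly the precondition of Property 2.1.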
Dealing with these unbounded space requirements falls outside the scope of this paper. We discuss some ways to bound the space requirements in Section 7.

The remainder of this paper assumes the above protocol for spending a coin, and is merely concerned with different methods for obtaining $B_{r,c_{i+1}}$ such that double spending is prevented. The following property of the system described above is the basis for the main results of this paper.

Property 2.1. Let j and k be honest nodes, and let c be a coin. If $B_{j,c} \cap B_{k,c}$ contains at least one honest node, then no node can double spend a coin with coin-id cid(c) at both j and k using the protocol described above.

Proof. Let x be the honest node in $B_{j,c} \cap B_{k,c}$. If i manages to double spend c at both j and k (j = k is possible), x receives a request to look up (and immediately store) $c_j = [c', z_j, j]_i$ from j and $c_k = [c'', z_k, k]_i$ from k (with unique nonces $z_j$ and $z_k$), where $cid(c_j) = cid(c_k)$, $c_j \not\Rightarrow c_k$ and $c_k \not\Rightarrow c_j$ (by definition of double spending). W.l.o.g. assume j makes that request to x first. Then j stores $c_j$ at $DB_x$ before k requests all coins with $cid(c) = cid(c_k)$. Then k retrieves $c_j$ with $c_j \not\Rightarrow c_k$ and hence k does not accept $c_k$. ⊓⊔

Observe that the inclusion of nonces in the coin spending phase is really only necessary to determine the exact node that double-spent the coin first.

3 Fixed clerk sets: deterministic case

We will now study several methods to assign clerk sets to nodes. We start with the deterministic case where each node is given a fixed clerk set $B_i$. We assume d = f (in the deterministic case it makes no difference whether the adversary can corrupt the nodes after they join the network or only before that: it can ensure in advance to only double spend at nodes for which the clerk sets contain no honest nodes).
If, except for the node trying to double spend, there are no dishonest nodes, we only need to require $B_i \cap B_j \ne \emptyset$ (and the double spender should not be the only node in that intersection). Clearly, we can set $B_i = \{b\}$ for all i and some clerk b. This coincides with the 'central bank' case described in the introduction. In this paper we are of course interested in the distributed case, where there should be no single point of failure, and where the load for preventing double spending is evenly distributed over all participating nodes. The optimal construction of such sets was already studied in the context of the distributed match-making problem by Mullender and Vitányi [MV88, EFF85]. They show that an assignment of sets exists such that $|B_i| \le 2\sqrt{n}$ for all i, while for all i, j $B_i \cap B_j \ne \emptyset$. They also prove a matching lower bound [4].

Now suppose we do have f dishonest nodes. Using the techniques outlined above, we arrive at the following bound.

[4] Note that if we somehow could construct a 'uniform, randomised' selection of the node responsible for keeping track of the current owner of a coin, then using this single node as the clerk set for that coin would implement a distributed solution to the problem. This is studied in more detail in Section 6.

Theorem 3.1. Double spending is deterministically prevented with fixed clerk sets of size $2\sqrt{n(f+1)}$, when there are at most f dishonest nodes.

Proof. To guarantee detection of double spending we need at least f + 1 clerks in the intersection of any two clerk sets, hence $|B_i \cap B_j| > f$. One way to approach this extension is as follows. Cluster the n nodes into groups of f + 1 nodes each (for simplicity assume f + 1 exactly divides n). For the resulting n/(f+1) so-called super nodes $N_i$, create super clerk sets $B_i$ as before.
Now for each original node i, let its clerk set be the union of the nodes in the super nodes that are a member of its super clerk set $B_i$. In other words, let j be a member of super node $N_i$. Then
$$B_j = \bigcup_{N_k \in B_i} N_k .$$
We know $|B_i| = 2\sqrt{n/(f+1)}$, and that each super node covers f + 1 nodes. Hence $|B_j| \le 2\sqrt{n(f+1)}$. By construction, for any pair i, j there is an $N_k \in B_i \cap B_j$. Hence $|B_i \cap B_j| > f$. ⊓⊔

4 Random clerk sets

We now consider the case where each time a node i receives a coin it generates a different random clerk set $B_i$ to verify that the coin is not being double spent [5]. Now suppose we have f dishonest nodes. Again we assume d = f (because the clerk sets are regenerated every time a coin is received, the adversary gains no advantage if it is able to corrupt some nodes right after system initialisation).

Theorem 4.1. Double spending is prevented with overwhelming probability using random clerk sets of size at least $\sqrt{\frac{ns}{\log e\,(1-f/n)}}$.

Proof. Let $B_i$ be given, and randomly construct $B_j$. Let b be the size of the clerk sets that we aim to bound. $B_j$ does not prevent double spending if every node it contains is either not in $B_i$ or dishonest. To simplify analysis, let us assume that in the random construction of the set $B_j$ (and the given set $B_i$) we are sampling with replacement. This way we overestimate the probability of constructing such a bad set (because we do not reduce the possible number of bad choices that would occur with sampling without replacement). We will then show that even with this overestimation, this event will occur with probability at most $2^{-s}$.

[5] Actually, in this case a node can use the same randomly generated clerk set throughout, provided that d = 0. This is no longer the case when we allow small multiple spendings, analysed in Section 5.
For each member x of $B_j$, we should either pick a node not in $B_i$ (with probability $\frac{n-b}{n}$), or if we do (with probability $\frac{b}{n}$), this node should be dishonest. Each node in $B_i$ has probability $\frac{f}{n}$ to be dishonest. Hence
$$\Pr[x \text{ is bad}] = \frac{n-b}{n} + \frac{b}{n}\cdot\frac{f}{n} .$$
Then
$$\Pr[B_j \text{ is bad}] = \Pr[x \text{ is bad}]^b = \left(\frac{n - (1-f/n)\,b}{n}\right)^b .$$
With $(1 - \frac{1}{x})^x < e^{-1}$, the latter can be bounded from above by $e^{-\frac{1-f/n}{n}\,b^2}$. We require $\Pr[B_j \text{ is bad}] \le 2^{-s}$. This is achieved when $e^{-\frac{1-f/n}{n}\,b^2} < 2^{-s}$. Taking logarithms and rearranging proves the theorem. ⊓⊔

This improves the deterministic case, where we have a $\sqrt{f}$ dependence on f.

5 When coins get spent more often

Clearly, the problem of double spending becomes more pressing when coins are double spent (much) more than once. We will now show that this can be prevented with high probability with even smaller clerk sets. Note that multiple double spending only helps reducing the size of the clerk sets in the randomised case: in the deterministic case either the first double spending is prevented straight away, or no double spending is prevented at all.

Let r be the number of times a single coin is double spent by the same node [6]. We first consider the failure free case, i.e., except for the node trying to double spend, there are no dishonest nodes. This case captures the situation where nodes in the clerk sets have no incentive to collaborate with the double spender to let him get away undetected, and is closely related to the selfish but rational models used in game theoretic analysis of security protocols (cf. [IML05]).

Theorem 5.1. When only the owner of a coin is dishonest, double spending of a single coin at least r times is prevented with overwhelming probability using random clerk sets of size b such that $b > \sqrt{2ns/r} + 1$ (or $b > \frac{n-1}{r+1}$).

Proof.
Let $B_i$ be the set used for the verification of the coin when it is spent for the i-th time. Let q be the node double spending. There are r + 1 such sets if the coin is double spent r times. If double spending is not detected one of those r times, the adversary wins. This happens when $B_i \cap B_j$ contains at most the double spender q itself, for all pairs i, j. The probability that this happens is computed as follows (where we assume $(r+1)b \le n$, or else such a collection of sets simply does not exist).

[6] Recall that when a node spends the same coin x times, then r = x − 1.

After constructing the i-th set such that none of the i sets (each with b members) mutually intersect except on the double spender q, there are at most $n - i(b-1)$ nodes to choose from for the (i+1)-th set, and the probability that this set does not intersect the i others except on q becomes at most $\binom{n-i(b-1)}{b} / \binom{n}{b}$. Expanding binomials to their factorial representation, and cancelling factorials in numerators and denominators, we conclude that this is less than $\left(\frac{n-i(b-1)}{n-b+1}\right)^b$. Hence
$$\Pr[\text{double spending not detected}] \le \prod_{i=1}^{r} \frac{\binom{n-i(b-1)}{b}}{\binom{n}{b}} \le \prod_{i=1}^{r} \left(\frac{n-i(b-1)}{n-b+1}\right)^b .$$
Further simplification using $\frac{a-b}{n}\cdot\frac{a+b}{n} \le \frac{a^2}{n^2}$ shows that this is bounded from above by
$$\left(\frac{n - \frac{r+1}{2}(b-1)}{n-b+1}\right)^{rb} .$$
We want this latter expression to be negligible, i.e., less than $2^{-s}$. Inverting fractions and taking logarithms this leads to the inequality
$$rb \log \frac{n-b+1}{n - \frac{r+1}{2}(b-1)} > s .$$
Using $(r+1)b \le n$ we see $\frac{n-b+1}{n-\frac{r+1}{2}(b-1)} \le 2$. Using this, and the fact that $\log(1+x) \ge x$ for all x between 0 and 1, we have
$$\log \frac{n-b+1}{n-\frac{r+1}{2}(b-1)} \ge \frac{\frac{r-1}{2}(b-1)}{n - \frac{r+1}{2}\,b} .$$
Hence we require
$$rb \cdot \frac{\frac{r-1}{2}(b-1)}{n - \frac{r+1}{2}\,b} > s .$$
Simplifying this proves the theorem. ⊓⊔
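A concrete instance of the Section 3 construction, added here as an example that is not part of the paper: the super-node clustering of Theorem 3.1 is built on a row-plus-column grid (this example's choice of pairwise-intersecting sets, giving sets of size at most 2√m + 1 rather than the 2√m of [MV88]), and the resulting clerk sets are checked for size and pairwise intersection. It also evaluates the clerk-set sizes of Theorems 3.1, 4.1 and 5.1 for constructed parameters.

```python
"""Fixed clerk sets in the style of Theorem 3.1, checked against the intersection
requirement, plus the clerk-set sizes of Theorems 3.1, 4.1 and 5.1 side by side."""
import math
from itertools import combinations


def grid_sets(m):
    """Pairwise-intersecting sets over m items: item i sits at cell (i // side, i % side)
    of a side x side grid filled in row order, and its set is its row plus its column.
    Two items share a row, a column, or else the cells (row_a, col_b) and (row_b, col_a);
    with row-order filling at least one of those two cells is occupied, so any two sets
    intersect.  Each set has at most 2*side - 1 <= 2*sqrt(m) + 1 members."""
    side = math.ceil(math.sqrt(m))
    pos = {i: divmod(i, side) for i in range(m)}
    return {i: frozenset(j for j, (rj, cj) in pos.items()
                         if rj == pos[i][0] or cj == pos[i][1])
            for i in range(m)}


def fixed_clerk_sets(n, f):
    """Theorem 3.1: cluster the n nodes into super nodes N_k of f + 1 nodes, give the
    super nodes intersecting super clerk sets, and expand each super clerk set to the
    union of its super nodes.  Requires (f + 1) | n, as in the paper's proof."""
    assert n % (f + 1) == 0
    m = n // (f + 1)
    super_nodes = [frozenset(range(k * (f + 1), (k + 1) * (f + 1))) for k in range(m)]
    super_sets = grid_sets(m)
    clerk_sets = {}
    for k, members in enumerate(super_nodes):
        expanded = frozenset().union(*(super_nodes[x] for x in super_sets[k]))
        for node in members:                 # every node in N_k gets the same clerk set
            clerk_sets[node] = expanded
    return clerk_sets


def verify_clerk_sets(clerk_sets):
    """Largest clerk set and smallest pairwise intersection; the latter must exceed f."""
    sets = list(clerk_sets.values())
    largest = max(len(s) for s in sets)
    smallest_meet = min(len(a & b) for a, b in combinations(sets, 2))
    return largest, smallest_meet


LOG2E = math.log2(math.e)   # the paper's log is base 2, so "log e" is log2(e)


def size_deterministic(n, f):
    """Theorem 3.1: 2 * sqrt(n (f + 1))."""
    return 2 * math.sqrt(n * (f + 1))


def size_random(n, f, s):
    """Theorem 4.1: sqrt(n s / (log e * (1 - f/n)))."""
    return math.sqrt(n * s / (LOG2E * (1 - f / n)))


def size_random_r(n, s, r):
    """Theorem 5.1 (only the double spender is dishonest): sqrt(2 n s / r) + 1."""
    return math.sqrt(2 * n * s / r) + 1


if __name__ == "__main__":
    sets = fixed_clerk_sets(36, 2)           # constructed example: 36 nodes, f = 2
    print(verify_clerk_sets(sets), size_deterministic(36, 2))
    n, f, s, r = 10000, 100, 20, 10          # constructed parameters
    print(size_deterministic(n, f), size_random(n, f, s), size_random_r(n, s, r))
```

For 36 nodes and f = 2 the construction yields clerk sets of 18 nodes (the bound is about 20.8) whose pairwise intersections never drop below 6 > f.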
Next, we consider the case when there are at most f > 1 dishonest nodes.

Theorem 5.2. Double spending of a single coin at least r times is prevented with overwhelming probability using random clerk sets of size at least $\sqrt{\frac{ns}{\log e\,(1-f/n)\,r}}$.

Proof. Again, let there be r + 1 sets $B_i$, each used for the verification of the coin when it is spent for the i-th time. Let F denote the set of faulty nodes. If double spending is not detected one of those r + 1 times, the adversary wins. This happens when $(B_i \cap B_j) \setminus F = \emptyset$, for all i, j.

We are going to estimate the probability that this happens by only considering $B_1 \cap B_j \setminus F = \emptyset$ for all $j \ne 1$. Then
$$\Pr[\text{double spending not detected}] < \left(\Pr[B_1 \cap B_j \setminus F = \emptyset]\right)^r < \Pr[x \notin B_1 \vee x \in F]^{br} ,$$
where in the last step we consider arbitrary x and sample with replacement. This latter probability is, like in the proof of Theorem 4.1,
$$\Pr[x \text{ is bad}] = \frac{n-b}{n} + \frac{b}{n}\cdot\frac{f}{n} .$$
Proceeding similar to that proof, we obtain $b > \sqrt{\frac{ns}{\log e\,(1-f/n)\,r}}$. ⊓⊔

The bound appears not to be tight (in fact it is worse than Theorem 5.1 by a factor $\sqrt{r}$) because we only estimated the probability that no clerk set intersects with the first clerk set, thus greatly exaggerating the success of the adversary. Simulations suggest that the size of the clerk sets b is indeed inversely proportional to the number of clerk sets r even when faulty nodes exist.

6 Coin-specific clerk sets

Up till now, we have assumed that clerk sets are constructed independent of the coin that needs to be checked. This is a restriction. In fact, we will now show that under certain circumstances, the use of the coin identifier in the construction of the clerk sets may help reducing the size of the clerk sets even further.
In previous work on digital karma [GH05] we investigated the design of a decentralised currency for P2P networks with double-spending detection. We showed the following result, given an assignment of β nodes derived from a coin identifier cid by
$$B_{cid} = \{\, h^i(cid) \bmod n \mid 1 \le i \le \beta \,\}$$
(where we ignore the possibility of collisions for the moment), where h is a random hash function.

Lemma 6.1 ([GH05]). If $\beta > d + s\log((n-d)/(f-d))$, then $B_{cid}$ contains only dishonest nodes with probability less than $2^{-s}$.

Note that in the proof of this result we use the fact that the adversary controls at most d nodes for which it knows membership of a particular set $B_{cid}$; for all other f − d dishonest nodes membership of this set is entirely random.

Using this new approach as a starting point, we now analyse how frequent double spending of a single coin can be prevented more efficiently. Clearly, when there are no dishonest nodes, the single node clerk set $B_{cid} = \{h(cid)\}$ suffices to prevent double spending (provided of course that the coin is never spent by this particular node itself). This is a distributed solution because the hash function distributes the clerk assignment uniformly over all available nodes. Similarly, using Lemma 6.1, we see that using $B_{cid}$ as the clerk set each time coin cid is spent, double spending is prevented with overwhelming probability as well, even if the adversary gets to corrupt d out of f nodes of his own choosing. This is summarised in the following theorem.

Theorem 6.2. Double spending is prevented with overwhelming probability using clerk sets derived from a coin identifier, of size at least $\beta > d + s\log((n-d)/(f-d))$.

But we can do even better than that if we are willing to allow a coin to be double spent at most r times.
The idea is to start with the coin-specific clerk space $B_{cid}$ of size β, but to use a smaller random subset $B_i \subset B_{cid}$ of size b as the clerk set to use when spending the coin for the i-th time. Observe that the size of the clerk space now is more or less independent of n: it only depends on the fraction of dishonest nodes. Compared to the original randomised clerk set case (see Theorem 4.1) when setting d = 0 we see that β increases much less rapidly with increasing fraction of dishonest nodes. Note that reducing the sample space in this original case from n to say n' would improve the bound; however, the solution would no longer be distributed because certain nodes never would become members of a clerk set.

Theorem 6.3. Double spending of a single coin cid at least r times is prevented with overwhelming probability using coin specific clerk spaces of size β at least $d + s\log((n-d)/(f-d))$ and clerk sets of size b at least
$$\frac{\beta}{r \log e}\,(s + 1 + \log(r+2)) .$$

Proof. Consider an arbitrary coin with coin identifier cid. Let $\beta = |B_{cid}|$. From Lemma 6.1 we know that if $\beta > d + (s+1)\log((n-d)/(f-d))$, then $B_{cid}$ contains no honest nodes with negligible probability $2^{-(s+1)}$. Let this coin be double spent r > 1 times, and let $B_i \subset B_{cid}$ be a random subset of size b that serves as the clerk set to use when spending the coin for the i-th time. We will show that when $B_{cid}$ contains at least one honest node x, the probability that x is not a member of at least two sets $B_i$ and $B_j$ is again at most $2^{-(s+1)}$. Multiplying these two probabilities we can conclude that the adversary can only succeed spending the coin r times with probability at most $2^{-s}$, which proves the theorem.

We bound the probability that x is not a member of at least two sets $B_i$ and $B_j$ as follows. We have
$$\Pr[x \notin B_i] = \frac{\beta-1}{\beta}\cdot\frac{\beta-2}{\beta-1}\cdots\frac{\beta-b}{\beta-b+1} = 1 - \frac{b}{\beta} .$$
Call this probability p. Then $q = 1 - p = b/\beta$. Let X be a random variable denoting the number of sets $B_i$ of which x is a member. Then

$\Pr[X \le 1] = p^{r+1} + \binom{r+1}{1} p^r q.$

Assume for the moment that $b > \beta/2$. Then q > p and hence $\Pr[X \le 1] \le (r+2)\, q\, p^r$, which should be less than $2^{-(s+1)}$. Substituting the values for p and q and using $b/\beta \le 1$, this is achieved when

$(r+2) \left( 1 - \frac{b}{\beta} \right)^r \le 2^{-(s+1)}.$

Using $(1 - 1/x)^x \le 1/e$ and taking logarithms we need

$\log(r+2) - r \log e \, \frac{b}{\beta} \le -(s+1).$

From this the theorem follows. □

The proof of this theorem uses a rather crude approximation of the probability that an adversary can cheat. In fact, it is far more likely that a coin specific clerk space contains more than one honest node, making it harder for the adversary to avoid them in the r clerk sets.

7 Conclusions & Further Research

Interestingly, the probability of polling the central bank in the scheme of Jarecki and Odlyzko [JO97] is proportional to the amount of the transfer, such that the number of polling messages is constant for a given amount of credit: whether a user spends all her credit in a few big transactions, or many micro payments does not matter. To get a similar property in our scheme would require us to change the size of the clerk sets depending on the amount of the transaction (i.e., the value of the coin, if there are multi valued coins in the system), or to contact the clerk sets only with a certain probability for each transaction. Further research is necessary to explore these ideas and to determine their impact on the efficiency of double spending prevention in a decentralised, distributed currency scheme.

The current analysis is based on a few strong assumptions. For one thing, we assume that the network is static.
To fully apply our ideas to for instance P2P networks requires us to take dynamic node joins and leaves into account. Also, we assume transmitting coins is an atomic operation. Probably, the coin transfer protocol becomes slightly more involved when we need to handle concurrent coin spending. Finally, the coin transfer protocol assumes that coins can grow unbounded in size: with every transfer of a coin, it gains another signature. Methods to reduce the space complexity should be investigated. This is not easy however, because the double spending prevention system depends on a more or less correct notion of time, and aims to record who owns which coin at what time. Preventing nodes from warping the coins they own into the future (and thus bypassing all double spending prevention) is not trivial. We do note however, that clerks only need to store the coin with the longest prefix for a particular coin identifier.

Finally, there are other interesting approaches that might be useful to implement distributed double spending prevention. One approach is to try to limit the rate at which nodes can spend coins in the first place. HashCash [Bac97] could be used to do this. In this setting, a node wishing to spend a coin is forced to spend a non-negligible amount of work first to compute some function, e.g., by finding a collision in a moderately strong hash function. The receiver of the coin verifies the function result and only accepts the coin when the result is correct. If a lower bound on the actual time needed to compute the function is known (and this is not always easy given the diversity of hardware platforms), this implies an upper bound on the amount of money a node can spend (and therefore double spend).

References

[AJSW97] Asokan, N., Janson, P. A., Steiner, M., and Waidner, M. The state of the art in electronic payment systems. IEEE Computer 30, 9 (1997), 28–35.
[Bac97] Back, A. Hashcash - a denial of service counter-measure. http://www.cypherspace.org/hashcash, 1997.
[EFF85] Erdős, P., Frankl, P., and Füredi, Z. Families of finite sets in which no set is covered by the union of r others. Israel Journal of Mathematics 51, 1–2 (1985), 79–89.
[GH05] Garcia, F. D., and Hoepman, J.-H. Off-line karma: A decentralized currency for peer-to-peer and grid networks. In 3rd ACNS (New York, NY, USA, 2005), J. Ioannidis, A. Keromytis, and M. Yung (Eds.), LNCS 3531, Springer, pp. 364–377.
[Hir02] Hird, S. Technical Solutions for Controlling Spam. In AUUG2002 (Melbourne, 2002).
[IML05] Izmalkov, S., Micali, S., and Lepinski, M. Rational secure computation and ideal mechanism design. In 46th FOCS (2005), IEEE Comp. Soc. Press, pp. 585–595.
[JO97] Jarecki, S., and Odlyzko, A. An efficient micropayment system based on probabilistic polling. In 1st Int. Conf. Fin. Crypt. (Anguilla, British West Indies, 1997), R. Hirschfeld (Ed.), LNCS 1318, Springer, pp. 173–191.
[MR98] Malkhi, D., and Reiter, M. Byzantine quorum systems. Distributed Computing 11, 4 (1998), 203–213.
[MRWW01] Malkhi, D., Reiter, M., Wool, A., and Wright, R. Probabilistic Quorum Systems. Information and Computation 170, 2 (2001), 184–206.
[MV88] Mullender, S. J., and Vitányi, P. M. B. Distributed match-making. Algorithmica 3 (1988), 367–391.
[OPT97] O'Mahony, D., Peirce, M., and Tewari, H. Electronic Payment Systems. Artech House, 1997.
[SS99] Schneier, B., and Shostack, A. Breaking up is hard to do: Modelling security threats for smart cards. In 1st USENIX Worksh. on Smartcard Tech. (Chicago, IL, 1999), USENIX, pp. 175–185.
[VCS03] Vishnumurthy, V., Chandrakumar, S., and Sirer, E. G. KARMA: a secure economic framework for peer-to-peer resource sharing. In Proc. Workshop on the Economics of Peer-to-Peer Systems (Berkeley, California, 2003). Papers published on http://www.sims.berkeley.edu/research/conferences/p2pecon/index.html.
[Yac99] Yacobi, Y. Risk management for e-cash systems with partial real-time audit. In 3rd Int. Conf. Fin. Crypt. (Anguilla, British West Indies, 1999), M. K. Franklin (Ed.), LNCS 1648, Springer, pp. 62–71.
[YGM03] Yang, B., and Garcia-Molina, H. PPay: micropayments for peer-to-peer systems. In 10th CCS (Washington D.C., USA, 2003), V. Atluri and P. Liu (Eds.), ACM, pp. 300–310.