Topic: Making double spending economically unattractive (Read 1157 times)

The following is an improvement on the above idea; the description here is self contained.

• A new opcode is introduced. Instead of OP_DUP OP_HASH160 OP_EQUALVERIFY OP_CHECKSIG this should give a new standard transaction, where OP_CHECKSIG is replaced with the new opcode
• There are two ways to empty an such an account. First, it is possible to create a transaction which empties it immediately, and distributes the money evenly to the miners of the next 100 blocks. Second, one can withdraw it to a normal account, but that will take 10 blocks (i.e., think of it this way: a normal withdrawal needs to be announced 10 blocks before it can be executed).
• If a transaction of the first kind (distributing to the miner) is in a block which is at most 9 blocks later than a transaction of the second kind, the transaction distributing is valid, and the other transaction becomes a NOP.
  

Now, suppose I want to spend 1 bitcoin from account A without waiting for confirmations. I have 100 bitcoins on an account with the new opcode. I will give the vendor a transaction which of the second kind, which I manufactor that it becomes only valid if one can find a double spend of A.

If I now want to double spend A, I will lose 100 BTC to the miners.

I wasn't thinking too much about alt coins: the idea was that currently we're telling people they cannot use bitcoins for immediate transactions, and I just wondered whether anything can be done about that.


I think we should keep in mind that if double spending becomes an actual problem one might do something about it. An alternative coin for studying it would be interesting, but I personally don't plan to implement one now.

Is this an idea for a alternative coin or something? I only ask this because the amount of double spends under normal circumstances is zero. I think the only real double spend happened during the blockchain fork.

I might be wrong but Bitcoin is not suffering from any double spend issues and the developers are best focusing their efforts into fixing real problems with Bitcoin.

However if your idea can be incorporated into a alternative coin that did not require massive amounts of useless work to support the security of the network, then you might be onto something...

By "users" I simply mean people who use the system. While you cannot know what user knows what address, and not every address maps to a single user, nevertheless there are people using it.


The old transactions would still be there, there would just be one more transaction type.

Essentially, the idea allows you to say: "I promise not to double spend the input of this transaction. If you catch me doing it, please pay this large fee to the miner."

There are no users in bitcoin - only addressees and I'm not sure that all double spend attempts are malicious. Isn't it possible to attempt double spend during blockchain fork under "normal usage" - not willingly?

Dear All,

I was thinking about an approach to prevent double spending, and I
think I found approach which I wondered about.  The approach assumes
that the miners are not trying to double spend. Nevertheless, I think
the approach makes double spending attacks much harder.

I want to set up a system with one goal in mind: If a user tries to
double spend, then *both* transaction will land in the blockchain in a
special way, which makes the user lose money. As a side goal: the
vendor should get his money even if the user tries to double spend.

More concretely, one could do this as follows: one would allow a new
transaction format, in which each outgoing address gets two amounts; a
"normal amount", and a "double spending amount". Such a transaction
would be considered valid only under two conditions: (1) there are
exactly two outgoing addresses, (2) the fee implied by the "double
spending amounts" is *more* than two times the fee implied by the
normal amounts.  A miner can then include a transaction T in this new
format in two different ways into a block.

  (A) Like a normal transaction, in which case the transaction is
      processed as normal; the amounts will be the "normal amount"s.

  (B) As a special "double spent transaction". In order to do this,
      the miner has to include another transaction T', which is not
      executed, but only serves as a proof that the creator of the
      transaction tried to double spend the money. Transaction T must
      be a transaction of the above kind here, but T' can be any
      transaction.

      In such a case, the transactions in T are executed with the
      "double spending amount". If there is money remaining, then it
      is split in 2 equal parts (up to some fixed rounding). Half goes
      to the miner, half goes to the address containing the *smallest*
      output in "normal amount" in T'. We will see in a moment why.

Suppose now a vendor V with address wants to accept bitcoins from
a buyer B with address . Suppose B wants to pay "val" to V, and add
transaction fee "fee". Given a transaction, the vendor will watch the
network for a few seconds, and check for double spendings.  Then, the
vendor accepts transaction T if it looks as follows:

(1) An incoming amount of I, I >= 3*val + 3*fee
(2) Two outgoing adresses; one is , and another one, call it .
    There are no other outgoing addresses or entries.
(3) The "normal amount" and the "double spending amount" to are
    exactly equal to val.
(4) The "normal amount" to is strictly bigger than val
(5) The "double spending amount" to is at most I - 3*val - 2*fee

In case a miner sees an attempt at double spending, he is supposed to
do the following.  First, pick the transaction Tmax with highest fee
in the double spending values. Second, take as a proof of double
spending the first alternative transaction Tfirst seen. Then, publish
these two transactions, Tmax with proof Tfirst. Note that the system
is set up such that this gives the miner the maximum profit.

Suppose now that V accepts transaction T which a user tried to double
spend, creating transactions T, T1, T2,... I claim that if transaction T
was the first one sawn by the miner, then V gets the money.

(A) Transaction T is processed as normal
(B) Transaction Ti is processed as normal
(C) Transaction T is a double spent transaction, Ti its proof
(D) Transaction Ti is a double spent transaction, T its proof

In case the miner uses (A), he gets fee. In case he uses (C), he gets
at least val+fee, because the difference between the left over part in
the double spending amounts of T is at least 2*val+2*fee.
Thus, we can assume that he uses (B) or (D) only if he gets also at
least 2*val+2*fee. Since (D) is always more valuable to the miner than
(B) -- otherwise the transaction Ti isn't valid -- he will use (A),
(D), or (C), in which case V gets his money.

There is another case: Ti could be a transaction in old style
format. In this case, the miner cannot use (D). So it might be
advantageous for the miner to use (B), and V will not get his money --
however, B still spends at least val+fee in fees, so this should not
happen too often (the vendor might want to increase the gap in T
somewhat so that B spends even more).

There would still be the issue what to do when some miners try to help
double spending; this isn't trivial and might be a real problem, but
still I think the system would be an improvement already: right now, a
double spending attack is something I can run on my own, however, I
don't have the computational power to do serious mining -- and
besides, if I did I wouldn't try to cheat vendors for US$20. Also,
maybe one can do something about that.

tl;dr Why not make transactions which have two values for each outgoing address, where the second one can only be used if the user tried to double spend?