Dear All,
I was thinking about an approach to prevent double spending, and I
think I found an approach which I wondered about. The approach assumes
that the miners are not trying to double spend. Nevertheless, I think
the approach makes double spending attacks much harder.
I want to set up a system with one goal in mind: If a user tries to
double spend, then *both* transactions will land in the blockchain in a
special way, which makes the user lose money. As a side goal: the
vendor should get his money even if the user tries to double spend.
More concretely, one could do this as follows: one would allow a new
transaction format, in which each outgoing address gets two amounts; a
"normal amount", and a "double spending amount". Such a transaction
would be considered valid only under two conditions: (1) there are
exactly two outgoing addresses, (2) the fee implied by the "double
spending amounts" is *more* than two times the fee implied by the
normal amounts. A miner can then include a transaction T in this new
format in two different ways into a block.
(A) Like a normal transaction, in which case the transaction is
processed as normal; the amounts will be the "normal amount"s.
(B) As a special "double spent transaction". In order to do this,
the miner has to include another transaction T', which is not
executed, but only serves as a proof that the creator of the
transaction tried to double spend the money. Transaction T must
be a transaction of the above kind here, but T' can be any
transaction.
In such a case, the transactions in T are executed with the
"double spending amount". If there is money remaining, then it
is split in 2 equal parts (up to some fixed rounding). Half goes
to the miner, half goes to the address containing the *smallest*
output in "normal amount" in T'. We will see in a moment why.
Suppose now a vendor V with address wants to accept bitcoins from
a buyer B with address . Suppose B wants to pay "val" to V, and add
transaction fee "fee". Given a transaction, the vendor will watch the
network for a few seconds, and check for double spendings. Then, the
vendor accepts transaction T if it looks as follows:
(1) An incoming amount of I, I >= 3*val + 3*fee
(2) Two outgoing addresses; one is , and another one, call it .
There are no other outgoing addresses or entries.
(3) The "normal amount" and the "double spending amount" to are
exactly equal to val.
(4) The "normal amount" to is strictly bigger than val
(5) The "double spending amount" to is at most I - 3*val - 2*fee
In case a miner sees an attempt at double spending, he is supposed to
do the following. First, pick the transaction Tmax with highest fee
in the double spending values. Second, take as a proof of double
spending the first alternative transaction Tfirst seen. Then, publish
these two transactions, Tmax with proof Tfirst. Note that the system
is set up such that this gives the miner the maximum profit.
Suppose now that V accepts transaction T which a user tried to double
spend, creating transactions T, T1, T2,... I claim that if transaction T
was the first one seen by the miner, then V gets the money.
(A) Transaction T is processed as normal
(B) Transaction Ti is processed as normal
(C) Transaction T is a double spent transaction, Ti its proof
(D) Transaction Ti is a double spent transaction, T its proof
In case the miner uses (A), he gets fee. In case he uses (C), he gets
at least val+fee, because the difference between the left over part in
the double spending amounts of T is at least 2*val+2*fee.
Thus, we can assume that he uses (B) or (D) only if he gets also at
least 2*val+2*fee. Since (D) is always more valuable to the miner than
(B) -- otherwise the transaction Ti isn't valid -- he will use (A),
(D), or (C), in which case V gets his money.
There is another case: Ti could be a transaction in old style
format. In this case, the miner cannot use (D). So it might be
advantageous for the miner to use (B), and V will not get his money --
however, B still spends at least val+fee in fees, so this should not
happen too often (the vendor might want to increase the gap in T
somewhat so that B spends even more).
There would still be the issue what to do when some miners try to help
double spending; this isn't trivial and might be a real problem, but
still I think the system would be an improvement already: right now, a
double spending attack is something I can run on my own, however, I
don't have the computational power to do serious mining -- and
besides, if I did I wouldn't try to cheat vendors for US$20. Also,
maybe one can do something about that.
tl;dr Why not make transactions which have two values for each outgoing address, where the second one can only be used if the user tried to double spend?
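
Added example, not part of the original post: a Python sketch of the vendor's acceptance conditions (1)-(5) and of the payouts when a transaction is included as a "double spent transaction" with a proof. It assumes that condition (3) refers to the vendor's output and (4)-(5) to the other output, that amounts are integers, and that the odd unit of an uneven split goes to the proof's smallest-output address; the names Out, Tx, MINER and all sample values are constructed.

```python
from dataclasses import dataclass

MINER = "<miner>"  # placeholder key for the miner's share (assumption)

@dataclass(frozen=True)
class Out:
    addr: str
    normal: int  # "normal amount": paid when T is included as in (A)
    ds: int      # "double spending amount": paid when T is included as in (B)

@dataclass(frozen=True)
class Tx:
    total_in: int
    outs: tuple

def fee(tx, kind):
    # Fee implied by the "normal" or "ds" amounts: input minus outputs.
    return tx.total_in - sum(getattr(o, kind) for o in tx.outs)

def valid_format(tx):
    # Exactly two outputs; double-spend fee more than twice the normal fee.
    return len(tx.outs) == 2 and fee(tx, "ds") > 2 * fee(tx, "normal")

def vendor_accepts(tx, vendor, val, fee_):
    if not valid_format(tx) or tx.total_in < 3 * val + 3 * fee_:  # (1), (2)
        return False
    mine = [o for o in tx.outs if o.addr == vendor]
    if len(mine) != 1:
        return False
    v = mine[0]
    c = next(o for o in tx.outs if o is not v)
    return (v.normal == val and v.ds == val                # (3)
            and c.normal > val                             # (4)
            and c.ds <= tx.total_in - 3 * val - 2 * fee_)  # (5)

def settle_double_spent(tx, proof):
    """Payouts when tx is mined as a double spent transaction with `proof`."""
    if not valid_format(tx):
        raise ValueError("only new-format transactions can be mined this way")
    left = fee(tx, "ds")
    pay = {o.addr: o.ds for o in tx.outs}
    pay[MINER] = left // 2  # rounding rule is an assumption
    bonus = min(proof.outs, key=lambda o: o.normal).addr
    pay[bonus] = pay.get(bonus, 0) + left - left // 2
    return pay

# Constructed sample: val=100, fee=1, input 303; "C" is the second output.
T = Tx(303, (Out("V", 100, 100), Out("C", 202, 1)))
Ti = Tx(303, (Out("X", 150, 10), Out("Y", 152, 10)))  # conflicting spend
```

With these values, settle_double_spent(T, Ti) pays the vendor val and the miner val+fee, and settle_double_spent(Ti, T) routes half of Ti's leftover to the vendor because condition (4) makes the vendor's output the smallest normal output in T.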