nach oben

Erschienen in:

2015 | OriginalPaper | Buchkapitel

On the Malleability of Bitcoin Transactions

verfasst von : Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski, Łukasz Mazurek

Erschienen in: Financial Cryptography and Data Security

Verlag: Springer Berlin Heidelberg

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

We study the problem of malleability of Bitcoin transactions. Our first two contributions can be summarized as follows:

(i)

we perform practical experiments on Bitcoin that show that it is very easy to maul Bitcoin transactions with high probability, and

(ii)

we analyze the behavior of the popular Bitcoin wallets in the situation when their transactions are mauled; we conclude that most of them are to some extend not able to handle this situation correctly.

The contributions in points (i) and (ii) are experimental. We also address a more theoretical problem of protecting the Bitcoin distributed contracts against the “malleability” attacks. It is well-known that malleability can pose serious problems in some of those contracts. It concerns mostly the protocols which use a “refund” transaction to withdraw a financial deposit in case the other party interrupts the protocol. Our third contribution is as follows:

(iii)

we show a general method for dealing with the transaction malleability in Bitcoin contracts. In short: this is achieved by creating a malleability-resilient “refund” transaction which does not require any modification of the Bitcoin protocol.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Nächstes Kapitel Trends, Tips, Tolls: A Longitudinal Study of Bitcoin Transaction Fees

For a short description of Bitcoin and the non-standard transactions see Sect. 2.

This is because Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) that has the property that for every signature \(\sigma = (r,s) \in \{1,\ldots ,N-1\}^2\) the value \(\sigma ' = (r,N-s)\) is also a valid signature on the same message and with respect to the same key as \(\sigma \).

An example of such a fork was experienced by the Bitcoin community in March 2013, when it was caused by a bug in a popular mining client software update [11]. Fortunately it was resolved manually, but it is still remembered as one of the moments when Bitcoin was close to collapse.

The protocol of [3] was secure only under the assumption that the Bitcoin is modified to prevent the malleability attacks.

In the original Bitcoin documentation this is called “simplified \(T_{x}\)”.

Technically in Bitcoin \([T_{x}]\) is not directly passed as an argument to \(\pi '_{i}\). We adopt this convention to make the exposition clearer.

In our experiments we used addresses 13eb7BFXgHeXfxrdDev1ehrBSGVPG6obu8 and 115g32FHp77hQpuuWpw8j8RYKPvxD1AXyP.

Typical Bitcoin client maintains about 8 connections.

More precisely it connects to the nodes maintained by mining pools GHash.IO and Eligius.

In fact, the BitGo administrators reacted to our experiments by contacting us directly.

The malleability problem occurs in Step 3 when Party \(\mathsf {A}\) generates Tx2 (the contract) which spends Tx1, and then asks \(\mathsf {B}\) to sign it and send it back. This happens before Tx1 is included in the block chain and hence if later the attacker succeeds in posting a mauled version Tx1\('\) of Tx1 on the block chain, then the transaction Tx2 becomes invalid.

The malleability problem is visible in Step 3, where the refund transaction T2 is created. This transaction depends on the transaction T1 that is not included in the block chain at the time when both parties sign it (in Steps 3 and 4).

The problem occurs in Steps 4 and 7, where the “refund_bet” and “refund_reveal” transactions are signed before theirs input transactions “bet” and “reveal” are broadcast.

The problem is visible in Step 2 of the \( Commit \) phase of this protocol (the \( Fuse ^\mathsf {A}\) and \( Fuse ^\mathsf {B}\) transactions are created before their input transaction \( Commit \) appears on the block chain).

Such transactions are called hash locked in the Bitcoin literature. Notice that having an output script, which requires only preimages and no signatures is not secure, because anyone who notices in the network a transaction trying to redeem such output script learns the preimages and can try to redeem this output script on his own. In our case the output script of the transaction \(T_0\) requires also a signature of A, but we omit it (\(\ldots \)) to simplify the exposition.

bips/bip-0065.mediawiki. http://github.com/bitcoin/bips/blob/master/bip-0065.mediawiki. Accessed on 10 December 2014

bitcoinj library homepage. http://bitcoinj.github.io. Accessed on 20 October 2014

Andrychowicz, M., Dziembowski, S., Malinowski, D., Mazurek, Ł.: Fair two-party computations via bitcoin deposits. In: Böhme, R., Brenner, M., Moore, T., Smith, M. (eds.) Financial Cryptography and Data Security. Lecture Notes in Computer Science, pp. 105–121. Springer, Berlin Heidelberg (2014)

Andrychowicz, M., Dziembowski, S., Malinowski, D., Mazurek, L.: Secure multiparty computations on bitcoin. In: 2014 IEEE Symposium on Security and Privacy (SP), May (2014)

Back, A., Bentov, I.: Note on fair coin toss via bitcoin (2013). http://www.cs.technion.ac.il/7Eidddo/cointossBitcoin.pdf

Bentov, I., Kumaresan, R.: How to use bitcoin to design fair protocols. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 421–439. Springer, Heidelberg (2014)

Bentov, I., Kumaresan, R.: How to use Bitcoin to design fair protocols. Cryptology ePrint Archive, Report 2014/129 (2014). http://eprint.iacr.org/2014/129. Accepted to ACM CCS 2014

Bitcoin.org. Developer reference. http://bitcoin.org/en/developer-reference. Accessed on 20 October 2014

Bitcoin.org. List of bitcoin wallets. http://bitcoin.org/en/choose-your-wallet. Accessed on 20 October 2014

10.

Boldyreva, A., Cash, D., Fischlin, M., Warinschi, B.: Foundations of non-malleable hash and one-way functions. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 524–541. Springer, Heidelberg (2009) CrossRef

11.

Vitalik, B.: Bitcoin network shaken by blockchain fork, March 2013. Bitcoin Magazine. http://bitcoinmagazine.com/3668/bitcoin-network-shaken-by-blockchain-fork

12.

Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable two-party and multi-party secure computation. In: 34th Annual ACM Symposium on Theory of Computing, pp. 494–503. ACM Press (2002)

13.

Decker, C., Wattenhofer, R.: Bitcoin transaction malleability and mtgox. In: Kutyłowski, M., Vaidya, J. (eds.) ICAIS 2014, Part II. LNCS, vol. 8713, pp. 313–326. Springer, Heidelberg (2014)

14.

Dodis, Y., Wichs, D.: Non-malleable extractors and symmetric key cryptography from weak secrets. In: Mitzenmacher, M. (ed.) 41st Annual ACM Symposium on Theory of Computing, pp. 601–610. ACM Press (2009)

15.

Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)MATHMathSciNetCrossRef

16.

Dziembowski, S., Kazana, T., Obremski, M.: Non-malleable codes from two-source extractors. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 239–257. Springer, Heidelberg (2013) CrossRef

17.

Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system. Consulted 1, 28 (2008)

18.

Weisenthal, J.: Bitcoin just completely crashed as major exchange says withdrawals remain halted, Business Insider (2014). http://www.businessinsider.com/mtgox-statement-on-withdrawals-2014-2

19.

Bitcoin Wiki. Contracts. http://en.bitcoin.it/wiki/Contracts. Accessed on 20 October 2014

20.

Bitcoin Wiki. Main page. http://en.bitcoin.it/. Accessed on 20 October 2014

21.

Bitcoin Wiki. Transaction malleability. http://en.bitcoin.it/wiki/Transaction_Malleability. Accessed on 20 October 2014

22.

Wuille, P.: Bitcoin improvement proposal: dealing with malleability. http://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki. Accessed on 20 October 2014

Titel: On the Malleability of Bitcoin Transactions
verfasst von: Marcin Andrychowicz
Stefan Dziembowski
Daniel Malinowski
Łukasz Mazurek
Verlag: Springer Berlin Heidelberg
Buch: Financial Cryptography and Data Security
Print ISBN: 978-3-662-48050-2

Electronic ISBN: 978-3-662-48051-9

Copyright-Jahr: 2015
DOI: https://doi.org/10.1007/978-3-662-48051-9_1

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"