Double Spending Protection in the Concordium Blockchain

Bernardo David
Published in Concordium
6 min read · May 6, 2020

Double spending is a situation where a potentially malicious cryptocurrency user transfers the same coin to two different users at the same time. In this article, we talk about how double spending is avoided in modern cryptocurrencies and how Concordium's finality feature adds a new layer of efficient and robust protection against this attack.

Introduction

Imagine that an attacker who owns a single coin is able to convince two different users of a cryptocurrency that they have received that same coin as payment.

An attacker who can do this gets to spend double the amount of coins they own, which is why we call this attack a double spending.

If this unfortunate situation happens, not only does the adversary get an unfair advantage, but eventually it will be necessary to determine which of the honest users gets to keep the transferred coin, meaning that one of the users ends up without that coin even though both thought they were now its rightful owner.

This is a very serious issue when a cryptocurrency is used in the real world to pay for goods and services, since a merchant who falls victim to a double spend might end up without their payment.

Solving double spending in a robust yet efficient way has been one of the main goals of research on cryptocurrencies ever since the first digital cash systems [C82] were proposed.

In these first systems, the goal was to obtain a digital representation of cash bills with the same anonymity and authenticity guarantees as fiat money. This meant that a merchant who received a digital coin as payment from a user was supposed to immediately contact the central bank that issued the coin in order to verify that it was not fake and could still be spent.

This verification procedure would achieve three things:

  • Keep secret the identity of the user making the payment (not even the bank knew who made the payment)
  • Invalidate the digital coin used in the payment so that double spending would not be possible anymore
  • Give the merchant a new digital coin that could again be anonymously spent

The advent of Bitcoin [N08] and other decentralized permissionless cryptocurrencies gave rise to a totally new challenge in preventing double spending.

While eliminating the central bank as a single point of failure and a bottleneck is certainly a big advantage, it forced researchers to re-imagine double spending protection as it was known.

The answer came in the form of novel blockchain consensus protocols, which can be used to keep track of financial transactions (and their order) without relying on a central authority. However, this flexibility came at the cost of speed in processing coin transfers, since users must wait a considerable amount of time before getting a strong guarantee that they are not subject to double spending.

Blockchains and Double Spending

Intuitively, in a cryptocurrency system, a blockchain serves as a public ledger where coin transfers are stored in such a way that they become immutable and accessible to all users once they are written.

However, in practice not everything that is written to a blockchain becomes immutable, at least not immediately. It might be the case that the blockchain forks into multiple versions that are only equal up to a certain block, after which the remaining blocks contain different and possibly conflicting information.

For both Proof-of-Work [GKL15] and Proof-of-Stake [DGKR18] blockchains, we can show that eventually all honest users following the blockchain protocol choose one of these alternative chains as the honest one.

While this helps all honest users agree on a single version of the chain, it also means that the information in the alternative, discarded versions is lost.

An attacker who wants to carry out a double spending attack can first force a fork to happen and then place two conflicting transactions, each transferring the same coin to a different user, in the two different versions of the chain.

By executing this attack in a clever way, the attacker might make each user believe that the version of the chain containing the transaction that gives them the coin is the one that will ultimately be adopted by all parties, so that each user considers the transfer to be concluded.

However, one of these versions of the blockchain will be eventually discarded, meaning that the user who received the coin according to the transaction written in that chain no longer owns the coin. In order to solve this problem, before accepting a transaction as payment, users must make sure this transaction is indeed part of a block that has become immutable and will not be discarded later.

Fortunately, for any block B in a blockchain, we can prove that the higher the number of blocks added to the chain after block B, the higher the chance that block B has become immutable [GKL15][DGKR18]. On the other hand, in order to get a strong enough guarantee that a block has indeed become immutable and that the transactions that it contains will not be discarded, we need to wait for many new blocks to be added to the chain after the block containing the transaction we are interested in.

In practice, we might need to wait for hours before we can have a strong enough assurance that a transaction is indeed confirmed (meaning that we can trust this transaction has become immutable).

Using Finality Against Double Spending

A big difference between Concordium and other blockchain based cryptocurrencies is that Concordium's blockchain has a feature called finality, which is implemented by the Afgjort Finality Layer [DMM+19] and discussed in more detail in this article.

In a nutshell, finality allows us to be 100% certain that a block has become immutable after a certain procedure is completed, even if not many blocks are added to the chain after this block.

In Concordium's implementation of finality, the finalization procedure is constantly executed on one of the latest blocks added to the chain by a finalization committee (chosen among the blockchain users who want to participate in this process).

Once this procedure is completed, some information is added to this block and it becomes finalized, meaning that all users can be sure that this block and all the blocks that come before it in the blockchain are now immutable.

We can achieve very strong protection against double spending using finality as a tool.

Basically, all transactions contained in the blocks that come before the latest finalized block are 100% guaranteed to be confirmed (meaning they are indeed immutable).

Moreover, we get this guarantee as soon as the latest finalization procedure is completed, which all users can detect and verify. Users conducting high value and sensitive transactions can choose to always wait for a finalized block to appear after the block containing their transactions before considering them to be confirmed, which will give them 100% certainty that the transaction is immutable.

On the other hand, users who do not require such a strong assurance can still rely on the standard blockchain protocol security guarantees [GKL15][DGKR18] to determine how many blocks should be added after the block containing their transactions before they consider a transaction to be confirmed.
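To make the fork attack described above and the two confirmation policies concrete, here is an added toy model (not code from the article or from Concordium): a forked chain in which one coin is spent to two different merchants, checked against the depth-k rule and against the finality rule. Block ids, account names and the choice of which block gets finalized are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Tx:
    coin: str
    sender: str
    recipient: str

@dataclass(frozen=True)
class Block:
    id: str
    parent: Optional[str]    # None for genesis
    txs: tuple = ()
    finalized: bool = False  # set once the finalization committee finalizes this block

def chain_from(blocks, tip):
    """Blocks on the path from `tip` back to genesis, tip first."""
    path, cur = [], tip
    while cur is not None:
        path.append(blocks[cur])
        cur = blocks[cur].parent
    return path

def confirmed_by_depth(blocks, tip, tx, k):
    """Standard rule [GKL15][DGKR18]: at least k blocks follow the tx's block on this chain."""
    for depth, blk in enumerate(chain_from(blocks, tip)):
        if tx in blk.txs:
            return depth >= k
    return False

def confirmed_by_finality(blocks, tip, tx):
    """Finality rule: the tx's block is a finalized block or an ancestor of one."""
    seen_finalized = False
    for blk in chain_from(blocks, tip):
        seen_finalized = seen_finalized or blk.finalized
        if tx in blk.txs:
            return seen_finalized
    return False

def build_fork():
    """Constructed scenario: alice spends coin1 twice, once on each branch of a fork."""
    to_m1 = Tx("coin1", "alice", "merchant1")
    to_m2 = Tx("coin1", "alice", "merchant2")
    blocks = [Block("G", None), Block("B1", "G"),
              Block("B2a", "B1", (to_m1,)), Block("B3a", "B2a", finalized=True), Block("B4a", "B3a"),
              Block("B2b", "B1", (to_m2,)), Block("B3b", "B2b")]  # branch b is never finalized
    return {b.id: b for b in blocks}, to_m1, to_m2
```

In this scenario merchant2, accepting after a single confirmation on branch b, is paid on a chain that is later discarded, while the finality rule never accepts that payment; a client should additionally discard any tip whose chain does not contain the latest finalized block.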

Conclusion

The double spending problem has been an important issue since the first cryptocurrencies, which chose a centralized model in order to solve it. Although decentralized and permissionless blockchain based cryptocurrencies gave us much higher reliability and scalability, solving double spending in this setting also meant waiting longer for transactions to be confirmed.

Using its new finality features [DMM+19], Concordium solves this problem with unprecedented robustness without sacrificing efficiency while keeping the same strong blockchain security guarantees [GKL15][DGKR18] that have become an industry standard.

References

[C82] Blind Signatures for Untraceable Payments. David Chaum. CRYPTO 1982.
[N08] Bitcoin: A peer-to-peer electronic cash system. Satoshi Nakamoto. 2008. URL: https://bitcoin.org/bitcoin.pdf
[GKL15] The Bitcoin Backbone Protocol: Analysis and Applications. Juan A. Garay, Aggelos Kiayias, Nikos Leonardos. EUROCRYPT 2015.
[DGKR18] Ouroboros Praos: An Adaptively-Secure, Semi-synchronous Proof-of-Stake Blockchain. Bernardo David, Peter Gazi, Aggelos Kiayias, Alexander Russell. EUROCRYPT 2018.
[DMM+19] Afgjort: A Partially Synchronous Finality Layer for Blockchains. Thomas Dinsdale-Young, Bernardo Magri, Christian Matt, Jesper Buus Nielsen, Daniel Tschudi. https://eprint.iacr.org/2019/504


Researcher working on blockchains and multiparty computation (MPC). Associate Professor at the ITU, Copenhagen and Scientific Advisor to Concordium. bmdavid.com