Nothing Special   »   [go: up one dir, main page]
Skip to main content
Springer Nature Link
Log in

On the Malleability of Bitcoin Transactions

  • Conference paper
  • First Online:
Financial Cryptography and Data Security (FC 2015)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8976))

Included in the following conference series:

Abstract

We study the problem of malleability of Bitcoin transactions. Our first two contributions can be summarized as follows:

  1. (i)

    we perform practical experiments on Bitcoin that show that it is very easy to maul Bitcoin transactions with high probability, and

  2. (ii)

    we analyze the behavior of the popular Bitcoin wallets in the situation when their transactions are mauled; we conclude that most of them are to some extend not able to handle this situation correctly.

The contributions in points (i) and (ii) are experimental. We also address a more theoretical problem of protecting the Bitcoin distributed contracts against the “malleability” attacks. It is well-known that malleability can pose serious problems in some of those contracts. It concerns mostly the protocols which use a “refund” transaction to withdraw a financial deposit in case the other party interrupts the protocol. Our third contribution is as follows:

  1. (iii)

    we show a general method for dealing with the transaction malleability in Bitcoin contracts. In short: this is achieved by creating a malleability-resilient “refund” transaction which does not require any modification of the Bitcoin protocol.

This work was supported by the WELCOME/2010-4/2 grant founded within the framework of the EU Innovative Economy (National Cohesion Strategy) Operational Programme. Moreover, Łukasz Mazurek is a recipient of the Google Europe Fellowship in Security, and this research is supported in part by this Google Fellowship.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    For a short description of Bitcoin and the non-standard transactions see Sect. 2.

  2. 2.

    This is because Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) that has the property that for every signature \(\sigma = (r,s) \in \{1,\ldots ,N-1\}^2\) the value \(\sigma ' = (r,N-s)\) is also a valid signature on the same message and with respect to the same key as \(\sigma \).

  3. 3.

    An example of such a fork was experienced by the Bitcoin community in March 2013, when it was caused by a bug in a popular mining client software update [11]. Fortunately it was resolved manually, but it is still remembered as one of the moments when Bitcoin was close to collapse.

  4. 4.

    The protocol of [3] was secure only under the assumption that the Bitcoin is modified to prevent the malleability attacks.

  5. 5.

    In the original Bitcoin documentation this is called “simplified \(T_{x}\)”.

  6. 6.

    Technically in Bitcoin \([T_{x}]\) is not directly passed as an argument to \(\pi '_{i}\). We adopt this convention to make the exposition clearer.

  7. 7.

    In our experiments we used addresses 13eb7BFXgHeXfxrdDev1ehrBSGVPG6obu8 and 115g32FHp77hQpuuWpw8j8RYKPvxD1AXyP.

  8. 8.

    Typical Bitcoin client maintains about 8 connections.

  9. 9.

    More precisely it connects to the nodes maintained by mining pools GHash.IO and Eligius.

  10. 10.

    In fact, the BitGo administrators reacted to our experiments by contacting us directly.

  11. 11.

    The malleability problem occurs in Step 3 when Party \(\mathsf {A}\) generates Tx2 (the contract) which spends Tx1, and then asks \(\mathsf {B}\) to sign it and send it back. This happens before Tx1 is included in the block chain and hence if later the attacker succeeds in posting a mauled version Tx1\('\) of Tx1 on the block chain, then the transaction Tx2 becomes invalid.

  12. 12.

    The malleability problem is visible in Step 3, where the refund transaction T2 is created. This transaction depends on the transaction T1 that is not included in the block chain at the time when both parties sign it (in Steps 3 and 4).

  13. 13.

    The problem occurs in Steps 4 and 7, where the “refund_bet” and “refund_reveal” transactions are signed before theirs input transactions “bet” and “reveal” are broadcast.

  14. 14.

    The problem is visible in Step 2 of the \( Commit \) phase of this protocol (the \( Fuse ^\mathsf {A}\) and \( Fuse ^\mathsf {B}\) transactions are created before their input transaction \( Commit \) appears on the block chain).

  15. 15.

    Such transactions are called hash locked in the Bitcoin literature. Notice that having an output script, which requires only preimages and no signatures is not secure, because anyone who notices in the network a transaction trying to redeem such output script learns the preimages and can try to redeem this output script on his own. In our case the output script of the transaction \(T_0\) requires also a signature of A, but we omit it (\(\ldots \)) to simplify the exposition.

References

  1. bips/bip-0065.mediawiki. http://github.com/bitcoin/bips/blob/master/bip-0065.mediawiki. Accessed on 10 December 2014

  2. bitcoinj library homepage. http://bitcoinj.github.io. Accessed on 20 October 2014

  3. Andrychowicz, M., Dziembowski, S., Malinowski, D., Mazurek, Ł.: Fair two-party computations via bitcoin deposits. In: Böhme, R., Brenner, M., Moore, T., Smith, M. (eds.) Financial Cryptography and Data Security. Lecture Notes in Computer Science, pp. 105–121. Springer, Berlin Heidelberg (2014)

    Google Scholar 

  4. Andrychowicz, M., Dziembowski, S., Malinowski, D., Mazurek, L.: Secure multiparty computations on bitcoin. In: 2014 IEEE Symposium on Security and Privacy (SP), May (2014)

    Google Scholar 

  5. Back, A., Bentov, I.: Note on fair coin toss via bitcoin (2013). http://www.cs.technion.ac.il/7Eidddo/cointossBitcoin.pdf

  6. Bentov, I., Kumaresan, R.: How to use bitcoin to design fair protocols. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 421–439. Springer, Heidelberg (2014)

    Google Scholar 

  7. Bentov, I., Kumaresan, R.: How to use Bitcoin to design fair protocols. Cryptology ePrint Archive, Report 2014/129 (2014). http://eprint.iacr.org/2014/129. Accepted to ACM CCS 2014

  8. Bitcoin.org. Developer reference. http://bitcoin.org/en/developer-reference. Accessed on 20 October 2014

  9. Bitcoin.org. List of bitcoin wallets. http://bitcoin.org/en/choose-your-wallet. Accessed on 20 October 2014

  10. Boldyreva, A., Cash, D., Fischlin, M., Warinschi, B.: Foundations of non-malleable hash and one-way functions. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 524–541. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  11. Vitalik, B.: Bitcoin network shaken by blockchain fork, March 2013. Bitcoin Magazine. http://bitcoinmagazine.com/3668/bitcoin-network-shaken-by-blockchain-fork

  12. Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable two-party and multi-party secure computation. In: 34th Annual ACM Symposium on Theory of Computing, pp. 494–503. ACM Press (2002)

    Google Scholar 

  13. Decker, C., Wattenhofer, R.: Bitcoin transaction malleability and mtgox. In: Kutyłowski, M., Vaidya, J. (eds.) ICAIS 2014, Part II. LNCS, vol. 8713, pp. 313–326. Springer, Heidelberg (2014)

    Google Scholar 

  14. Dodis, Y., Wichs, D.: Non-malleable extractors and symmetric key cryptography from weak secrets. In: Mitzenmacher, M. (ed.) 41st Annual ACM Symposium on Theory of Computing, pp. 601–610. ACM Press (2009)

    Google Scholar 

  15. Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM J. Comput. 30(2), 391–437 (2000)

    Article  MATH  MathSciNet  Google Scholar 

  16. Dziembowski, S., Kazana, T., Obremski, M.: Non-malleable codes from two-source extractors. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 239–257. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  17. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system. Consulted 1, 28 (2008)

    Google Scholar 

  18. Weisenthal, J.: Bitcoin just completely crashed as major exchange says withdrawals remain halted, Business Insider (2014). http://www.businessinsider.com/mtgox-statement-on-withdrawals-2014-2

  19. Bitcoin Wiki. Contracts. http://en.bitcoin.it/wiki/Contracts. Accessed on 20 October 2014

  20. Bitcoin Wiki. Main page. http://en.bitcoin.it/. Accessed on 20 October 2014

  21. Bitcoin Wiki. Transaction malleability. http://en.bitcoin.it/wiki/Transaction_Malleability. Accessed on 20 October 2014

  22. Wuille, P.: Bitcoin improvement proposal: dealing with malleability. http://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki. Accessed on 20 October 2014

Download references

Author information

Authors and Affiliations

  1. University of Warsaw, Warsaw, Poland

    Marcin Andrychowicz, Stefan Dziembowski, Daniel Malinowski & Łukasz Mazurek

Authors
  1. Marcin Andrychowicz
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Stefan Dziembowski
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Daniel Malinowski
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Łukasz Mazurek
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Łukasz Mazurek .

Editor information

Editors and Affiliations

  1. Leibniz Universität, Hannover, Germany

    Michael Brenner

  2. Carnegie Mellon University, Pittsburgh, Pennsylvania, USA

    Nicolas Christin

  3. Carnegie Mellon University, Pittsburgh, Pennsylvania, USA

    Benjamin Johnson

  4. New Jersey Institute of Technology, Newark, New Jersey, USA

    Kurt Rohloff

Rights and permissions

Reprints and permissions

Copyright information

© 2015 International Financial Cryptography Association

About this paper

Cite this paper

Andrychowicz, M., Dziembowski, S., Malinowski, D., Mazurek, Ł. (2015). On the Malleability of Bitcoin Transactions. In: Brenner, M., Christin, N., Johnson, B., Rohloff, K. (eds) Financial Cryptography and Data Security. FC 2015. Lecture Notes in Computer Science(), vol 8976. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-48051-9_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-662-48051-9_1

  • Published:

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-48050-2

  • Online ISBN: 978-3-662-48051-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation