publication . Preprint . 2013

How to deal with malleability of BitCoin transactions

Andrychowicz, Marcin; Dziembowski, Stefan; Malinowski, Daniel; Mazurek, Łukasz
  • Published: 11 Dec 2013
Abstract
BitCoin transactions are malleable in the sense that, given a transaction, an adversary can easily construct an equivalent transaction which has a different hash. This can pose a serious problem in some BitCoin distributed contracts in which changing a transaction's hash may result in protocol disruption and financial loss. The problem mostly concerns protocols that use a "refund" transaction to withdraw a deposit in case of protocol interruption. In this short note, we show a general technique for creating malleability-resilient "refund" transactions, which does not require any modification of the BitCoin protocol. Applying our technique to our previo...
Subjects
free text keywords: bepress|Physical Sciences and Mathematics|Computer Sciences, Computer Science - Cryptography and Security

1. A holds the key pair A and B holds the key pair B.

2. A knows the secret sA, B knows the secret sB, both players know the hashes hsA = H(sA) and hsB = H(sB).

3. There are four unredeemed transactions T1A, T2A and T1B, T2B, which can be redeemed with the keys A and B respectively, each having the value of d B.

1. A draws a random string rA and B draws a random string rB.

2. The parties execute CS.Commit(A, B, d, t, rA) and CS.Commit(B, A, d, t, rB) using T1A and T1B respectively. The former execution will be denoted CSA and the latter CSB. Recall that the parties quit the whole NewSCS protocol if they detect misbehavior of the other party during one of the CS.Commit executions.

3. Both players compute the body of the transaction Commit using T2A and T2B as inputs.

4. A signs the transaction Commit and sends the signature to B.

5. B signs the transaction Commit and broadcasts it.

6. Both parties wait until the transaction Commit is confirmed.

7. If the transaction Commit has not appeared on the blockchain by the time t − 3maxBB, where maxBB is the maximal possible delay between broadcasting the transaction and including it in the blockchain, then A immediately redeems the transaction T2A and, after T2A is redeemed, she opens her CSA commitment and quits the protocol. Analogously, if A has not sent her signature to B by the time t − 3maxBB, then B opens his CSB commitment and quits the protocol.

8. A and B broadcast the transactions Open A and Open B respectively, which reveals the secrets sA and sB.
