Double-spending is the risk in a digital cash system that the same funds are spent with two recipients at the same time. Without adequate countermeasures, a protocol that doesn’t resolve the problem is fundamentally undermined – users have no way to verify that the funds they’ve received have not already been spent elsewhere.
When it comes to digital cash, ensuring that specific units can’t be duplicated is of paramount importance. The entire system would be undermined if Alice could receive 10 units, copy-and-paste them 10 times, and find herself in possession of 100 units. Similarly, such a scheme can’t work if she can send the same 10 units to both Bob and Carol simultaneously. So, for digital money to function, there must be mechanisms in place to prevent this behavior.
The centralized route is considerably easier to implement than decentralized alternatives. This typically involves one overseer managing the system and controlling the issuance and distribution of units. A good example of a centralized solution to the double-spend problem is that of David Chaum’s eCash.
To issue users with a digital asset mimicking cash (capable of anonymous and peer-to-peer exchange), a bank can use blind signatures – as detailed by cryptographer David Chaum in his 1982 paper Blind Signatures for Untraceable Payments.
In such a context, if a user (let’s call him Dan) wishes to receive $100 in digital cash, he is required to inform the bank first. Provided he has the balance in his account, he will then generate a random number (or many, for smaller denominations). Let’s suppose he produces five numbers, each to be assigned a value of $20. To prevent the bank from tracking specific units, Dan obfuscates the random numbers by applying a blinding factor to each one of them.
He then turns this data over to the bank, which debits his account for $100, and signs messages certifying that each of the five pieces of information is redeemable for $20. Dan can now spend the funds issued by the bank. He goes to Erin’s restaurant, and purchases a meal that costs him $40.
Dan can remove the blinding factor to expose the random number associated with each digital cash “bill”, which serves as a unique identifier for each unit (much like a serial number). He reveals two of these to Erin, who must now redeem them immediately with the bank to prevent Dan from spending them with another merchant. The bank will check that the signatures are valid, and if everything appears correct, it will credit Erin’s account with $40.
The bills used are now essentially burned, and more must be issued if Erin wishes to spend her new balance in this same way.
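The withdraw-spend-redeem cycle above, as an added example that is not part of the original article: a toy Chaum-style RSA blind signature, plus the bank-side check that lets a serial number be cashed only once. The RSA primes are constructed and far too small for real use, and the names (Bank, issue_bill, bill_digest) are this example’s own.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the bank (primes far too small for real use).
P, Q = 1_000_003, 1_000_033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # bank's private signing exponent

def bill_digest(serial: int) -> int:
    """Hash the bill's random serial number into the RSA group."""
    return int.from_bytes(hashlib.sha256(str(serial).encode()).digest(), "big") % N

def blind(serial: int) -> tuple[int, int]:
    """Dan's side: hide the digest as m * r^e mod N and keep r for unblinding."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:                 # r must be invertible mod N
            return (bill_digest(serial) * pow(r, E, N)) % N, r

def unblind(blinded_sig: int, r: int) -> int:
    """Dan's side: divide out r, leaving a plain signature on the digest."""
    return (blinded_sig * pow(r, -1, N)) % N

class Bank:
    """Signs blinded bills and redeems each serial number at most once."""
    def __init__(self) -> None:
        self.spent: set[int] = set()

    def sign_blinded(self, blinded: int) -> int:
        # The bank certifies the bill without learning its serial number.
        return pow(blinded, D, N)

    def redeem(self, serial: int, sig: int) -> bool:
        """Erin's deposit: valid signature required, and each serial cashes once."""
        if pow(sig, E, N) != bill_digest(serial):
            return False                   # forged or corrupted bill
        if serial in self.spent:
            return False                   # same bill presented twice
        self.spent.add(serial)
        return True

def issue_bill(bank: Bank) -> tuple[int, int]:
    """Dan withdraws one bill: pick a serial, blind it, get it signed, unblind."""
    serial = secrets.randbits(128)
    blinded, r = blind(serial)
    return serial, unblind(bank.sign_blinded(blinded), r)
```

Redeeming the same (serial, signature) pair a second time returns False, which is exactly why Erin must deposit immediately: whoever reaches the bank first gets the $20.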
The Chaumian eCash setup might be valuable for private transfers, but it lacks resilience because the bank is a central point of failure. A bill issued is worth nothing in itself, as its value is derived solely from the bank’s willingness to exchange it for dollars. Customers are at the mercy of the bank, and must rely on its goodwill for money to function. This is precisely the problem that cryptocurrency aims to remedy.
Ensuring that funds can’t be double-spent in an ecosystem with no overseer is more challenging. Equally-powerful participants must coordinate around a set of rules that prevent fraud and incentivize all users to act honestly.
The greatest innovation presented in the Bitcoin white paper was a solution to the double-spending problem. Though not referenced as such, Satoshi proposed the data structure now widely known as a blockchain.
A blockchain is really just a database with some unique properties. Participants on the network (referred to as nodes) run specialized software, which enables them to synchronize their copy of the database with their peers. The result is that the entirety of the network can audit the history of transactions dating back to the genesis block. By having the blockchain viewable publicly, it’s easy to detect and prevent fraudulent activity, such as transactions that try to double-spend.
When a user broadcasts a transaction, it is not immediately added to the blockchain – it must first be included in a block through mining. As such, the recipient should only consider the transaction valid after its block is added to the chain. Otherwise, they risk losing the funds, as the sender could spend the same coins elsewhere.
Once the transaction is confirmed, the coins can’t be double-spent, as ownership is assigned to a new user – and the entire network can verify this. It is for this reason that many recommend waiting for multiple confirmations before accepting a payment as valid. Each subsequent block drastically increases the amount of effort required to modify or rewrite the chain (which may occur during a 51% attack).
Let’s revisit the restaurant scenario. Dan returns to the restaurant, and this time notices a Bitcoin Accepted Here sticker on the window. He enjoyed the meal he had last time, so orders it again. It costs him 0.005 BTC.
Erin presents him with a public address to which he must send the funds. Dan broadcasts the transaction, which is essentially a signed message stating that the 0.005 BTC that were in Dan’s possession are now in Erin’s. Without going into too much detail, anyone presented with Dan’s signed transaction can verify that he was indeed in possession of the coins, and therefore had the authority to send them.
As mentioned, though, the transaction is only valid if included in a block that gets confirmed. Accepting unconfirmed transactions is much like accepting the $40 in eCash from the previous example without immediately cashing it in with the bank – it allows the sender to spend it elsewhere. So, it’s recommended that Erin wait for at least 6 block confirmations (roughly one hour) before accepting Dan’s payment.
Bitcoin is carefully designed to prevent double-spending attacks, at least when the protocol is used as expected. That is, if individuals wait for transactions to be confirmed in a block, there is no easy way for the sender to undo it. To do so, they would need to “reverse” the blockchain, which requires an unrealistic amount of hashing power.
However, there are a handful of double-spending attacks that target parties who accept unconfirmed transactions. For low-value purchases, for instance, a merchant may not want to wait for transactions to be included in a block. A busy fast-food restaurant probably can’t afford to stand by as the network processes every purchase. So, if a business enables “instant” payments, it opens itself up to double-spends. Someone might order a burger, pay for it, then immediately send the same funds to their own address. With a higher fee, this new transaction is likely to be confirmed first, and will therefore invalidate the previous one.
There are three popular methods for performing a double-spend:
51% attacks: when a single entity or organization manages to control more than 50% of the hash rate, which allows them to exclude or modify the ordering of transactions. Such an attack is highly unlikely on Bitcoin, but has happened in other networks.
Race attacks: two conflicting transactions are broadcast in succession, using the same funds – but only one transaction gets confirmed. The attacker’s goal is to invalidate the payment by getting only the transaction that benefits him confirmed (e.g., one sending the same funds to an address that he controls). Race attacks require the recipient to accept an unconfirmed transaction as payment.
Finney attacks: an attacker pre-mines one transaction into a block without broadcasting it to the network immediately. Instead, he spends the same coins in another transaction and only then broadcasts his previously mined block, which may invalidate the payment. Finney attacks require a specific sequence of events to occur and are also contingent on the recipient’s acceptance of unconfirmed transactions.
As we can see, a merchant that waits for block confirmations will vastly reduce the risks of becoming a victim of double-spends.
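The confirmation rule from the restaurant scenario and the race attack described above, modelled from the node’s and the merchant’s side as an added example that is not part of the original article. The node keeps a UTXO set and a mempool, rejects the second of two transactions spending the same outpoint, evicts whichever twin loses once a block confirms the other, and exposes the confirmation depth Erin’s six-block policy relies on. All names, the 500000-satoshi amount and the “funding:0” outpoint are constructed for this example.

```python
from collections import namedtuple
from dataclasses import dataclass, field

Tx = namedtuple("Tx", "txid inputs outputs")  # inputs: outpoints "txid:index"; outputs: (address, sats)

@dataclass
class Node:
    utxos: dict = field(default_factory=dict)    # outpoint -> (address, sats)
    mempool: dict = field(default_factory=dict)  # txid -> Tx awaiting a block
    chain: list = field(default_factory=list)    # blocks, each a list of Tx

    def accept_to_mempool(self, tx) -> bool:
        """Refuse unknown or spent inputs, and inputs a mempool tx already claims."""
        if not all(op in self.utxos for op in tx.inputs):
            return False
        claimed = {op for t in self.mempool.values() for op in t.inputs}
        if any(op in claimed for op in tx.inputs):
            return False                          # conflicting twin: second spend
        self.mempool[tx.txid] = tx
        return True

    def mine_block(self, txs) -> None:
        """Confirm txs, update the UTXO set, drop mempool txs left without inputs."""
        for tx in txs:
            for op in tx.inputs:
                del self.utxos[op]                # KeyError if the block is invalid
            for i, out in enumerate(tx.outputs):
                self.utxos[f"{tx.txid}:{i}"] = out
        self.chain.append(txs)
        self.mempool = {t: x for t, x in self.mempool.items()
                        if all(op in self.utxos for op in x.inputs)}

    def confirmations(self, txid) -> int:
        """0 while unconfirmed (or evicted); else blocks since inclusion, tip = 1."""
        for depth, block in enumerate(self.chain):
            if any(tx.txid == txid for tx in block):
                return len(self.chain) - depth
        return 0

def merchant_should_accept(node, txid, required=6) -> bool:
    return node.confirmations(txid) >= required  # Erin's six-confirmation rule

def race_scenario(miner_takes_self_pay: bool):
    """Constructed race: Dan's 500000-sat output is offered to Erin and to himself."""
    node = Node(utxos={"funding:0": ("dan", 500_000)})
    to_erin = Tx("tx_erin", ("funding:0",), (("erin", 500_000),))
    to_self = Tx("tx_self", ("funding:0",), (("dan", 500_000),))
    accepted = [node.accept_to_mempool(t) for t in (to_erin, to_self)]
    node.mine_block([to_self if miner_takes_self_pay else to_erin])
    return accepted, node.confirmations("tx_erin"), node
```

Erin’s node accepts her payment into its mempool and rejects the twin, yet if a miner that heard the twin first confirms it, her transaction is evicted and its confirmation count stays at zero; only after six blocks on top of her own transaction does the policy return True.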
A double-spend allows a user to game an electronic cash system for financial gain, making use of the same funds more than once. Historically, a lack of adequate solutions to the problem has stood in the way of progress in the area.
Fortunately, however, blind signatures offered an interesting solution for centralized financial schemes. Later, the creation of Proof of Work mechanisms and blockchain technology gave birth to Bitcoin as a powerful form of decentralized money – which, in turn, inspired thousands of other cryptocurrency projects.