Distributed Double Spending Prevention

We study the problem of preventing double spending in electronic payment schemes in a distributed fashion. This problem occurs, for instance, when the spending of electronic coins needs to be controlled by a large collection of nodes (eg. in a peer-to-peer (P2P) system) instead of one central bank. Contrary to the commonly held belief that this is fundamentally impossible, we propose several solutions that do achieve a reasonable level of double spending prevention, and analyse their efficiency under varying assumptions.

💡 Research Summary

The paper tackles the problem of preventing double spending in electronic payment systems without relying on a central bank, a scenario common in peer‑to‑peer (P2P) networks. The authors introduce the notion of “clerk sets,” subsets of nodes that collectively act as a distributed bank. When a coin is transferred, the receiver contacts the clerk set associated with that transaction; each clerk stores a history of all coins it has seen. If two transactions involving the same coin reach the receiver, the protocol guarantees that at least one honest clerk will have recorded both, thereby detecting the double spend.

Four main constructions are examined.

1. Deterministic fixed clerk sets: Each node is assigned a pre‑computed clerk set B_i. The requirement that any two clerk sets intersect in at least one honest node leads to a lower bound on the set size of Θ(√n·f), where n is the total number of nodes and f the maximum number of dishonest nodes. This matches known results from distributed matchmaking literature.
2. Randomized clerk sets: For each transaction a clerk set of size q·n·log_e(1−f/n) is chosen uniformly at random. By selecting q appropriately the probability that two disjoint honest clerk sets are chosen can be made ≤2⁻ˢ, where s is a security parameter. Even when half the nodes are faulty (f/n≈0.5) the required set size remains O(√n).
3. Allowing up to r double spends: The model is relaxed so that a coin may be double‑spent up to r times before detection is required. This permits a √r reduction in clerk set size: for f=1 the size becomes √(2ns r), and for f>1 it becomes q·n·s·log_e(1−f/n)·r.
4. Coin‑ID‑specific clerk spaces: By using the unique identifier of a coin to restrict which clerks may be involved, the size of a clerk set can be made independent of the total network size. The required space is β ≥ d + s·log((n−d)/(f−d)), where d is the number of nodes that can be corrupted after joining. A clerk set of size β·r·log_e(s+1+log(r+2)) suffices to detect a coin that has been double‑spent r times.

The authors relate their work to quorum systems in replicated databases, noting that while quorums guarantee intersection, their “r‑relaxed” version is not covered by existing quorum theory. They also contrast their approach with earlier probabilistic bank‑calling schemes (Jarecki & Odlyzko, Yacobi).

The paper assumes a static network, a global public‑key infrastructure, and unbounded storage at clerks; denial‑of‑service attacks and storage‑growth mitigation are left for future work. Under these assumptions, the analysis provides clear trade‑offs: deterministic schemes give strong guarantees at the cost of larger clerk sets, randomised schemes achieve comparable security with smaller sets, and coin‑ID‑based schemes achieve the best scalability, making them the most promising for real‑world P2P electronic cash systems. The authors conclude that further research is needed to relax the static‑network assumption, handle node churn, and address practical storage constraints.