Proof-of-stake has been proposed as a more energy-efficient alternative consensus protocol to proof-of-work for cryptocurrencies. In proof-of-work, miners need to solve a computational puzzle in order to earn the right to create a block and receive the associated financial rewards. The amount of blocks that they mine is, hence, proportional to their computational power. In contrast, the idea behind PoS is that participants mine a fraction of blocks that is proportional to the relative amount of coins they own. One crucial component of PoS consensus protocols is their leader election (caucus, ), used to decide which participants will get to create the next block. Although leader election protocols have been studied widely in the traditional field of distributed systems, the setting of blockchains – which are decentralized and provide financial rewards for block creation – poses new challenges that are paramount to the security of the whole consensus protocol. For example, leader election protocols must be fair, in the sense that miners must be elected proportionally to their power (stake or compute resources); this is to ensure they are compensated fairly for their investment and to prevent Sybil attacks. They should also be private, i.e., no actor should be able to guess the next leader until they broadcast their block with a proof-of-eligibility; this prevents denial-of-service (DoS) attacks against the next leader. Many attempts have been made to design an adequate leader election protocol, such as using hash functions (daian2019snow, ; caucus, ) or coin tossing protocols (kiayias2017ouroboros, ). Another method that has been adopted by many protocols (algorand, ; praos, ; nakamoto-pos, ; praos, ) is the use of verifiable random functions (VRFs) (micali1999verifiable, ).
Most leader election protocols used in blockchains are private but probabilistic (algorand, ; praos, ; daian2019snow, ), meaning that one leader will privately be elected on expectation, but it could be that zero or several leaders are elected in some rounds. Probabilistic Leader Elections (PLEs) can be problematic since having multiple leaders elected in a round leads to different views or forks in the system. Ouroboros (kiayias2017ouroboros, ) proposed a leader election where exactly one leader is elected per round. However, the election is not private and exposes the leader to DoS attacks.
. Although current SSLEs are more complex to implement than, for example, PLEs based on VRFs, they intuitively improve the security of PoS blockchains because they reduce the probability of honest forks. However, there is no formal proof of this statement and, if true, the exact gain in security that they achieve, compared to PLEs, has yet to be quantified.
In this work, we perform a comparison between SSLEs and PLEs and investigate the gain in security against private attacks, where the adversary grows a private chain of blocks so as to outpace the honest chain. Focusing our analysis on private attacks, and not general adversaries, is motivated by the work of Dembo et al. (dembo2020everything, ), who showed that private attacks are the worst attack in longest-chain blockchains, in the sense that the true security threshold of a longest-chain protocol is the same as the security threshold against private attacks.
We start our analysis by considering leader elections that have access to a perfect source of randomness in Section 4, before considering randomness that is derived from the blockchain itself – as is the case for many PoS longest-chain protocols (praos, ; nakamoto-pos, ; praos, ) – and the resulting grinding attack in Section 5. We find that, with perfect randomness, the persistence parameter (or settlement time) against private attacks in a synchronous network is decreased by roughly against a 33% or 25% adversary. In the grinding case, the security threshold is higher by 10 percentage points in the SSLE case (36%) than in the PLE case (26%) and the persistence parameter is decreased by roughly 70%. Although it is not surprising that SSLEs perform better than PLEs in longest-chain blockchains, we did not expect to see such significant improvements.
These results are very encouraging and could motivate the switch from PLE to SSLE in current PoS blockchains. Since SSLEs are still less efficient than PLEs, quantifying the gain in security is paramount for evaluating fairly the trade-offs between the two. We leave a full analysis of PoS with SSLE in a partially synchronous network and against all possible attacks as future work. Whether with SSLE or PLE, obtaining an exact formula for the security of the protocol against any adversary (i.e., the probability of breaking the consensus) is an open and non-trivial problem. All the known analyses that consider a general adversary are based on bounds that would not be useful for our comparison, and hence a general adversary is beyond the scope of this work.
Lastly, we note that our analysis does not make use of the secret property of the SSLE (that protects against DoS attacks), and thus the results would hold for a public single leader election as well.
2. Related work
Previous works have proposed formal analyses of PoS blockchains based on PLEs (linearconsistency, ; nakamoto-pos, ; posat, ). In most of them, the proof revolves around finding a special block that guarantees security of the protocol and bounding the probability that this type of block does not appear in a sequence of consecutive blocks. For example, Kiayias et al. (kiayias2020consistency, ) consider Catalan blocks, Bagaria et al. (nakamoto-pos, ) and Deb et al. (posat, ) consider Nakamoto blocks, Daian et al. (daian2019snow, ) consider pivot point. In (nakamoto-pos, ), the interpretation given for that special block is that no private chain started by the adversary at any point in time before that block will be able to catch up with any chain that includes that block at any point in the future. They show that any attack can be modelled as a composition of private attacks.
Dembo et al. (dembo2020everything, ) considered three different types of longest-chain blockchain protocols: proof-of-work, proof-of-stake, and proof-of-space, and showed that in all three cases the true security threshold of the protocol (i.e., the security threshold when considering all attacks) is exactly the same as the security threshold of the private attack. They also prove that the private attack is the worst attack in the synchronous proof-of-work case. In the case of PoS protocols, based on the fact that other attacks do not appear in the security threshold, they conjecture that these attacks should have at least the same exponent as the private attack. Even though this conjecture is left open, we decide in this paper to focus on the private attack and leave a full analysis as future work. While this limits the generality of our work, we believe that, due to the conjecture above, studying the private attack alone gives a good proxy for the security of PoS longest-chain protocols. Furthermore, this simplifying assumption allows us to get exact bounds, as opposed to the loose bounds obtained by other analyses (daian2019snow, ; nakamoto-pos, ; posat, ; linearconsistency, ), usually based on Chebyshev’s inequality or similar inequalities. Loose bounds on the probability of successful attacks would not be sufficient to meaningfully quantify the difference between SSLE and PLE in longest-chain PoS blockchains as even if one bound is smaller than the other, this does not say anything about how the exact probabilities compare. Simplifying our model to only consider private attacks alleviates this problem as it allows us to get closed-form solutions that we are meaningfully able to compare.
3. Background, Model, and Definitions
We start by giving some background on PoS blockchains before presenting our model. Because we limit our adversary to private attacks, we will consider a rather simplistic model and abstract away most of the blockchain concepts.
3.1. Proof-of-stake blockchains
A blockchain is a digital distributed ledger of transactions. Transactions are grouped into blocks that are chronologically ordered in a linked chain. In a PoS system, participants – also called miners or validators– are eligible to create blocks based on their relative stake, as measured from the number of coins that they own. In longest-chain protocols, eligible miners create their block and append it to the longest chain of blocks that they are aware of, i.e., the new block should link to the block atop the longest existing chain of blocks.
Briefly, the protocol works as follows. Whenever miners receive a block, they add it to their local view. At each round, they run a leader election protocol that randomly decides their eligibility for that round, proportionally to their stake. For now we assume access to a perfect random beacon (ben1985collective, ) that emits a random number at the beginning of each round. This beacon is then given as an input to the leader election. If they are elected in that round, miners create a block on top of their longest chain and broadcast their block to the network. In the case where there exist two chains of the same length, e.g., if more than one leader was elected in the previous round, miners break the tie in a random way. In our model, we will ignore the content of the blocks as well as associated reward or financial incentives.
Informally, a blockchain should verify two security properties (dembo2020everything, ): (1) persistence, meaning that once a block has been confirmed by an honest miner, it should stay in the chain of that miner indefinitely i.e., it is not possible for an adversary to revert the chain of an honest miner, except for the last blocks; and (2) liveness, meaning that new blocks should be appended to the chain continually, even in the presence of an adversary.
One important parameter in longest-chain blockchains is the persistence parameter – or settlement time – , which, informally, represents the number of rounds after which an honest miner will consider a block confirmed, i.e., after which it will stay in the chain forever.
3.2. Private attacks
Private attacks are a specific type of attack on longest-chain blockchains, in which an adversary keeps its blocks private (instead of sending them to the rest of the miners) and does not mine on other participants’ blocks. In other words, the adversary is creating its own chain, parallel to the honest chain. The adversary succeeds if it can create a private chain longer than the honest chain. If that is the case, it will broadcast its chain to the rest of the players, forcing them to abandon their own chain and mine on top of the adversarial chain. It is clear that this attack will almost surely be successful if the adversary can mine blocks at a rate faster than the rest of the players. In PoS blockchains, this rate is proportional to the relative amount of stake that one owns. Hence this attack will succeed if the adversary owns more than half of the total stake. If not, then there exists a time after which this attack becomes very unlikely to succeed.
We consider a set of participants, a fraction of which are controlled by an adversary performing a private attack as specified above. The remaining participants are honest and follow the protocol. Time is divided into discrete time-steps. We assume that we have access to a broadcast algorithm and we consider a synchronous model meaning that each message, i.e., block, sent by an honest participant reaches everyone after at most time steps with . We consider a round-based protocol that relies on an underlying leader election mechanism as defined below. We assume that the duration of each round is strictly more than , such that any message sent by any honest participant at the beginning of a round will be received before the end of that round. We assume that we have access to a perfect random beacon that emits new randomness at the beginning of each round. We will relax this assumption in Section 5.
For simplicity, we consider a flat model, meaning that each miner accounts for one unit of stake and that the set of participants is static.
3.3.2. Leader Election
Every PoS protocol uses a leader election to decide which miners are eligible to create blocks. In this paper, we treat it as a black box algorithm that takes as input a random number and a set of participants and outputs a (potentially empty) set of leaders. We consider two types of leader election: Single Secret Leader Election (SSLE) (ssle, ), where exactly one leader is elected per round, and Probabilistic Leader Election (PLE) (algorand, ), where one leader is elected per round on expectation. This means that, when using a PLE, there could be multiple leaders or no leader at all in a round. We denote and the number of adversarial and honest leaders elected at round , respectively.
We model the PLE case as follows: at each round, every player “tosses their own coin” (using the randomness given by the random beacon) to determine their eligibility; each player wins with probability . In practice, this is achieved using a verifiable random function (micali1999verifiable, ): each player uses the VRF to compute their own random number; if it falls below a threshold, they are elected leader. An adversary controlling a fraction
of the players will thus have a number of leaders that follows a Binomial distribution withtrials and success probability , seeing as they get to toss a coin for each of the players they control. We assume that the number of participants
is big and hence the number of adversarial leaders elected can be approximated as a Poisson distribution with parameter. Similarly, the number of honest participants elected in a round follows a Poisson distribution with parameter . Furthermore, the number of adversarial and honest leaders are independent from each other.
In the SSLE case, exactly one of the players is elected, hence the number of adversarial leaders follows a Bernoulli distribution with parameter. However, the number of adversarial and honest leaders are not independent. In particular, the number of honest leaders is the complement of the number of adversarial leaders, i.e., for every .
In this paper, where we consider a static adversary that performs a private attack, we ignore some of the practical requirements for leader elections in PoS blockchains (such as unpredictability and secrecy) that are not relevant to the model.
3.3.3. Security games
We consider an adversary mounting a private attack against the honest players. Accordingly, we define the following games that capture whether or not the adversary succeeds in a private attack according to the assumptions above.
Definition 3.1 (-PLE Private Game).
The PLE private game with parameters is defined as follows: at each round a number of adversarial leaders and of honest leaders are selected at random from, respectively, Poisson distributions of parameters and . We say that the adversary wins the PLE private game of length and power if the number of rounds with non-zero adversarial leaders is greater than or equal to the number of rounds with non-zero honest leaders, i.e.:
Definition 3.2 (-SSLE Private Game).
The SSLE private game with parameters is defined as follows: at each round , exactly one leader is elected. This leader is adversarial () with probability and honest () with probability . We say that the adversary wins the SSLE private game of length and power if the number of rounds with adversarial leaders is greater than or equal to the number of rounds with honest leaders, i.e.:
We now define the persistence parameter of the games, parametric in , that intuitively represents the number of rounds after which the adversary cannot win the private game, except with probability .
Definition 3.3 (persistence parameter).
We say that is the persistence parameter of the SSLE, resp. PLE, private game if the probability that there exists any such that the adversary wins the SSLE, resp. PLE, game of length is .
In order to study the private games, we define the concept of gap, already introduced by Blum et al. (linearconsistency, ).
Definition 3.4 (Gap).
The gap at round is the difference between the number of adversarial rounds and honest rounds in rounds 1 to . Let and denote, respectively, the gap in the PLE and SSLE private games of parameters . For , we have:
If we consider a general analysis that applies to both settings (SSLE and PLE), we simply write and talk about the private game. It is clear that the adversary wins the private game of length if and only if . In the next section, we will study the behaviour of the gap. We are specifically interested in the probability that the adversary wins the PLE and SSLE games for any , .
Before this, we briefly explain why the PLE and SSLE private games are an accurate description of the private attack in PoS systems. In the SSLE case, since there is exactly one leader per round and the network is synchronous, it is clear that the honest chain will be exactly the same length as the number of honest rounds and the adversarial chain will be at most the same length as the number of adversarial rounds.
In the PLE case, however, there could be honest forks due to multiple honest leaders being elected in the same round. If that happens, and since we consider a synchronous network, the longest chain will still increase by one even if some of the blocks at that round are being abandoned. Even in the worst case where there are multiple longest chains for several rounds, each of them will still be as long as the number of honest rounds. Similarly, in the adversarial case, even if the adversary has more than one block on one round, it can only append one block per round and, hence, its longest chain is bounded by the number of eligible rounds.
In this section we prove our main theorems, Theorem 4.5 and 4.6, where we express for the probability that an adversary succeeds in winning the private game for any length greater than or equal to . This probability corresponds to the value for the corresponding persistence parameter . We will then compare the persistence parameter in the SSLE and PLE cases.
SSLE and PLE games as biased random walks
In the SSLE game, it is straightforward to see that the gap will increase by one with probability and decrease by one with probability .
In the PLE game, there are two events in which the gap will not change. The first event is when no leader is elected. The second event is when an honest leader is elected at the same round as an adversarial leader. We call these events null events and denote the probability that they happen.
On the other hand having multiple adversarial leaders and no honest leader is equivalent to having exactly one adversarial leader since the gap will grow by one at that round regardless of the exact number of adversarial leaders and vice versa for honest leaders. We note the probability that an adversary is the unique leader in a round - which does not depend on - and the probability that the honest players are unique leaders. The PLE game can be modeled as a random walk that increases by one with probability , decreases by one with probability and stays the same with probability . Since and are independent, we have:
And similarly: .
We now move on to prove our first lemma. For the rest of the paper, for and , we note
Lemma 4.1 ().
For every and :
We already noted that is a random walk such that
The proof of the lemma follows from standard results on random walks and can be found in (proba-random-walk, ). Briefly, for : . We note the number of times that increased by one and the number of times that decreased by one. If for , we have and hence . There are exactly different ways to reach , starting from and hence . ∎
We now look at the equivalent lemma, in the PLE case.
Lemma 4.2 ().
For every and :
If , there can be between 0 and null slots (i.e., slots where the gap does not change from the previous step); hence, we have:
We start by assuming that there exist exactly null events in the PLE game. After removing the null events from the PLE game, the remaining slots are either fully adversarial or fully honest; this is equivalent to an SSLE game of length . The power of the adversary in this new SSLE game needs to be adjusted, accounting for the fact that null events have been removed. Hence the equivalent SSLE game has parameters and due to the independence of each round. We thus have the following:
Following standard results on Binomial distribution we have that , hence:
This result can also be derived using the multinomial distribution. ∎
Having computed the probability that the gap is equal to some value , and in order to study the persistence parameter, we are also interested in the probability that the gap, starting at some negative value , goes back up to zero. In blockchain terms, if the adversarial chain is behind the honest chain by blocks, we compute the probability that it eventually catches back.
Lemma 4.3 ().
For , if in round , for , then the probabilities that ever reaches for any in the SSLE and PLE cases are:
We start by considering the PLE case. The probability that reaches 0 starting from a position for is the same as the probability that ever reaches M when starting at 0 (i.e., has a net increase of M).
Let’s note . Then we have ( needs to have net increase of 1). Furthermore, we have since either increases straight away by one (with probability ), or decreases by one (with probability ) in which case needs to increase by 2 to have a net increase of 1, or stays the same (with probability ) in which cases still needs to increase by 1.
We have , with . Hence, satisfies: . The solutions to this equation are . Because , the random walk is transient with drift towards , hence . This means that and .
The analysis in the SSLE case works the same but with , and . We then have . The two solutions of this equation are 1 and . Since , we have: .
Interestingly, since is increasing on , we notice that for , . Starting from , the adversary is, hence, more likely to catch up the honest chain in the SSLE case than in the PLE case. However, this does not say anything about whether the adversary is more likely to win the private game of length as one process may be decreasing faster than the other. We shall now compute the expected value of the gap in both cases to get a sense of their evolution.
Intuitively, since longest-chain protocols have been proven secure for an adversary that has less than half of the power (dembo2020everything, ), the gap should decrease with time. The longer the chain is, the harder it is for an adversary to catch up with the honest chain and hence the bigger their disadvantage is, and hence their gap. In the next lemma, we prove that the expected gap is linear in and that the linear coefficient is bigger for the SSLE than PLE gap, and, therefore, the disadvantage of the adversary grows faster in the SSLE case, consistently with the intuition that SSLE is more secure. Figure 0(a) show this coefficient for different values of .
Lemma 4.4 ().
For every and :
Let denote a random walk that has a probability of going up by 1, a probability of going down by 1 and a probability of staying the same in each round. Additionally we assume .
It is trivial to verify that is a martingale. Since martingales have constant expectations, we have and hence . We apply this result to and . In the SSLE case, and in the PLE case . This proves the result. ∎
We now move on to prove the main result that gives the probability of success of the adversary in the SSLE game.
Theorem 4.5 ().
The probability that the adversary wins the SSLE game for any length greater or equal than is:
For readability, in this proof we note instead of . We start by noting that for every . There are two scenarios where the adversary can have a private chain longer than the honest chain for a length of at least : either the gap at is positive, or the gap is negative and the adversary catches up in the future (i.e., the gap reaches 0 in the future). This gives us the following:
We now move on to prove the result in the PLE case.
Theorem 4.6 ().
The probability that the adversary wins the PLE private game for any length greater or equal than is:
We use the same technique as in the previous theorem.
In order to compare these two probabilities, we plot them for different values of and . In Figure 1, we see that, as expected, SSLE performs much better than PLE: the adversary wins the PLE game with higher probability than the SSLE game. To cite a few concrete examples, for 300 and a 33% adversary, the probability of success drops from to (Figure 0(e)). For and the persistence parameter is in the SSLE case and 550 in the PLE case. For a blockchain where one block is emitted every 30 seconds, breaking persistence with probability would roughly occur once every million years.
For all the values of that we plotted, we see that, at least for big enough, the probability of violating persistence is exponential (as the graph is linear in logarithmic scale), meaning that it is of the form for in both the PLE and SSLE cases – for different values of that we denote and . We remark that this form is consistent with the bound found by Gazi et al. (gazi2020tight, ) and Li et al. (li2020close, ) in the context of Bitcoin and is tighter than the one of from Dembo et al. (dembo2020everything, ) which is based on a looser inequality (as they consider every attack possible).
For a fixed and large , the persistence parameter of the SSLE game, , can thus be expressed as follows: , where is the -persistence parameter of the PLE game. Finding the value of and is straightforward by computing a specific value of for some big enough : . We find that the persistence parameter decreases by for a 49% adversary, by roughly for a 33% or 25% adversary, and by for a 10% adversary in the SSLE case compared to the PLE case. The improvement is substantial.
5. Grinding analysis
In the previous section, we have assumed that the random beacon given as input to the leader election at each round came from a perfect source of randomness. Such an assumption can be achieved with a decentralized random beacon (syta2017scalable, ), for example. However most PoS protocols rely on an internal random beacon, which is based on the state of the chain. Such random beacons are vulnerable, to some extent, to grinding attacks where an adversary grinds through the block space in order to bias the randomness and find a value for which an unfair advantage can be extracted. Bagaria et al. (nakamoto-pos, ) studied the security of PoS protocols where the randomness is updated every blocks and the trade-offs between updating the randomness more frequently (and being more vulnerable to grinding) or less frequently (and being more predictable). In this section, we study this specific case and compare the security guarantees of PoS blockchains against private attacks that use grinding in the PLE and SSLE case. We start by presenting this new model in Section 5.1 before moving on to the analysis in Section 5.2.
5.1.1. Random Beacon and Grinding
We assume that the random beacon given as input to the leader election in each round is based on the data in the block created in the previous round. A block created by different miners or a round skipped will all produce different beacons and thus election results in the next round but two blocks created by the same leader at the same round with different content (e.g., different transaction sets) will produce the same random beacon.
As a concrete, simplified, example, we assume that a random beacon is initialized using a multiparty computation protocol (beimel2010protocols, ; ben1985collective, ; cascudo2017scrape, ) at round 0. Randomness at round is then defined as , where is the deterministic signature of the player creating the block in round . In practice a Verifiable Random Function (micali1999verifiable, ) will be used instead of a signature scheme but this does not matter for our analysis. If no block is created at round because the elected leader was offline or no leader was elected (in the PLE case), then the previous randomness is used, i.e., .
This scenario corresponds to in (nakamoto-pos, ) and it could be extended to the more general case where the randomness is updated every blocks instead (i.e., ) as Bagaria et al. (nakamoto-pos, ) showed. In the case where the grinding is more limited but the protocol is more predictable which is an undesirable property (that we ignore in this work). As far as grinding is concerned corresponds to the worst-case scenario.
The grinding works as follows: whenever the adversary is elected leader, it can decide to publish its block or skip the round, thus biasing the randomness. Furthermore, in the PLE case (where the adversary can potentially produce more than one block per round), the adversary could decide which of its blocks to use, if it was elected more than once, or simply skip this round. By trying out different combinations of blocks or skipping rounds, the adversary may find a particular chain where it is luckier and create a longer chain.
5.1.2. Branching Random Walks
Similarly to Bagaria et al. (nakamoto-pos, ), we use the theory of branching random walks to study the problem of grinding. The rest of the assumptions (e.g., about synchronicity) are as presented in Section 3.
We consider the following branching random walk that we note BRW. We first define it using standard branching process vocabulary, before explaining how it relates to grinding and blockchains. As before, time is divided into discrete time steps. An initial ancestor is located at the origin. At each time step a particle gives birth to a random number of children before dying. Each child is randomly scattered through . In the next time-step, each child will give birth to their own children before dying. The process repeats indefinitely. Each particle is independent of the others and verifies the following properties:
Each particle has at least one child. The first child is located at the same position as its parent.
denotes the position of a particle. The other children of the particle, if they exist, are located at position .
The number of children located at position follows a distribution noted Z.
Such a process is illustrated in Figure 2. We will consider two different distributions for . In the first case, will follow a Bernoulli distribution of parameter . There is exactly one particle at height with probability (and 0 otherwise). In this case, each particle will have one child with probability and two children (one at position and one at position ) with probability . We denote by BRW1 the associated branching random walk.
In the second case, follows a Poisson distribution of parameter . There will be particle in position with probability . In this case, each particle has one child with probability and a total of children with probability . We denote by BRW2 this branching random walk.
Intuitively, a particle having exactly one child corresponds to the case where the adversary is not elected leader hence its chain does not increase by one and the child particle stays at the same position as its parent. This happens with probability in the SSLE case and in the PLE case. A particle having more than one child corresponds to the case where the adversary was elected leader in that round, in which case its private chain increases by one and, analogously, the position of the other children increases by one.
In the case where the adversary has of its miners elected leader, then all of them will create a new block with a new random value and thus a new potential chain. Each particle therefore corresponds to a new chain that will grow independently of the other from then on. The maximum position for BRW at time corresponds to the longest chain that the adversary has been able to create by grinding. We are interested in comparing this value with the length of the honest chain.
Honest players do not form a coalition and are not grinding, hence their chain evolves as a random walk that increases by one with probability and stays unchanged with probability . In the SSLE case, we have and in the PLE .
Let denote the maximum position of the generic branching random walk BRW described above at time . When is specified to be a Bernoulli distribution of parameter we will write this process and when is a Poisson distribution of parameter , we will write the corresponding stochastic process . Similarly, we denote by the position of the generic honest random walk at time and will specify or when needed.
The SSLE and PLE grinding games are then defined as follows.
Definition 5.1 (-SSLE Grinding Game).
For and as defined above, we say that the adversary wins the SSLE grinding game of length and power if at timestep , .
Definition 5.2 (-PLE Grinding Game).
For and as defined above, we say that the adversary wins the PLE grinding game of length and power if at timestep , .
As before, we will sometimes refer to simply the grinding game when talking about the generic processes and .
We are interested in comparing the persistence parameter for SSLE compared to PLE and, hence, comparing the probabilities of winning the SSLE grinding game and the PLE grinding game.
Additionally, we are interested in the security threshold of the two grinding games. In the non-grinding case, we already know that the protocol is secure against private attacks if and only if for obvious reasons (i.e., the persistence parameter exists and is finite for every and ). With the grinding attack, an adversary may win an unfair advantage in the private attack and take over the honest chain of any length even with less than half of the stake. For the PLE case, Bagaria et al. (nakamoto-pos, ) proved that the protocol is secure in the case of grinding if and only if for a network delay . In the next section, we first derive the security threshold, i.e., the biggest value such that there exists a finite persistence parameter for every . We then look at the probabilities of winning the game of length for an adversary with power less than and again, compare the two cases.
Before moving on to the analysis, we make one important remark in the SSLE case with grinding. Since the randomness on the honest and adversarial chains are now different, the leader elections on each of these chains become independent. This is unlike the non-grinding case, where we had . The SSLE thus does not act like an SSLE anymore. There could be more than one winner per round, each on a different chain, or no block created at all in some rounds (e.g., if in the adversarial chain the leader elected is honest and in the honest chain the leader elected is adversarial). The SSLE thus acts more like a probabilistic leader election where one leader is elected with probability at each round on each adversarial chain, and one leader is elected with probability on the honest chain. Unlike with the PLE private game, however, there can be at most one leader elected per round on each chain.
5.2.1. Security Threshold
We start by defining the security threshold of the grinding game. Intuitively, the security threshold captures the threshold for which the protocol is secure after a certain length. In other words, the probability of winning the game can be made as small as desired by choosing a long enough length.
Definition 5.3 (Security threshold).
If there exists such that for every , asymptotically a.s. and for , asymptotically a.s., we call such the security threshold of the grinding game.
We note that the above definition does not say anything about the behaviour of the game with power exactly . In order to compute the security threshold in both cases, we use results from Biggins (biggins1976first, , Section 6) that we adapt to our discrete time model. Specifically, Biggins considers a continuous model where particles are scattered through and particles are of different types, whereas we only have one type of particle that is scattered through . Additionally, he considers the minimum position of the branching random walk rather than the maximum. With this mind, we can directly derive the following result:
Similarly following the law of large numbers (applied to the Binomial distribution), we havea.s. Hence, we conclude that a.s. asymptotically if and a.s. asymptotically if . As a consequence, the security threshold corresponds to the case . Based on this observation, we prove the following theorem.
Theorem 5.4 ().
The security threshold of the SSLE, resp. PLE, grinding games are: and .
In order to prove the theorem, we compute the value of . We start by computing .
We first note that this expression is independent of whether the number of blocks (or children at position 1) follows a Bernoulli or Poisson distribution since they both have the same expectation. This is in itself an interesting observation since it means that, asymptotically, both processes and behave similarly (although this is not the case for and ).
We now move on to compute and , which will be equal for both branching random walks since they only depend on .
First, we compute . We have , hence, for , for , so it remains to compute for . We have . Hence is decreasing up until and increasing after this. We therefore have that for , .
Next we compute . We denote for . We have and . Hence is first increasing then decreasing. Furthermore, we have that and hence reaches one exactly once and is the unique solution to for . We thus know that gamma solves the following equation:
In the SSLE case, the threshold corresponds to the case where and, in the PLE case, the threshold corresponds to the case . Hence satisfies the following equation:
The solution can be computed numerically giving .
on the other hand, satisfies the following equation:
which can be solved numerically giving . ∎
The above theorem shows that SSLE significantly increases the security threshold in the grinding private attack. We also remark that the threshold found in the PLE case is similar to the one found by Bagaria et al. (nakamoto-pos, ) (), although there is a slight difference between the models. The reference considers a continuous-time model (i.e., the slot duration is very small) and a delay of propagation of zero. This means that, for example, if two honest leaders were to find a block at milliseconds of interval, where is very small, then these two blocks will be added to the honest chain even though in practice they were found at the same time. In our model, we consider a discrete time model and a synchronous network with a strictly positive delay, and so two blocks found in the same round cannot be added to the same chain.
5.2.2. Persistence parameter
In the previous section, we computed the security threshold of the SSLE and PLE grinding games. We therefore know that, for an adversary below that power, we can find a length such that the probability of winning the grinding game of parameter is as small as desired. However, our analysis was only asymptotic and did not give any information about the persistence parameter or the behaviour of the game for a shorter time period. In this section, we study the probability of winning the SSLE and PLE grinding games of length
in order to give an estimate of thepersistence parameter.
We are interested in the variable and especially the event that corresponds to the adversarial chain being longer or equal than the honest chain and hence the adversary winning the grinding game.
We denote . Since, by definition, , we have for . We now define the following recursive formula for :
This equality is explained as follows. We start at time . We denote the number of children at position 1 of the initial particle (i.e., the total number of children is ). The first child stays at position 0, whereas the other children will increase position by one. All of the children generate independent processes similar to their ancestor, except starting at for the first child, and for the other children. The process will not reach at step if and only if none of the processes engendered by the children of the original particle reach . Since all the processes are independent, the probability that the process engendered by the first child never reaches is . For the rest of the children, this probability is . Conditional on the particle having children, the probability that does not reaches by time is equal to .
Adapting the above probabilities to the SSLE grinding game yields the following:
Whereas in the PLE game, it becomes:
We note we have found a recursive formula for that depends on .
Next, we are interested in . We have:
We plot this probability for different values of and in Figure 3. Here, we quickly remark that this probability does not allow us to find the exact persistence parameter as it is not the probability that the adversary violates the persistence of the blockchain for any length greater than but the probability that the adversary wins the game of length exactly . In theory, the probability that the adversary wins the game for any is slightly bigger than the probability we computed as there is always a small chance that an adversary that did not win at length could catch up in the future. In the grinding case, this probability is much more complex to compute than in the previous section. However, the probability that the adversary wins the grinding game of length exactly still provides an interesting proxy measure for the security of the underlying protocol.
In Figure 3 we see that SSLE performs consistently better than PLE in the sense that the probability of winning the grinding game is smaller for SSLE than for PLE. We also notice, as before, that for big enough, this probability can be approximated as . Using the same method as before, we can find that SSLE reduces the persistence parameter by roughly 70% in the case of a 10% adversary and 80% for a 20% adversary. In this case, the improvement is even more drastic than in the private game. Unlike the private game, however, the reduction is more noticeable for a 20% than for a 10% adversary.
It is also interesting to compare the probabilities of winning the private game vs winning the grinding game. We plot these probabilities in Figure 4. In the simple (i.e., non-grinding) case, we compute the probability that the gap is positive instead of using the probability in Section 4, as this matches the probability we have computed in the grinding case. Intuitively, grinding should increase the probability of winning the game of length , which is what we observe for PLE in Figure 3(a), 3(b) and 3(c). However, in the SSLE case, we observe the opposite for a 10 and 20% adversary. As we have discussed before, in the case of grinding, the SSLE game does not act anymore as a single secret leader election since the adversarial and honest chains are now independent as they operate on different random beacons. The SSLE grinding game is thus more similar to the PLE private game than to the SSLE private game, except that the probabilities and should be adapted accordingly. We now define the following game:
Definition 5.5 (-idependent SSLE Private Game).
The independent SSLE private game with parameters is defined as follows: at each round a number of adversarial leaders is selected from a Bernoulli distribution of parameter and a number of honest leaders is selected from an independent Bernoulli distribution of parameter . We say that the adversary wins the PLE private game of length and power if the number of rounds with non-zero adversarial leaders is greater or equal than the number of rounds with non-zero honest leaders, i.e.:
This game is equivalent to a PLE private game, except that we now have and similarly and . We plot the probabilities of winning the independent SSLE private game and compare them to the SSLE grinding game in Figure 3(d), 3(e) and 3(f). We indeed notice that the independent SSLE game performs much better than the grinding game but, surprisingly, also better than the SSLE game. The difference between the independent SSLE and SSLE private games can be explained by the fact that the adversary in the independent game is much less likely to be elected sole leader ( vs ) and, hence, the gap in this case increases less often. The difference between the independent SSLE and PLE is also explained similarly: the probability of the gap increase goes from to . Although the persistence parameter is smaller in this case, it is also expected that there will be rounds with no winner as well as more natural forks (unlike in the SSLE case).
6. Conclusion and Future work
In this work, we have performed a comparison of private attacks against longest-chain PoS protocols that use SSLE and PLE. We have found that the persistence parameter under this specific attack is reduced significantly when using SSLE, by around 25% against a 25 or 33% adversary. We also found that the security threshold against grinding private attacks is higher () in the SSLE case than in the PLE case (). These results are encouraging and should help convince real-world system designers to make the switch to SSLE in their PoS blockchains. For future work, it will be interesting to compare the results based on other attacks (e.g., balance attack (nakamoto-pos, ) or general case), as well as to relax assumptions such as the synchronous network or static adversary.
The authors would like to thank Jorge Soares for his valuable feedback on this paper. D.C. was supported by the MIUR grant ‘Dipartimenti di Eccellenza 2018-2022’ (E11G18000350001).
-  Lecture2: Random walks, reflection and reversal. http://cgm.cs.mcgill.ca/~breed/MATH671/lecture2corrected.pdf.
-  Sarah Azouvi, Patrick McCorry, and Sarah Meiklejohn. Winning the caucus race: Continuous leader election via public randomness. arXiv preprint arXiv:1801.07965, 2018.
-  Vivek Bagaria, Amir Dembo, Sreeram Kannan, Sewoong Oh, David Tse, Pramod Viswanath, Xuechao Wang, and Ofer Zeitouni. Proof-of-stake longest chain protocols: Security vs predictability. arXiv preprint arXiv:1910.02218, 2019.
-  Amos Beimel, Eran Omri, and Ilan Orlov. Protocols for multiparty coin toss with dishonest majority. In Annual Cryptology Conference, pages 538–557. Springer, 2010.
-  Michael Ben-Or and Nathan Linial. Collective coin flipping, robust voting schemes and minima of banzhaf values. In 26th Annual Symposium on Foundations of Computer Science (sfcs 1985), pages 408–416. IEEE, 1985.
-  JD Biggins. The first-and last-birth problems for a multitype age-dependent branching process. Advances in Applied Probability, pages 446–459, 1976.
Erica Blum, Aggelos Kiayias, Cristopher Moore, Saad Quader, and Alexander
The combinatorics of the longest-chain rule: Linear consistency for proof-of-stake blockchains.In Proceedings of the Fourteenth Annual ACM-SIAM Symposium on Discrete Algorithms, pages 1135–1154. SIAM, 2020.
-  Dan Boneh, Saba Eskandarian, Lucjan Hanzlik, and Nicola Greco. Single secret leader election. In Proceedings of the 2nd ACM Conference on Advances in Financial Technologies, pages 12–24, 2020.
-  Ignacio Cascudo and Bernardo David. Scrape: Scalable randomness attested by public entities. In International Conference on Applied Cryptography and Network Security, pages 537–556. Springer, 2017.
-  Dario Catalano, Dario Fiore, and Emanuele Giunta. Efficient and universally composable single secret leader election from pairings.
-  Phil Daian, Rafael Pass, and Elaine Shi. Snow white: Robustly reconfigurable consensus and applications to provably secure proof of stake. In International Conference on Financial Cryptography and Data Security, pages 23–41. Springer, 2019.
-  Bernardo David, Peter Gaži, Aggelos Kiayias, and Alexander Russell. Ouroboros praos: An adaptively-secure, semi-synchronous proof-of-stake blockchain. In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pages 66–98. Springer, 2018.
-  Soubhik Deb, Sreeram Kannan, and David Tse. Posat: Proof-of-work availability andunpredictability, without the work. arXiv preprint arXiv:2010.08154, 2020.
-  Amir Dembo, Sreeram Kannan, Ertem Nusret Tas, David Tse, Pramod Viswanath, Xuechao Wang, and Ofer Zeitouni. Everything is a race and nakamoto always wins. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pages 859–878, 2020.
-  Peter Gaži, Aggelos Kiayias, and Alexander Russell. Tight consistency bounds for bitcoin. Cryptology ePrint Archive, Report 2020/661, 2020. https://eprint.iacr.org/2020/661.
-  Yossi Gilad, Rotem Hemo, Silvio Micali, Georgios Vlachos, and Nickolai Zeldovich. Algorand: Scaling byzantine agreements for cryptocurrencies. In Proceedings of the 26th Symposium on Operating Systems Principles, pages 51–68, 2017.
-  Aggelos Kiayias, Saad Quader, and Alexander Russell. Consistency of proof-of-stake blockchains with concurrent honest slot leaders. arXiv preprint arXiv:2001.06403, 2020.
-  Aggelos Kiayias, Alexander Russell, Bernardo David, and Roman Oliynykov. Ouroboros: A provably secure proof-of-stake blockchain protocol. In Annual International Cryptology Conference, pages 357–388. Springer, 2017.
-  Jing Li, Dongning Guo, and Ling Ren. Close latency-security trade-off for the nakamoto consensus. CoRR, abs/2011.14051, 2020.
-  Silvio Micali, Michael Rabin, and Salil Vadhan. Verifiable random functions. In 40th annual symposium on foundations of computer science (cat. No. 99CB37039), pages 120–130. IEEE, 1999.
-  Ewa Syta, Philipp Jovanovic, Eleftherios Kokoris Kogias, Nicolas Gailly, Linus Gasser, Ismail Khoffi, Michael J Fischer, and Bryan Ford. Scalable bias-resistant distributed randomness. In 2017 IEEE Symposium on Security and Privacy (SP), pages 444–460. Ieee, 2017.