 # Proof of logarithmic stake in block-chain cash system

A proof of balance plus transaction fees block-chain cash system as well as a proof of logarithmic stake block-chain system are proposed. Securities of both systems are analysed.

## Authors

##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1 Introduction

In 2009, Satoshi Nakamoto [Na] introduced the notion of block-chain into P2P cash systems, giving birth to the famous Bitcoin, which is the first P2P cash implemented in practise.

A cash system is a system which issues coins, and in which nodes transfer coins to each other. A P2P cash system is a cash system with a digital signature scheme in which transactions are digitally signed and are broadcast to all nodes. A block-chain cash system with a hash function and a threshold function is a P2P cash system, where transactions are collected into blocks, where the hash of a block is contained in the next block so that the blocks are chained one after another, where only the longest block-chain is considered to correct, where a nonce is added to a block so that

 hash(B)≤threshold(B),∀B,

and where an amount of new coins are rewarded to a block creator.

A block-chain cash system is said to be based on proof of work if

 threshold(B)=MD, ∀B,

where is the scale of the system, and is the difficulty constant of the system.

A block-chain cash system is said to be based on proof of stake if

 threshold(B)=M⋅bal(A;C)+RwdD, ∀B,

where is the scale of the system, is the difficulty constant of the system, is the creator of , is the block-chain after which is chained, is the balance of in , and is the amount of new coins awarded to a block creator.

The block-chain cash system based on proof of stake have been studied by many authors [KN, BGM, NXT, Mi, BPS, DGKR, KRDO]. However, the block-chain cash system based on proof of stake seems vulnerable to long-term attacks, see, e.g. [Bu, Po].

We now propose stake systems. A stake system is a cash system which issues stakes as well as coins, in which nodes transfer coins to each other, and in which transaction fees are paid with coins. A P2P stake system is a stake system with a digital signature scheme in which transactions are digitally signed and are broadcast to all nodes. A block-chain stake system with a hash function , a coin-issue threshold function , and a stake-issue threshold function which is majored by the coin-issue threshold function is a P2P stake system where transactions are collected into blocks, where the hash of a block is contained in the next block so that the blocks are chained one after another, where only the longest block-chain is considered to correct, where a nonce is added to a block so that

 hash(B)≤cointhreshold(B),∀B,

where an amount of new coins are rewarded to a block creator, and where an amount of new stakes are rewarded to a block creator if he has created a block, say , which satisfies

 hash(B)≤stakthreshold(B).

A block-chain cash system may be regarded as a block-chain stake system whose stake-issue threshold is the same as its coin-issue threshold, and in which stakes are never transferred to each other so that the stakes of a node is just the product of and the times he has got rewarded.

A block-chain cash system may also be regarded as a block-chain stake system whose stake-issue threshold is the same as its coin-issue threshold, and in which coins ever used to pay transaction fees lost their stakes so that the stakes of a node is the sum of the part of coins he owned but is never used to pay transaction fees and the part of transaction fees he has paid with coins which is used to pay transaction fees for the first time.

## 2 Constant Stake Systems

A block-chain stake system is called a constant stake system if if

 cointhreshold(B)=MCoinD, ∀B,

and

 stakthreshold(B)=MStakD, ∀B,

where is the scale of the system, and are respectively the coin-issue difficulty constant and the stake-issue difficulty constant of the system.

The block-chain cash system based on proof of work may be regarded as a constant stake system in which . It is easy to see that a constant stake system is as secure as the block-chain cash system based on proof of work.

## 3 Linear Stake Systems

A block-chain stake system is called a linear stake system if

 cointhreshold(B)=M⋅stak(A;C)+StakRwdCoinD, ∀B,

and

 stakthreshold(B)=M⋅stak(A;C)+StakRwdStakD, ∀B,

where is the scale of the system, and are respectively the coin-issue difficulty constant and the stake-issue difficulty constant of the system, is the creator of , is the block-chain after which is chained, is the stake of in , and is the amount of new stakes awarded to a block-creator when the hash of the created block is no greater than the stake-issue threshold.

Though a linear stake system is a little different from a block-chain cash system based on proof of stake, it is still not resistant to long-term attacks.

Let . A stake system is called a radical stake system with equal exponent if

 cointhreshold(B)=M⋅(StakRwd+stak(A,C))aCoinD

and

 stakthreshold(B)=M⋅(StakRwd+stak(A,C))aStakD,

where is the scale of the system, and are respectively the coin-issue difficulty constant and the stake-issue difficulty constant of the system, is the creator of , is the block-chain after which is chained, is the stake of in , and is the amount of new stakes awarded to a block-creator when the hash of the created block is no greater than the stake-issue threshold. We now prove the following.

###### Theorem 4.1

Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length in a radical stake system with equal exponent is

 CoinDStakRwdaL−1∑n=0n∑k=01(k+1)a(nk)pkqn−k,

where , and .

Proof. Note that, after the node has built

blocks, the probability for him to be rewarded with stakes

times is . So the expected time for the node to chain the -th block is

 n∑k=0CoinD(k+1)a⋅StakRwda(nk)pkqn−k
 =CoinDStakRwdan∑k=01(k+1)a(nk)pkqn−k.

It follows that the expected time for the node to build a long block-chain of length is

 CoinDStakRwdaL−1∑n=0n∑k=01(k+1)a(nk)pkqn−k.

The theorem is proved.

###### Corollary 4.2

Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length in a radical stake system with equal exponent in which is

 CoinDStakRwdaL−1∑n=01(n+1)a.

Proof. As , we have and , and hence

 n∑k=01(k+1)a(nk)pkqn−k=1(n+1)a.

The corollary now follows.

###### Lemma 4.3

We have

 n∑k=01(k+1)a(nk)pkqn−k≤1p⋅1−qn+1(n+1)a.

Proof. We have

 n∑k=01(k+1)a(nk)pkqn−k
 =1(n+1)an∑k=0(n+1)a(k+1)a(nk)pkqn−k
 ≤1(n+1)an∑k=0n+1k+1(nk)pkqn−k
 ≤1p⋅1−qn+1(n+1)a.

The lemma is proved.

###### Corollary 4.4

Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length in a radical stake system with equal exponent is no greater than

 StakDStakRwdaL−1∑n=01(n+1)a.

The above corollary says that a node, who conducts no transactions on stakes with other nodes and is going to build a block-chain alone, gets no faster if he doesn’t add a new block to the block-chain until the hash of the block is no greater than the stake-issue threshold.

###### Theorem 4.5

Suppose that a party with nodes is going to build a block-chain. Assume that the party conducts no transactions on stakes with nodes outside the party. Let be the proportion of stakes of the -th node. Then the expected time for the party to build a block-chain of length in a radical stake system with equal exponent is no greater than

 E((m∑i=1Xai)−1)CoinDStakRwdaL∑n=1n∑k=01(k+1)a(nk)pkqn−k,

where , , and is the expectation of .

Proof. Note that, after the party has built blocks, the probability that the party is rewarded with stakes times is . Let be the time for the party creates the -th block with the unit time being the time for a CPU to perform one operation. Then

 P(T=t)=n∑k=0(nk)pkqn−k∑→xf(→x)(α(→x)t−1−α(→x)t),

where

is the probability mass function of the random variable

, and

 α(→x)=m∏i=1(1−(1+kxi)aStakRwdaCoinD).

So the expected time for the node to chain the -th block is

 n∑k=0(nk)pkqn−k∑→xf(→x)CoinDm∑i=1(kxi+1)a⋅StakRwda

Note that

 kx+1≥(k+1)x, 0≤x≤1.

So the expected time for the node to chain the -th block is no greater than

 ≤CoinDStakRwdan∑k=01(k+1)a(nk)pkqn−k∑→xf(→x)∑mi=1xai.

The theorem is proved.

Note that

 E((m∑i=1Xai)−1)<1.

Therefore by the above theorems, it is very difficult for an attacker to build the longest block-chain alone. To get a sense of the degree of the difficulty an attacker would face when he started to build the longest chain, we prove the following lemma.

###### Lemma 4.6

Let be the proportion of stakes of the -th node in a party with nodes. Let . Suppose that the probability mass function of vanishes at all points for which

 |{i∣xi>1m}|

Then

 E((m∑i=1Xai)−1)≤1c.

Proof. Note that,

 m∑i=1xai≥c whenever |{i∣xi>1m}|≥cma.

So

 E((m∑i=1Xai)−1)≤E(1c)≤1c.

The lemma is proved.

## 5 Logarithmic Stake Systems

A stake system is called a logarithmic stake system if

 cointhreshold(B)=M⋅log2(StakRwd+stak(A,C))CoinD

and

 stakthreshold(B)=M⋅log2(StakRwd+stak(A,C))StakD,

where is the scale of the system, and are respectively the coin-issue difficulty constant and the stake-issue difficulty constant of the system, is the creator of , is the block-chain after which is chained, is the stake of in , and is the amount of new stakes awarded to a block-creator when the hash of the created block is no greater than the stake-issue threshold. We now prove the following.

###### Theorem 5.1

Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length in a logarithmic stake system is

 =CoinDL−1∑n=0n∑k=01log2(k+1)+log2StakRwd(nk)pkqn−k,

where , and .

Proof. Note that, after the node has built blocks, the probability for him to be rewarded with stakes times is . So the expected time for the node to chain the -th block is

 n∑k=0CoinDlog2(k+1)+log2StakRwd(nk)pkqn−k
 =CoinDn∑k=01log2(k+1)+log2StakRwd(nk)pkqn−k.

It follows that the expected time for the node to build a long block-chain of length is

 =CoinDL−1∑n=0n∑k=01log2(k+1)+log2StakRwd(nk)pkqn−k.

The theorem is proved.

###### Corollary 5.2

Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length in a logarithmic stake system in which is

 CoinDL−1∑n=01log2(n+1)+log2StakRwd.

Proof. As , we have and , and hence

 n∑k=01log2(k+1)+log2StakRwd(nk)pkqn−k
 =1log2(n+1)+log2StakRwd.

The corollary now follows.

###### Lemma 5.3

We have

 n∑k=01log2(k+1)+log2StakRwd(nk)pkqn−k
 ≤1p⋅1−qn+1log2(n+1)+log2StakRwd.

Proof. Note that

 log2(n+1)+log2StakRwdlog2(k+1)+log2StakRwd≤n+1k+1.

So

 n∑k=01log2(k+1)+log2StakRwd(nk)pkqn−k
 ≤1log2(n+1)+log2StakRwdn∑k=0n+1k+1(nk)pkqn−k
 ≤1p⋅1−qn+1log2(n+1)+log2StakRwd.

The lemma is proved.

###### Corollary 5.4

Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length in a logarithmic stake system is no greater than

 StakDL−1∑n=01log2(n+1)+log2StakRwd.

The above corollary says that a node, who conducts no transactions on stakes with other nodes and is going to build a block-chain alone, gets no faster if he doesn’t add a new block to the block-chain until the hash of the block is no greater than the stake-issue threshold.

###### Theorem 5.5

Suppose that a party with nodes is going to build a block-chain. Assume that the party conducts no transactions on stakes with nodes outside the party. Let be the proportion of stakes of the -th node. Then the expected time for the party to build a block-chain of length in a logarithmic stake system is no greater than

 CoinD⋅E((m∑i=1log2(1+Xi))−1)L∑n=1n∑k=0(nk)pkqn−klog2(k+1)+log2StakRwd,

where , , and is the expectation of .

Proof. Note that, after the party has built blocks, the probability that the party is rewarded with stakes times is . Let be the time for the party creates the -th block with the unit time being the time for a CPU to perform one operation. Then

 P(T=t)=n∑k=0(nk)pkqn−k∑→xf(→x)(α(→x)t−1−α(→x)t−1),

where is the probability mass function of the random variable , and

 α(→x)=m∏i=1(1−log2(1+kxi)+log2StakRwdCoinD).

So the expected time for the node to chain the -th block is

 n∑k=0(nk)pkqn−k∑→xf(→x)CoinDm∑i=1(log2StakRwd+log2(kxi+1)).

Note that

 log2(1+kx)≥log2(1+k)×log2(1+x), 0≤x≤1.

So the expected time for the node to chain the -th block is no greater than

 CoinDn∑k=0(nk)pkqn−klog2(k+1)+log2StakRwd∑→xf(→x)∑mi=1log2(1+xi).

The theorem is proved.

Note that

 E((m∑i=1log2(1+Xi))−1)<1.

Therefore by the above theorems, it is very difficult for an attacker to build the longest block-chain alone. To get a sense of the degree of the difficulty an attacker would face when he started to build the longest chain, we prove the following lemma.

###### Lemma 5.6

Suppose that a party with nodes is going to build a block-chain. Assume that the party conducts no transactions with nodes outside the party. Let be the proportion of stakes of the -th node. Let . Suppose that the probability mass function of vanishes at all points for which

 |{i∣xi>1m}|<2clog2m.

Then the expected time for the party to build a long block-chain of length is no greater than

 CoinDcL∑n=1n∑k=0(nk)pkqn−klog2(k+1)+log2StakRwd,

where , and .

Proof. We claim that, if

 |{i∣xi>1m}|≥2clog2m,

then

 m∑i=1(log2StakRwd+log2(kxi+1))≥c(log2StakRwd+log2(k+1)).

First, if , then

 m∑i=1(log2StakRwd+log2(kxi+1))
 ≥mlog2StakRwd
 ≥c(log2StakRwd+log2(k+1)).

Secondly, if , then

 m∑i=1(log2StakRwd+log2(kxi+1))
 ≥mlog2StakRwd+2c(log2m)(log2(k+m)−log2m)
 ≥c(log2StakRwd+log2(k+1)).

The lemma now follows from the proof of Theorem 5.5.

## 6 Conclusion

We have proposed stake system which issues stakes as well as coins. Two subadditive stake systems are studied: the radical stake system and the logarithmic stake system. In both subadditive stake systems, an attacker would find it very difficult to build the longest block-chain alone.