1 Introduction
In 2009, Satoshi Nakamoto [Na] introduced the notion of blockchain as well as the notion of proof of work into P2P cash systems, giving birth to the famous Bitcoin, which is the first P2P cash implemented in practise.
A cash system is a system in which nodes transfer coins to each other. A P2P cash system is a cash system in which transactions as well as datum built on transactions are broadcast to all nodes. A transaction is a collection of the following components: time of the blocktransaction, address of the payee, amount of payment, transaction fees, unspent transactions, the change, and signature of the payer.
A blockchain system is a P2P cash system where transactions are collected into blocks, where blocks are chained one after another, and where only the longest blockchain is considered to be the correct one.
A block in a blockchain system is a collection of the following components: time of the block, hash of the previous block, new transactions added to the block, address of the block creator, nonce such that the hash of the block begins with a number of zero bits.
Let be a natural number. A proof of work system with target difficulty is a blockchain system where block must satisfy satisfies the threshold:
Here denotes the number of leading zero bits of .
The expected time for a CPU to find a POW block is And the expected time for CPUs to find a POW block is Therefore it is very difficult for the adversary to build the longest blockchain unless he has more CPUs than the honest party.
The simplest proof of stake system is the proof of balance system. A proof of balance system with target difficulty is a blockchain system where block chained after blockchain by node must satisfy the threshold:
where is the balance of node in blockchain .
The expected time for a party to find a POB block chained to blockchain is where is the balance of the party in blockchain . Suppose that the party transfers no coins to nodes outside the party, and assume that the transaction fees paid by the party in every block is a constant, say . Then the expected time for the party to build a long POB blockchain of length is where is the coins rewarded to a block creator. Thus, the expected time for a party without spending to build a long POB blockchain of length is It follows that, the adversary who never spends his coins can build a long blockchain secretely which in a long run, would outpace the blockchain maintained by the honest party. The same philosophy can be applied to attack other kinds of proof of stake systems, see, e.g. [Bu, Po].
In this paper we present a proof of spending system. In this system the expected time for a node to create a block is inverse proportional to the total amount of the coins it has spent in history. We shall see that, in the proof of spending system, the adversary trying to build a longest blockchain would earn nothing.
2 Proof of Spending
We now present a proof of spending system.
The proof of spending system with target difficulty is a blockchain system where block chained after blockchain by node must satisfy the threshold:
where is the total amount of coins spent by node in blockchain .
We call a block in a proof of spending system a PSP block. One can prove the following.
Lemma 2.1
The expected time for a party to find a PSP block chained after blockchain is where is the amount of coins spent by the party in blockchain .
We now prove the following.
Lemma 2.2
Suppose that a party is going to build a long PSP blockchain, and assume that no nodes outside the party would transfer coins to the party. Then the coins spent per block by the party is where is the amount of transaction fees per coin.
Proof. Suppose that the contrary is true. Let be the amount of coins spent per block by the party Then whenever the party produces a PSP block, the balance of the party decreases at least by . This would forbid the party to build a long blockchain, and thus contradicts to the assumption of the lemma. The lemma is proved.
We now prove the following.
Theorem 2.3
Suppose that the coins spent by a party in every block is , where is a positive constant. Then the expected time for the party to build a long PSP blockchain of length is
where is the Euler constant.
Proof. Since the coins spent by the party in the first blocks of the blockchain is , the expected time for the party to produce the th block is So the expected time for the party to build a long blockchain of length is
The theorem is proved.
Note that at the growing stages of the network, a proof of spending system is nearly a proof of work system, and hence is secure. After the network is grown up, the coins spent by the honest party in every block is . Suppose that the adversary wants to build a long PSP blockchain in shortest time. His best strategy is to transfer coins to himself in every block with . Therefore it is difficult for the adversary to built the longest blockchain alone.
3 Proof of Recent Spending
We now present a proof of recent spending system.
Let be a natural number. The proof of recent spending system with target difficulty and freshness is a blockchain system where block chained after blockchain by node must satisfy the threshold:
where is the last segment of of length , and is the total amount of coins spent by node in the chain segment .
We call a block in a proof of recent spending system a PRS block. As in the last section, we can prove the following two lemmas.
Lemma 3.1
The expected time for a party to find a PRS block chained after blockchain is where is the amount of coins spent by the party in chain segment .
Lemma 3.2
Suppose that a party is going to build a long PRS blockchain, and assume that no nodes outside the party would transfer coins to the party. Then the coins spent per block by the party is where is the amount of transaction fees per coin.
We now prove the following.
Theorem 3.3
Suppose that the coins spent by a party in every block is , where is a positive constant. Then the expected time for the party to build a long PRS blockchain of length is
Proof. We have, when is long,
So, when is large, the expected time for the party to produce the th block is
So the expected time for the party to build a long blockchain of length is
The theorem is proved.
Suppose that the adversary wants to build a long PRS blockchain alone in shortest time. His best strategy is to transfer coins to himself in every block with close to 1. The transaction fees he must pay in very block is . So he earns per block. As the time for him to create a block is
his earning, per unit time, is
which is very small. It follows that the proof of recent spending system is secure, and is very secure if
is small.
4 Spending of Old Coins
We now present a proof of spending of old coins system.
We begin with the definition of coin age. The age of coin in a block chain is defined to be the length from the last transaction of the coin to the end of the block chain. The age of coin in blockchain is denoted as .
Let be a natural number. The proof of spending of old coins system with target difficulty and experience is a blockchain system where block chained after blockchain by node must satisfy the threshold:
where is the total amount of coins of age at least spent by node in the blockchain .
We call a block in a proof of spending of old coins system a PSO block. As in the last section, we can prove the following two lemmas.
Lemma 4.1
The expected time for a party to find a PSO block chained after blockchain is where is the amount of coins of age at least spent by the party in blockchain .
Lemma 4.2
Suppose that a party is going to build a long PSO blockchain, and assume that no nodes outside the party would transfer coins to the party. Then the coins spent per block by the party is where is the amount of transaction fees per coin.
We now prove the following.
Theorem 4.3
Suppose that the coins spent by a party in every block is , where is a positive constant. Then the expected time for the party to build a long PSO blockchain of length is
Proof. We have, when is long,
where is the length of . So the expected time for the party to build a blockchain of length is
The theorem is proved.
Suppose that the adversary wants to build a long PRS blockchain alone in shortest time. His best strategy is to transfer coins to himself in every block with close to 1. His balance must be greater than . If , where is the coins of the network, then the balance of the adversary must be greater than . It follows that the proof of spending of old coins is secure if is large.
5 Recent Spending of Old Coins
We now present a proof of recent spending of old coins system.
The proof of recent spending of old coins system with target difficulty , freshness and experience is a blockchain system where block chained after blockchain by node must satisfy the threshold:
where is the total amount of coins of age at least spent by node in the segment .
We call a block in a proof of spending of old coins system a RSO block. As in the last section, we can prove the following two lemmas.
Lemma 5.1
The expected time for a party to find a RSO block chained after blockchain is where is the amount of coins of age at least spent by the party in segment .
Lemma 5.2
Suppose that a party is going to build a long RSO blockchain, and assume that no nodes outside the party would transfer coins to the party. Then the coins spent per block by the party is where is the amount of transaction fees per coin.
We now prove the following.
Theorem 5.3
Suppose that the coins spent by a party in every block is , where is a positive constant. Then the expected time for the party to build a long RSO blockchain of length is
Proof. We have, when is long,
So the expected time for the party to build a blockchain of length is
The theorem is proved.
Suppose that the adversary wants to build a long PRS blockchain alone in shortest time. His best strategy is to transfer coins to himself in every block with close to 1. His balance must be greater than . If , where is the coins of the network, then the balance of the adversary must be greater than . The transaction fees he must pay in very block is . So he earns per block. As the time for him to create a block is
his earning, per unit time, is
which is very small. It follows that the proof of recent spending system is secure, and is very secure if
is small. It follows that the proof of spending of old coins is secure if is large.
6 Conclusion
We have proposed two blockchain systems: proof of spending and proof of recent spending. The proof of spending system is more efficient, and the proof of recent spending system is more secure.
References
 [BGM] I. Bentov, A. Gabizon, and A. Mizrahi, Cryptocurrencies without of proof of work , CoRR, abs/1406.5694, 2014.
 [BPS] I. Bentov, R. Pass, and E. Shi, Snow white: Provably secure proof of stake , http://eprint.iacr.org/2016919, 2016.

[Bu]
V. Buterin, Longrange attacks: The serious problem with adaptive proof of work ,
https://download.wpsoftware.net/bitcion/old.pos.pdf, 2014. 
[NXT]
The NXT Community, NXT whitepaper ,
https://bravenewcoin.com/assets/Whitepapers/NxtWhitepaperv122rev4.pdf, 2014.  [DGKR] B. David, P. Gaz̆i, A. Kiayias, and A. Russell, Ouroboros praos: An adaptivelysecure semisynchronous proof of stake protocol , http://eprint.iacr.org/2017573, 2017.
 [KN] S. King, and S. Nadal, Ppcoin: Peertopeer cryptocurrency with proof of stake , https://ppcoin.net/assets/paper/ppcoinpaper.pdf, 2012.
 [KRDO] A. Kiayias, A. Russell, B. David, and R. Oliynykov, Ouroboros: A provably secure proof of stake blockchain protocol , In J. Kakz and S. Shacham, editors, CRYPTO 2017, Part I, vol. 10401 of LNCS,357388, Springer, Heidelberg, 2017.
 [Mi] S. Micali, ALGORAND: The efficient and demacradic leger , CoRR, abs/1607.0134, 2016.
 [Po] A. Poelstra, Distributed consensus from proof of stake is impssible , https://download.wpsoftware.net/bitcion/old.pos.pdf, 2014.

[Na]
S. Nakamoto, A peertopeer cash system ,
http://bitcoin.org/bitcoin.pdf, 2008.
Comments
There are no comments yet.