1 Introduction
In 2009, Satoshi Nakamoto [Na] introduced the notion of blockchain into P2P cash systems, giving birth to the famous Bitcoin, which is the first P2P cash implemented in practise.
A cash system is a system which issues coins, and in which nodes transfer coins to each other. A P2P cash system is a cash system with a digital signature scheme in which transactions are digitally signed and are broadcast to all nodes. A blockchain cash system with a hash function and a threshold function is a P2P cash system, where transactions are collected into blocks, where the hash of a block is contained in the next block so that the blocks are chained one after another, where only the longest blockchain is considered to correct, where a nonce is added to a block so that
and where an amount of new coins are rewarded to a block creator.
A blockchain cash system is said to be based on proof of work if
where is the scale of the system, and is the difficulty constant of the system.
A blockchain cash system is said to be based on proof of stake if
where is the scale of the system, is the difficulty constant of the system, is the creator of , is the blockchain after which is chained, is the balance of in , and is the amount of new coins awarded to a block creator.
We now propose stake systems. A stake system is a cash system which issues stakes as well as coins, in which nodes transfer coins to each other, and in which transaction fees are paid with coins. A P2P stake system is a stake system with a digital signature scheme in which transactions are digitally signed and are broadcast to all nodes. A blockchain stake system with a hash function , a coinissue threshold function , and a stakeissue threshold function which is majored by the coinissue threshold function is a P2P stake system where transactions are collected into blocks, where the hash of a block is contained in the next block so that the blocks are chained one after another, where only the longest blockchain is considered to correct, where a nonce is added to a block so that
where an amount of new coins are rewarded to a block creator, and where an amount of new stakes are rewarded to a block creator if he has created a block, say , which satisfies
A blockchain cash system may be regarded as a blockchain stake system whose stakeissue threshold is the same as its coinissue threshold, and in which stakes are never transferred to each other so that the stakes of a node is just the product of and the times he has got rewarded.
A blockchain cash system may also be regarded as a blockchain stake system whose stakeissue threshold is the same as its coinissue threshold, and in which coins ever used to pay transaction fees lost their stakes so that the stakes of a node is the sum of the part of coins he owned but is never used to pay transaction fees and the part of transaction fees he has paid with coins which is used to pay transaction fees for the first time.
2 Constant Stake Systems
A blockchain stake system is called a constant stake system if if
and
where is the scale of the system, and are respectively the coinissue difficulty constant and the stakeissue difficulty constant of the system.
The blockchain cash system based on proof of work may be regarded as a constant stake system in which . It is easy to see that a constant stake system is as secure as the blockchain cash system based on proof of work.
3 Linear Stake Systems
A blockchain stake system is called a linear stake system if
and
where is the scale of the system, and are respectively the coinissue difficulty constant and the stakeissue difficulty constant of the system, is the creator of , is the blockchain after which is chained, is the stake of in , and is the amount of new stakes awarded to a blockcreator when the hash of the created block is no greater than the stakeissue threshold.
Though a linear stake system is a little different from a blockchain cash system based on proof of stake, it is still not resistant to longterm attacks.
4 Radical Stake Systems
Let . A stake system is called a radical stake system with equal exponent if
and
where is the scale of the system, and are respectively the coinissue difficulty constant and the stakeissue difficulty constant of the system, is the creator of , is the blockchain after which is chained, is the stake of in , and is the amount of new stakes awarded to a blockcreator when the hash of the created block is no greater than the stakeissue threshold. We now prove the following.
Theorem 4.1
Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a blockchain alone. Then the expected time for the party to build a blockchain of length in a radical stake system with equal exponent is
where , and .
Proof. Note that, after the node has built
blocks, the probability for him to be rewarded with stakes
times is . So the expected time for the node to chain the th block isIt follows that the expected time for the node to build a long blockchain of length is
The theorem is proved.
Corollary 4.2
Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a blockchain alone. Then the expected time for the party to build a blockchain of length in a radical stake system with equal exponent in which is
Proof. As , we have and , and hence
The corollary now follows.
Lemma 4.3
We have
Proof. We have
The lemma is proved.
Corollary 4.4
Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a blockchain alone. Then the expected time for the party to build a blockchain of length in a radical stake system with equal exponent is no greater than
The above corollary says that a node, who conducts no transactions on stakes with other nodes and is going to build a blockchain alone, gets no faster if he doesn’t add a new block to the blockchain until the hash of the block is no greater than the stakeissue threshold.
Theorem 4.5
Suppose that a party with nodes is going to build a blockchain. Assume that the party conducts no transactions on stakes with nodes outside the party. Let be the proportion of stakes of the th node. Then the expected time for the party to build a blockchain of length in a radical stake system with equal exponent is no greater than
where , , and is the expectation of .
Proof. Note that, after the party has built blocks, the probability that the party is rewarded with stakes times is . Let be the time for the party creates the th block with the unit time being the time for a CPU to perform one operation. Then
where
is the probability mass function of the random variable
, andSo the expected time for the node to chain the th block is
Note that
So the expected time for the node to chain the th block is no greater than
The theorem is proved.
Note that
Therefore by the above theorems, it is very difficult for an attacker to build the longest blockchain alone. To get a sense of the degree of the difficulty an attacker would face when he started to build the longest chain, we prove the following lemma.
Lemma 4.6
Let be the proportion of stakes of the th node in a party with nodes. Let . Suppose that the probability mass function of vanishes at all points for which
Then
Proof. Note that,
So
The lemma is proved.
5 Logarithmic Stake Systems
A stake system is called a logarithmic stake system if
and
where is the scale of the system, and are respectively the coinissue difficulty constant and the stakeissue difficulty constant of the system, is the creator of , is the blockchain after which is chained, is the stake of in , and is the amount of new stakes awarded to a blockcreator when the hash of the created block is no greater than the stakeissue threshold. We now prove the following.
Theorem 5.1
Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a blockchain alone. Then the expected time for the party to build a blockchain of length in a logarithmic stake system is
where , and .
Proof. Note that, after the node has built blocks, the probability for him to be rewarded with stakes times is . So the expected time for the node to chain the th block is
It follows that the expected time for the node to build a long blockchain of length is
The theorem is proved.
Corollary 5.2
Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a blockchain alone. Then the expected time for the party to build a blockchain of length in a logarithmic stake system in which is
Proof. As , we have and , and hence
The corollary now follows.
Lemma 5.3
We have
Proof. Note that
So
The lemma is proved.
Corollary 5.4
Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a blockchain alone. Then the expected time for the party to build a blockchain of length in a logarithmic stake system is no greater than
The above corollary says that a node, who conducts no transactions on stakes with other nodes and is going to build a blockchain alone, gets no faster if he doesn’t add a new block to the blockchain until the hash of the block is no greater than the stakeissue threshold.
Theorem 5.5
Suppose that a party with nodes is going to build a blockchain. Assume that the party conducts no transactions on stakes with nodes outside the party. Let be the proportion of stakes of the th node. Then the expected time for the party to build a blockchain of length in a logarithmic stake system is no greater than
where , , and is the expectation of .
Proof. Note that, after the party has built blocks, the probability that the party is rewarded with stakes times is . Let be the time for the party creates the th block with the unit time being the time for a CPU to perform one operation. Then
where is the probability mass function of the random variable , and
So the expected time for the node to chain the th block is
Note that
So the expected time for the node to chain the th block is no greater than
The theorem is proved.
Note that
Therefore by the above theorems, it is very difficult for an attacker to build the longest blockchain alone. To get a sense of the degree of the difficulty an attacker would face when he started to build the longest chain, we prove the following lemma.
Lemma 5.6
Suppose that a party with nodes is going to build a blockchain. Assume that the party conducts no transactions with nodes outside the party. Let be the proportion of stakes of the th node. Let . Suppose that the probability mass function of vanishes at all points for which
Then the expected time for the party to build a long blockchain of length is no greater than
where , and .
Proof. We claim that, if
then
First, if , then
Secondly, if , then
The lemma now follows from the proof of Theorem 5.5.
6 Conclusion
We have proposed stake system which issues stakes as well as coins. Two subadditive stake systems are studied: the radical stake system and the logarithmic stake system. In both subadditive stake systems, an attacker would find it very difficult to build the longest blockchain alone.
References
 [BGM] I. Bentov, A. Gabizon, and A. Mizrahi, Cryptocurrencies without of proof of work , CoRR, abs/1406.5694, 2014.
 [BPS] I. Bentov, R. Pass, and E. Shi, Snow white: Provably secure proof of stake , http://eprint.iacr.org/2016919, 2016.

[Bu]
V. Buterin, Longrange attacks: The serious problem with adaptive proof of work ,
https://download.wpsoftware.net/bitcion/old.pos.pdf, 2014. 
[NXT]
The NXT Community, NXT whitepaper ,
https://bravenewcoin.com/assets/Whitepapers/NxtWhitepaperv122rev4.pdf, 2014.  [DGKR] B. David, P. Gaz̆i, A. Kiayias, and A. Russell, Ouroboros praos: An adaptivelysecure semisynchronous proof of stake protocol , http://eprint.iacr.org/2017573, 2017.
 [KN] S. King, and S. Nadal, Ppcoin: Peertopeer cryptocurrency with proof of stake , https://ppcoin.net/assets/paper/ppcoinpaper.pdf, 2012.
 [KRDO] A. Kiayias, A. Russell, B. David, and R. Oliynykov, Ouroboros: A provably secure proof of stake blockchain protocol , In J. Kakz and S. Shacham, editors, CRYPTO 2017, Part I, vol. 10401 of LNCS,357388, Springer, Heidelberg, 2017.
 [Mi] S. Micali, ALGORAND: The efficient and demacradic leger , CoRR, abs/1607.0134, 2016.
 [Po] A. Poelstra, Distributed consensus from proof of stake is impssible , https://download.wpsoftware.net/bitcion/old.pos.pdf, 2014.

[Na]
S. Nakamoto, A peertopeer cash system ,
http://bitcoin.org/bitcoin.pdf, 2008.
Comments
There are no comments yet.