Subadditive threshold in proof of stake system

05/25/2018 ∙ by Chunlei Liu, et al. ∙ 0

Two subadditive thresholds are proposed for proof of stake systems: one is the radical threshold, the other is the logarithmic threshold. The security of both systems is analysed.


1 Introduction

In 2009, Satoshi Nakamoto [Na] introduced the notion of block-chain into P2P cash systems, giving birth to the famous Bitcoin, which is the first P2P cash implemented in practice.

A cash system is a system which issues coins, and in which nodes transfer coins to each other. A P2P cash system is a cash system with a digital signature scheme in which transactions are digitally signed and are broadcast to all nodes. A block-chain cash system with a hash function and a threshold function is a P2P cash system, where transactions are collected into blocks, where the hash of a block is contained in the next block so that the blocks are chained one after another, where only the longest block-chain is considered to be correct, where a nonce is added to a block so that

and where an amount of new coins are rewarded to a block creator.

A block-chain cash system is said to be based on proof of work if

where is the scale of the system, and is the difficulty constant of the system.

A block-chain cash system is said to be based on proof of stake if

where is the scale of the system, is the difficulty constant of the system, is the creator of , is the block-chain after which is chained, is the balance of in , and is the amount of new coins awarded to a block creator.

Block-chain cash systems based on proof of stake have been studied by many authors [KN, BGM, NXT, Mi, BPS, DGKR, KRDO]. However, the block-chain cash system based on proof of stake seems vulnerable to long-term attacks, see, e.g. [Bu, Po].

We now propose stake systems. A stake system is a cash system which issues stakes as well as coins, in which nodes transfer coins to each other, and in which transaction fees are paid with coins. A P2P stake system is a stake system with a digital signature scheme in which transactions are digitally signed and are broadcast to all nodes. A block-chain stake system with a hash function , a coin-issue threshold function , and a stake-issue threshold function which is majorized by the coin-issue threshold function is a P2P stake system where transactions are collected into blocks, where the hash of a block is contained in the next block so that the blocks are chained one after another, where only the longest block-chain is considered to be correct, where a nonce is added to a block so that

where an amount of new coins are rewarded to a block creator, and where an amount of new stakes are rewarded to a block creator if he has created a block, say , which satisfies

A block-chain cash system may be regarded as a block-chain stake system whose stake-issue threshold is the same as its coin-issue threshold, and in which stakes are never transferred between nodes, so that the stake of a node is just the product of and the number of times he has been rewarded.

A block-chain cash system may also be regarded as a block-chain stake system whose stake-issue threshold is the same as its coin-issue threshold, and in which coins once used to pay transaction fees lose their stakes, so that the stake of a node is the sum of the part of the coins he owns that has never been used to pay transaction fees and the part of the transaction fees he has paid with coins that were being used to pay transaction fees for the first time.

2 Constant Stake Systems

A block-chain stake system is called a constant stake system if

and

where is the scale of the system, and are respectively the coin-issue difficulty constant and the stake-issue difficulty constant of the system.

The block-chain cash system based on proof of work may be regarded as a constant stake system in which . It is easy to see that a constant stake system is as secure as the block-chain cash system based on proof of work.

3 Linear Stake Systems

A block-chain stake system is called a linear stake system if

and

where is the scale of the system, and are respectively the coin-issue difficulty constant and the stake-issue difficulty constant of the system, is the creator of , is the block-chain after which is chained, is the stake of in , and is the amount of new stakes awarded to a block-creator when the hash of the created block is no greater than the stake-issue threshold.

Though a linear stake system is a little different from a block-chain cash system based on proof of stake, it is still not resistant to long-term attacks.

4 Radical Stake Systems

Let . A stake system is called a radical stake system with equal exponent if

and

where is the scale of the system, and are respectively the coin-issue difficulty constant and the stake-issue difficulty constant of the system, is the creator of , is the block-chain after which is chained, is the stake of in , and is the amount of new stakes awarded to a block-creator when the hash of the created block is no greater than the stake-issue threshold. We now prove the following.

Theorem 4.1

Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length in a radical stake system with equal exponent is

where , and .

Proof. Note that, after the node has built blocks, the probability for him to be rewarded with stakes times is . So the expected time for the node to chain the -th block is

It follows that the expected time for the node to build a long block-chain of length is

The theorem is proved.

Corollary 4.2

Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length in a radical stake system with equal exponent in which is

Proof. As , we have and , and hence

The corollary now follows.

Lemma 4.3

We have

Proof. We have

The lemma is proved.

Corollary 4.4

Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length in a radical stake system with equal exponent is no greater than

The above corollary says that a node, who conducts no transactions on stakes with other nodes and is going to build a block-chain alone, gets no faster if he doesn’t add a new block to the block-chain until the hash of the block is no greater than the stake-issue threshold.

Theorem 4.5

Suppose that a party with nodes is going to build a block-chain. Assume that the party conducts no transactions on stakes with nodes outside the party. Let be the proportion of stakes of the -th node. Then the expected time for the party to build a block-chain of length in a radical stake system with equal exponent is no greater than

where , , and is the expectation of .

Proof. Note that, after the party has built blocks, the probability that the party is rewarded with stakes times is . Let be the time for the party to create the -th block, with the unit of time being the time for a CPU to perform one operation. Then

where is the probability mass function of the random variable , and

So the expected time for the node to chain the -th block is

Note that

So the expected time for the node to chain the -th block is no greater than

The theorem is proved.

Note that

Therefore by the above theorems, it is very difficult for an attacker to build the longest block-chain alone. To get a sense of the degree of the difficulty an attacker would face when he started to build the longest chain, we prove the following lemma.

Lemma 4.6

Let be the proportion of stakes of the -th node in a party with nodes. Let . Suppose that the probability mass function of vanishes at all points for which

Then

Proof. Note that,

So

The lemma is proved.

5 Logarithmic Stake Systems

A stake system is called a logarithmic stake system if

and

where is the scale of the system, and are respectively the coin-issue difficulty constant and the stake-issue difficulty constant of the system, is the creator of , is the block-chain after which is chained, is the stake of in , and is the amount of new stakes awarded to a block-creator when the hash of the created block is no greater than the stake-issue threshold. We now prove the following.

Theorem 5.1

Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length in a logarithmic stake system is

where , and .

Proof. Note that, after the node has built blocks, the probability for him to be rewarded with stakes times is . So the expected time for the node to chain the -th block is

It follows that the expected time for the node to build a long block-chain of length is

The theorem is proved.

Corollary 5.2

Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length in a logarithmic stake system in which is

Proof. As , we have and , and hence

The corollary now follows.

Lemma 5.3

We have

Proof. Note that

So

The lemma is proved.

Corollary 5.4

Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length in a logarithmic stake system is no greater than

The above corollary says that a node, who conducts no transactions on stakes with other nodes and is going to build a block-chain alone, gets no faster if he doesn’t add a new block to the block-chain until the hash of the block is no greater than the stake-issue threshold.

Theorem 5.5

Suppose that a party with nodes is going to build a block-chain. Assume that the party conducts no transactions on stakes with nodes outside the party. Let be the proportion of stakes of the -th node. Then the expected time for the party to build a block-chain of length in a logarithmic stake system is no greater than

where , , and is the expectation of .

Proof. Note that, after the party has built blocks, the probability that the party is rewarded with stakes times is . Let be the time for the party to create the -th block, with the unit of time being the time for a CPU to perform one operation. Then

where is the probability mass function of the random variable , and

So the expected time for the node to chain the -th block is

Note that

So the expected time for the node to chain the -th block is no greater than

The theorem is proved.

Note that

Therefore by the above theorems, it is very difficult for an attacker to build the longest block-chain alone. To get a sense of the degree of the difficulty an attacker would face when he started to build the longest chain, we prove the following lemma.

Lemma 5.6

Suppose that a party with nodes is going to build a block-chain. Assume that the party conducts no transactions with nodes outside the party. Let be the proportion of stakes of the -th node. Let . Suppose that the probability mass function of vanishes at all points for which

Then the expected time for the party to build a long block-chain of length is no greater than

where , and .

Proof. We claim that, if

then

First, if , then

Secondly, if , then

The lemma now follows from the proof of Theorem 5.5.

6 Conclusion

We have proposed stake systems, which issue stakes as well as coins. Two subadditive stake systems are studied: the radical stake system and the logarithmic stake system. In both subadditive stake systems, an attacker would find it very difficult to build the longest block-chain alone.

References