Subadditive threshold in proof of stake system

1 Introduction

In 2009, Satoshi Nakamoto [Na] introduced the notion of block-chain into P2P cash systems, giving birth to the famous Bitcoin, which is the first P2P cash implemented in practise.

A cash system is a system which issues coins, and in which nodes transfer coins to each other. A P2P cash system is a cash system with a digital signature scheme in which transactions are digitally signed and are broadcast to all nodes. A block-chain cash system with a hash function $B \mapsto h a s h (B)$ and a threshold function $B \mapsto t h r e s h o l d (B)$ is a P2P cash system, where transactions are collected into blocks, where the hash of a block is contained in the next block so that the blocks are chained one after another, where only the longest block-chain is considered to correct, where a nonce is added to a block so that

h a s h (B) \leq t h r e s h o l d (B), \forall B,

and where an amount of $R w d$ new coins are rewarded to a block creator.

A block-chain cash system is said to be based on proof of work if

t h r e s h o l d (B) = \frac{M}{D}, \forall B,

where $M$ is the scale of the system, and $D$ is the difficulty constant of the system.

A block-chain cash system is said to be based on proof of stake if

t h r e s h o l d (B) = M \cdot \frac{b a l (A; C) + R w d}{D}, \forall B,

where $M$ is the scale of the system, $D$ is the difficulty constant of the system, $A$ is the creator of $B$ , $C$ is the block-chain after which $B$ is chained, $b a l (A; C)$ is the balance of $A$ in $C$ , and $R w d$ is the amount of new coins awarded to a block creator.

The block-chain cash system based on proof of stake have been studied by many authors [KN, BGM, NXT, Mi, BPS, DGKR, KRDO]. However, the block-chain cash system based on proof of stake seems vulnerable to long-term attacks, see, e.g. [Bu, Po].

We now propose stake systems. A stake system is a cash system which issues stakes as well as coins, in which nodes transfer coins to each other, and in which transaction fees are paid with coins. A P2P stake system is a stake system with a digital signature scheme in which transactions are digitally signed and are broadcast to all nodes. A block-chain stake system with a hash function $B \mapsto h a s h (B)$ , a coin-issue threshold function $B \mapsto t h r e s h o l d (B)$ , and a stake-issue threshold function $B \mapsto s t a k t h r e s h o l d (B)$ which is majored by the coin-issue threshold function is a P2P stake system where transactions are collected into blocks, where the hash of a block is contained in the next block so that the blocks are chained one after another, where only the longest block-chain is considered to correct, where a nonce is added to a block so that

h a s h (B) \leq c o i n t h r e s h o l d (B), \forall B,

where an amount of $C o i n R w d$ new coins are rewarded to a block creator, and where an amount of $S t a k R w d$ new stakes are rewarded to a block creator if he has created a block, say $B$ , which satisfies

h a s h (B) \leq s t a k t h r e s h o l d (B) .

A block-chain cash system may be regarded as a block-chain stake system whose stake-issue threshold is the same as its coin-issue threshold, and in which stakes are never transferred to each other so that the stakes of a node is just the product of $R w d$ and the times he has got rewarded.

A block-chain cash system may also be regarded as a block-chain stake system whose stake-issue threshold is the same as its coin-issue threshold, and in which coins ever used to pay transaction fees lost their stakes so that the stakes of a node is the sum of the part of coins he owned but is never used to pay transaction fees and the part of transaction fees he has paid with coins which is used to pay transaction fees for the first time.

2 Constant Stake Systems

A block-chain stake system is called a constant stake system if if

c o i n t h r e s h o l d (B) = \frac{M}{C o i n D}, \forall B,

and

s t a k t h r e s h o l d (B) = \frac{M}{S t a k D}, \forall B,

where $M$ is the scale of the system, $C o i n D$ and $S t a k D$ are respectively the coin-issue difficulty constant and the stake-issue difficulty constant of the system.

The block-chain cash system based on proof of work may be regarded as a constant stake system in which $C o i n D = S t a k D$ . It is easy to see that a constant stake system is as secure as the block-chain cash system based on proof of work.

3 Linear Stake Systems

A block-chain stake system is called a linear stake system if

c o i n t h r e s h o l d (B) = M \cdot \frac{s t a k (A; C) + S t a k R w d}{C o i n D}, \forall B,

and

s t a k t h r e s h o l d (B) = M \cdot \frac{s t a k (A; C) + S t a k R w d}{S t a k D}, \forall B,

where $M$ is the scale of the system, $C o i n D$ and $S t a k D$ are respectively the coin-issue difficulty constant and the stake-issue difficulty constant of the system, $A$ is the creator of $B$ , $C$ is the block-chain after which $B$ is chained, $s t a k (A; C)$ is the stake of $A$ in $C$ , and $S t a k R w d$ is the amount of new stakes awarded to a block-creator when the hash of the created block is no greater than the stake-issue threshold.

Though a linear stake system is a little different from a block-chain cash system based on proof of stake, it is still not resistant to long-term attacks.

4 Radical Stake Systems

Let $0 < a < 1$ . A stake system is called a radical stake system with equal exponent $a$ if

c o i n t h r e s h o l d (B) = M \cdot \frac{(S t a k R w d + s t a k (A, C))^{a}}{C o i n D}

and

s t a k t h r e s h o l d (B) = M \cdot \frac{(S t a k R w d + s t a k (A, C))^{a}}{S t a k D},

Theorem 4.1

Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length $L$ in a radical stake system with equal exponent $a$ is

\frac{C o i n D}{{S t a k R w d}^{a}} L - 1 \sum n = 0 n \sum k = 0 \frac{1}{(k + 1)^{a}} (\frac{n}{k}) p^{k} q^{n - k},

where $p = \frac{C o i n D}{S t a k D}$ , and $q = 1 - p$ .

Proof. Note that, after the node has built $n$

blocks, the probability for him to be rewarded with stakes

k

times is

(\frac{n}{k}) p^{k} q^{n - k}

. So the expected time for the node to chain the

(n + 1)

-th block is

n \sum k = 0 \frac{C o i n D}{(k + 1)^{a} \cdot {S t a k R w d}^{a}} (\frac{n}{k}) p^{k} q^{n - k}

= \frac{C o i n D}{{S t a k R w d}^{a}} n \sum k = 0 \frac{1}{(k + 1)^{a}} (\frac{n}{k}) p^{k} q^{n - k} .

It follows that the expected time for the node to build a long block-chain of length $L$ is

\frac{C o i n D}{{S t a k R w d}^{a}} L - 1 \sum n = 0 n \sum k = 0 \frac{1}{(k + 1)^{a}} (\frac{n}{k}) p^{k} q^{n - k} .

The theorem is proved.

Corollary 4.2

\frac{C o i n D}{{S t a k R w d}^{a}} L - 1 \sum n = 0 \frac{1}{(n + 1)^{a}} .

Proof. As $C o i n D = S t a k D$ , we have $p = 1$ and $q = 0$ , and hence

n \sum k = 0 \frac{1}{(k + 1)^{a}} (\frac{n}{k}) p^{k} q^{n - k} = \frac{1}{(n + 1)^{a}} .

The corollary now follows.

Lemma 4.3

We have

n \sum k = 0 \frac{1}{(k + 1)^{a}} (\frac{n}{k}) p^{k} q^{n - k} \leq \frac{1}{p} \cdot \frac{1 - q^{n + 1}}{(n + 1)^{a}} .

Proof. We have

n \sum k = 0 \frac{1}{(k + 1)^{a}} (\frac{n}{k}) p^{k} q^{n - k}

= \frac{1}{(n + 1)^{a}} n \sum k = 0 \frac{(n + 1)^{a}}{(k + 1)^{a}} (\frac{n}{k}) p^{k} q^{n - k}

\leq \frac{1}{(n + 1)^{a}} n \sum k = 0 \frac{n + 1}{k + 1} (\frac{n}{k}) p^{k} q^{n - k}

\leq \frac{1}{p} \cdot \frac{1 - q^{n + 1}}{(n + 1)^{a}} .

The lemma is proved.

Corollary 4.4

\frac{S t a k D}{{S t a k R w d}^{a}} L - 1 \sum n = 0 \frac{1}{(n + 1)^{a}} .

The above corollary says that a node, who conducts no transactions on stakes with other nodes and is going to build a block-chain alone, gets no faster if he doesn’t add a new block to the block-chain until the hash of the block is no greater than the stake-issue threshold.

Theorem 4.5

Suppose that a party with $m \geq 2$ nodes is going to build a block-chain. Assume that the party conducts no transactions on stakes with nodes outside the party. Let $X_{i}$ be the proportion of stakes of the $i$ -th node. Then the expected time for the party to build a block-chain of length $L$ in a radical stake system with equal exponent $a$ is no greater than

E ((m \sum i = 1 X_{i}^{a})^{- 1}) \frac{C o i n D}{{S t a k R w d}^{a}} L \sum n = 1 n \sum k = 0 \frac{1}{(k + 1)^{a}} (\frac{n}{k}) p^{k} q^{n - k},

where $p = \frac{C o i n D}{S t a k D}$ , $q = 1 - p$ , and $E ((\sum_{i = 1}^{m} X_{i}^{a})^{- 1})$ is the expectation of $(\sum_{i = 1}^{m} X_{i}^{a})^{- 1}$ .

Proof. Note that, after the party has built $n$ blocks, the probability that the party is rewarded with stakes $k$ times is $(\frac{n}{k}) p^{k} q^{n - k}$ . Let $T$ be the time for the party creates the $(n + 1)$ -th block with the unit time being the time for a CPU to perform one operation. Then

P (T = t) = n \sum k = 0 (\frac{n}{k}) p^{k} q^{n - k} \sum \to x f (\to x) (α (\to x)^{t - 1} - α (\to x)^{t}),

where $f (\to x)$

is the probability mass function of the random variable

(X_{1}, \dots, X_{m})

, and

α (\to x) = m \prod i = 1 (1 - \frac{(1 + k x_{i})^{a} {S t a k R w d}^{a}}{C o i n D}) .

So the expected time for the node to chain the $(n + 1)$ -th block is

n \sum k = 0 (\frac{n}{k}) p^{k} q^{n - k} \sum \to x f (\to x) \frac{C o i n D}{} m \sum i = 1 (k x_{i} + 1)^{a} \cdot {S t a k R w d}^{a}

Note that

k x + 1 \geq (k + 1) x, 0 \leq x \leq 1.

So the expected time for the node to chain the $(n + 1)$ -th block is no greater than

\leq \frac{C o i n D}{{S t a k R w d}^{a}} n \sum k = 0 \frac{1}{(k + 1)^{a}} (\frac{n}{k}) p^{k} q^{n - k} \sum \to x \frac{f (\to x)}{\sum_{i = 1}^{m} x_{i}^{a}} .

The theorem is proved.

Note that

E ((m \sum i = 1 X_{i}^{a})^{- 1}) < 1.

Therefore by the above theorems, it is very difficult for an attacker to build the longest block-chain alone. To get a sense of the degree of the difficulty an attacker would face when he started to build the longest chain, we prove the following lemma.

Lemma 4.6

Let $X_{i}$ be the proportion of stakes of the $i$ -th node in a party with $m$ nodes. Let $c > 1$ . Suppose that the probability mass function of $(X_{1}, \dots, X_{m})$ vanishes at all points $(x_{1}, \dots, x_{m})$ for which

| {i ∣ x_{i} > \frac{1}{m}} | < c m^{a} .

Then

E ((m \sum i = 1 X_{i}^{a})^{- 1}) \leq \frac{1}{c} .

Proof. Note that,

m \sum i = 1 x_{i}^{a} \geq c whenever | {i ∣ x_{i} > \frac{1}{m}} | \geq c m^{a} .

E ((m \sum i = 1 X_{i}^{a})^{- 1}) \leq E (\frac{1}{c}) \leq \frac{1}{c} .

The lemma is proved.

5 Logarithmic Stake Systems

A stake system is called a logarithmic stake system if

c o i n t h r e s h o l d (B) = M \cdot \frac{{log}_{2} (S t a k R w d + s t a k (A, C))}{C o i n D}

and

s t a k t h r e s h o l d (B) = M \cdot \frac{{log}_{2} (S t a k R w d + s t a k (A, C))}{S t a k D},

Theorem 5.1

= C o i n D L - 1 \sum n = 0 n \sum k = 0 \frac{1}{{log}_{2} (k + 1) + {log}_{2} S t a k R w d} (\frac{n}{k}) p^{k} q^{n - k},

where $p = \frac{C o i n D}{S t a k D}$ , and $q = 1 - p$ .

Proof. Note that, after the node has built $n$ blocks, the probability for him to be rewarded with stakes $k$ times is $(\frac{n}{k}) p^{k} q^{n - k}$ . So the expected time for the node to chain the $(n + 1)$ -th block is

n \sum k = 0 \frac{C o i n D}{{log}_{2} (k + 1) + {log}_{2} S t a k R w d} (\frac{n}{k}) p^{k} q^{n - k}

= C o i n D n \sum k = 0 \frac{1}{{log}_{2} (k + 1) + {log}_{2} S t a k R w d} (\frac{n}{k}) p^{k} q^{n - k} .

It follows that the expected time for the node to build a long block-chain of length $L$ is

= C o i n D L - 1 \sum n = 0 n \sum k = 0 \frac{1}{{log}_{2} (k + 1) + {log}_{2} S t a k R w d} (\frac{n}{k}) p^{k} q^{n - k} .

The theorem is proved.

Corollary 5.2

C o i n D L - 1 \sum n = 0 \frac{1}{{log}_{2} (n + 1) + {log}_{2} S t a k R w d} .

Proof. As $C o i n D = S t a k D$ , we have $p = 1$ and $q = 0$ , and hence

n \sum k = 0 \frac{1}{{log}_{2} (k + 1) + {log}_{2} S t a k R w d} (\frac{n}{k}) p^{k} q^{n - k}

= \frac{1}{{log}_{2} (n + 1) + {log}_{2} S t a k R w d} .

The corollary now follows.

Lemma 5.3

We have

n \sum k = 0 \frac{1}{{log}_{2} (k + 1) + {log}_{2} S t a k R w d} (\frac{n}{k}) p^{k} q^{n - k}

\leq \frac{1}{p} \cdot \frac{1 - q^{n + 1}}{{log}_{2} (n + 1) + {log}_{2} S t a k R w d} .

Proof. Note that

\frac{{log}_{2} (n + 1) + {log}_{2} S t a k R w d}{{log}_{2} (k + 1) + {log}_{2} S t a k R w d} \leq \frac{n + 1}{k + 1} .

n \sum k = 0 \frac{1}{{log}_{2} (k + 1) + {log}_{2} S t a k R w d} (\frac{n}{k}) p^{k} q^{n - k}

\leq \frac{1}{{log}_{2} (n + 1) + {log}_{2} S t a k R w d} n \sum k = 0 \frac{n + 1}{k + 1} (\frac{n}{k}) p^{k} q^{n - k}

\leq \frac{1}{p} \cdot \frac{1 - q^{n + 1}}{{log}_{2} (n + 1) + {log}_{2} S t a k R w d} .

The lemma is proved.

Corollary 5.4

S t a k D L - 1 \sum n = 0 \frac{1}{{log}_{2} (n + 1) + {log}_{2} S t a k R w d} .

Theorem 5.5

C o i n D \cdot E ((m \sum i = 1 {log}_{2} (1 + X_{i}))^{- 1}) L \sum n = 1 n \sum k = 0 \frac{(\frac{n}{k}) p^{k} q^{n - k}}{{log}_{2} (k + 1) + {log}_{2} S t a k R w d},

where $p = \frac{C o i n D}{S t a k D}$ , $q = 1 - p$ , and $E ((\sum_{i = 1}^{m} {log}_{2} (1 + X_{i}))^{- 1})$ is the expectation of $(\sum_{i = 1}^{m} {log}_{2} (1 + X_{i}))^{- 1}$ .

P (T = t) = n \sum k = 0 (\frac{n}{k}) p^{k} q^{n - k} \sum \to x f (\to x) (α (\to x)^{t - 1} - α (\to x)^{t - 1}),

where $f (\to x)$ is the probability mass function of the random variable $(X_{1}, \dots, X_{m})$ , and

α (\to x) = m \prod i = 1 (1 - \frac{{log}_{2} (1 + k x_{i}) + {log}_{2} S t a k R w d}{C o i n D}) .

So the expected time for the node to chain the $(n + 1)$ -th block is

n \sum k = 0 (\frac{n}{k}) p^{k} q^{n - k} \sum \to x f (\to x) \frac{C o i n D}{} m \sum i = 1 ({log}_{2} S t a k R w d + {log}_{2} (k x_{i} + 1)) .

Note that

{log}_{2} (1 + k x) \geq {log}_{2} (1 + k) \times {log}_{2} (1 + x), 0 \leq x \leq 1.

So the expected time for the node to chain the $(n + 1)$ -th block is no greater than

C o i n D n \sum k = 0 \frac{(\frac{n}{k}) p^{k} q^{n - k}}{{log}_{2} (k + 1) + {log}_{2} S t a k R w d} \sum \to x \frac{f (\to x)}{\sum_{i = 1}^{m} {log}_{2} (1 + x_{i})} .

The theorem is proved.

Note that

E ((m \sum i = 1 {log}_{2} (1 + X_{i}))^{- 1}) < 1.

Lemma 5.6

Suppose that a party with $m > 2$ nodes is going to build a block-chain. Assume that the party conducts no transactions with nodes outside the party. Let $X_{i}$ be the proportion of stakes of the $i$ -th node. Let $1 < c \leq \frac{m}{{log}_{2} (m + 1)}$ . Suppose that the probability mass function of $(X_{1}, \dots, X_{n})$ vanishes at all points $(x_{1}, \dots, x_{m})$ for which

| {i ∣ x_{i} > \frac{1}{m}} | < 2 c {log}_{2} m .

Then the expected time for the party to build a long block-chain of length $L$ is no greater than

\frac{C o i n D}{c} L \sum n = 1 n \sum k = 0 \frac{(\frac{n}{k}) p^{k} q^{n - k}}{} {log}_{2} (k + 1) + {log}_{2} S t a k R w d,

where $p = \frac{C o i n D}{S t a k D}$ , and $q = 1 - p$ .

Proof. We claim that, if

| {i ∣ x_{i} > \frac{1}{m}} | \geq 2 c {log}_{2} m,

then

m \sum i = 1 ({log}_{2} S t a k R w d + {log}_{2} (k x_{i} + 1)) \geq c ({log}_{2} S t a k R w d + {log}_{2} (k + 1)) .

First, if $k \leq m$ , then

m \sum i = 1 ({log}_{2} S t a k R w d + {log}_{2} (k x_{i} + 1))

\geq m {log}_{2} S t a k R w d

\geq c ({log}_{2} S t a k R w d + {log}_{2} (k + 1)) .

Secondly, if $k > m$ , then

m \sum i = 1 ({log}_{2} S t a k R w d + {log}_{2} (k x_{i} + 1))

\geq m {log}_{2} S t a k R w d + 2 c ({log}_{2} m) ({log}_{2} (k + m) - {log}_{2} m)

\geq c ({log}_{2} S t a k R w d + {log}_{2} (k + 1)) .

The lemma now follows from the proof of Theorem 5.5.

6 Conclusion

We have proposed stake system which issues stakes as well as coins. Two subadditive stake systems are studied: the radical stake system and the logarithmic stake system. In both subadditive stake systems, an attacker would find it very difficult to build the longest block-chain alone.

References

[BGM] I. Bentov, A. Gabizon, and A. Mizrahi, Cryptocurrencies without of proof of work , CoRR, abs/1406.5694, 2014.
[BPS] I. Bentov, R. Pass, and E. Shi, Snow white: Provably secure proof of stake , http://eprint.iacr.org/2016919, 2016.
[Bu] V. Buterin, Long-range attacks: The serious problem with adaptive proof of work ,
https://download.wpsoftware.net/bitcion/old.pos.pdf, 2014.
[NXT] The NXT Community, NXT whitepaper ,
https://bravenewcoin.com/assets/Whitepapers/NxtWhitepaper-v122-rev4.pdf, 2014.
[DGKR] B. David, P. Gaz̆i, A. Kiayias, and A. Russell, Ouroboros praos: An adaptively-secure semi-synchronous proof of stake protocol , http://eprint.iacr.org/2017573, 2017.
[KN] S. King, and S. Nadal, Ppcoin: Peer-to-peer crypto-currency with proof of stake , https://ppcoin.net/assets/paper/ppcoin-paper.pdf, 2012.
[KRDO] A. Kiayias, A. Russell, B. David, and R. Oliynykov, Ouroboros: A provably secure proof of stake block-chain protocol , In J. Kakz and S. Shacham, editors, CRYPTO 2017, Part I, vol. 10401 of LNCS,357-388, Springer, Heidelberg, 2017.
[Mi] S. Micali, ALGORAND: The efficient and demacradic leger , CoRR, abs/1607.0134, 2016.
[Po] A. Poelstra, Distributed consensus from proof of stake is impssible , https://download.wpsoftware.net/bitcion/old.pos.pdf, 2014.
[Na] S. Nakamoto, A peer-to-peer cash system ,
http://bitcoin.org/bitcoin.pdf, 2008.

Subadditive threshold in proof of stake system

Authors

Proof of subadditive stake in block-chain cash system

Parallel repetition with a threshold in quantum interactive proofs

Subadditive stake systems

Threshold and Revocation Encryptions via Threshold Trapdoor Function

On the Seidel spectrum of threshold graphs

Foresight AND Hindsight

The satisfiability threshold for random linear equations

1 Introduction

2 Constant Stake Systems

3 Linear Stake Systems

4 Radical Stake Systems

Theorem 4.1

Corollary 4.2

Lemma 4.3

Corollary 4.4

Theorem 4.5

Lemma 4.6

5 Logarithmic Stake Systems

Theorem 5.1

Corollary 5.2

Lemma 5.3

Corollary 5.4

Theorem 5.5

Lemma 5.6

6 Conclusion

References

Subadditive threshold in proof of stake system

Authors

Related Research

Proof of subadditive stake in block-chain cash system

Parallel repetition with a threshold in quantum interactive proofs

Subadditive stake systems

Threshold and Revocation Encryptions via Threshold Trapdoor Function

On the Seidel spectrum of threshold graphs

Foresight AND Hindsight

The satisfiability threshold for random linear equations

This week in AI

1 Introduction

2 Constant Stake Systems

3 Linear Stake Systems

4 Radical Stake Systems

Theorem 4.1

Corollary 4.2

Lemma 4.3

Corollary 4.4

Theorem 4.5

Lemma 4.6

5 Logarithmic Stake Systems

Theorem 5.1

Corollary 5.2

Lemma 5.3

Corollary 5.4

Theorem 5.5

Lemma 5.6

6 Conclusion

References