1 Introduction
In 2009, Satoshi Nakamoto [Na] introduced the notion of a block-chain into P2P cash systems, giving birth to the famous Bitcoin, which is the first P2P cash system implemented in practice.
A cash system is a system which issues coins, and in which nodes transfer coins to each other. A P2P cash system is a cash system with a digital signature scheme in which transactions are digitally signed and are broadcast to all nodes. A block-chain cash system with a hash function and a threshold function is a P2P cash system, where transactions are collected into blocks, where the hash of a block is contained in the next block so that the blocks are chained one after another, where only the longest block-chain is considered to be correct, where a nonce is added to a block so that
and where an amount of new coins is rewarded to a block creator.
A block-chain cash system is said to be based on proof of work if
where is the scale of the system, and is the difficulty constant of the system.
A block-chain cash system is said to be based on proof of stake if
where is the scale of the system, is the difficulty constant of the system, is the creator of , is the block-chain after which is chained, is the balance of in , and is the amount of new coins awarded to a block creator.
We now propose stake systems. A stake system is a cash system which issues stakes as well as coins, in which nodes transfer coins to each other, and in which transaction fees are paid with coins. A P2P stake system is a stake system with a digital signature scheme in which transactions are digitally signed and are broadcast to all nodes. A block-chain stake system with a hash function , a coin-issue threshold function , and a stake-issue threshold function which is majored by the coin-issue threshold function is a P2P stake system where transactions are collected into blocks, where the hash of a block is contained in the next block so that the blocks are chained one after another, where only the longest block-chain is considered to be correct, where a nonce is added to a block so that
where an amount of new coins is rewarded to a block creator, and where an amount of new stakes is rewarded to a block creator if he has created a block, say , which satisfies
A block-chain cash system may be regarded as a block-chain stake system whose stake-issue threshold is the same as its coin-issue threshold, and in which stakes are never transferred between nodes, so that the stake of a node is just the product of and the number of times he has been rewarded.
A block-chain cash system may also be regarded as a block-chain stake system whose stake-issue threshold is the same as its coin-issue threshold, and in which coins once used to pay transaction fees lose their stakes, so that the stake of a node is the sum of the part of the coins he owns that has never been used to pay transaction fees and the part of the transaction fees he has paid with coins that were used to pay transaction fees for the first time.
2 Constant Stake Systems
A block-chain stake system is called a constant stake system if
and
where is the scale of the system, and are respectively the coin-issue difficulty constant and the stake-issue difficulty constant of the system.
The block-chain cash system based on proof of work may be regarded as a constant stake system in which . It is easy to see that a constant stake system is as secure as the block-chain cash system based on proof of work.
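The two-threshold rule of a block-chain stake system, in the constant case, can be exercised with the following added example, which is not code from the paper. The threshold values, reward amounts, block fields and the use of SHA-256 are constructed assumptions; the only property taken from the text is that the stake-issue threshold does not exceed the coin-issue threshold.

```python
import hashlib
import json
from dataclasses import dataclass

HASH_BITS = 256
# Constructed constants (assumptions of this example, not the paper's values).
COIN_THRESHOLD = 1 << (HASH_BITS - 8)    # roughly 1 nonce in 256 is accepted
STAKE_THRESHOLD = 1 << (HASH_BITS - 10)  # tighter bound: never above COIN_THRESHOLD
COIN_REWARD, STAKE_REWARD = 50, 1

@dataclass(frozen=True)
class Block:
    prev_hash: str
    creator: str
    payload: str
    nonce: int

    def digest(self) -> int:
        # JSON list encoding keeps field boundaries unambiguous.
        data = json.dumps([self.prev_hash, self.creator, self.payload, self.nonce])
        return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")

def mine(prev_hash, creator, payload):
    """Try nonces until the block hash is no greater than the coin-issue threshold."""
    nonce = 0
    while True:
        block = Block(prev_hash, creator, payload, nonce)
        if block.digest() <= COIN_THRESHOLD:
            return block
        nonce += 1

def build_chain(length, creator="node-A"):
    chain, prev = [], "genesis"
    for i in range(length):
        block = mine(prev, creator, f"tx-batch-{i}")
        chain.append(block)
        prev = f"{block.digest():064x}"
    return chain

def validate(chain):
    """Re-check linkage and thresholds; return (coins, stakes) by creator, or None."""
    coins, stakes, prev = {}, {}, "genesis"
    for block in chain:
        h = block.digest()
        if block.prev_hash != prev or h > COIN_THRESHOLD:
            return None  # broken hash link or insufficient work
        coins[block.creator] = coins.get(block.creator, 0) + COIN_REWARD
        if h <= STAKE_THRESHOLD:  # stakes are issued only under the tighter bound
            stakes[block.creator] = stakes.get(block.creator, 0) + STAKE_REWARD
        prev = f"{h:064x}"
    return coins, stakes
```

Every accepted block earns coins, but only the subset whose hash also falls under the stake-issue threshold earns stakes, and a validator recomputes both from the chain itself.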
3 Linear Stake Systems
A block-chain stake system is called a linear stake system if
and
where is the scale of the system, and are respectively the coin-issue difficulty constant and the stake-issue difficulty constant of the system, is the creator of , is the block-chain after which is chained, is the stake of in , and is the amount of new stakes awarded to a block-creator when the hash of the created block is no greater than the stake-issue threshold.
Though a linear stake system is a little different from a block-chain cash system based on proof of stake, it is still not resistant to long-term attacks.
4 Radical Stake Systems
Let . A stake system is called a radical stake system with equal exponent if
and
where is the scale of the system, and are respectively the coin-issue difficulty constant and the stake-issue difficulty constant of the system, is the creator of , is the block-chain after which is chained, is the stake of in , and is the amount of new stakes awarded to a block-creator when the hash of the created block is no greater than the stake-issue threshold. We now prove the following.
Theorem 4.1
Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length in a radical stake system with equal exponent is
where , and .
Proof. Note that, after the node has built blocks, the probability for him to be rewarded with stakes times is . So the expected time for the node to chain the -th block is
It follows that the expected time for the node to build a long block-chain of length is
The theorem is proved.
Corollary 4.2
Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length in a radical stake system with equal exponent in which is
Proof. As , we have and , and hence
The corollary now follows.
Lemma 4.3
We have
Proof. We have
The lemma is proved.
Corollary 4.4
Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length in a radical stake system with equal exponent is no greater than
The above corollary says that a node, who conducts no transactions on stakes with other nodes and is going to build a block-chain alone, gets no faster if he doesn’t add a new block to the block-chain until the hash of the block is no greater than the stake-issue threshold.
Theorem 4.5
Suppose that a party with nodes is going to build a block-chain. Assume that the party conducts no transactions on stakes with nodes outside the party. Let be the proportion of stakes of the -th node. Then the expected time for the party to build a block-chain of length in a radical stake system with equal exponent is no greater than
where , , and is the expectation of .
Proof. Note that, after the party has built blocks, the probability that the party is rewarded with stakes times is . Let be the time for the party to create the -th block with the unit time being the time for a CPU to perform one operation. Then
where is the probability mass function of the random variable , and
So the expected time for the node to chain the -th block is
Note that
So the expected time for the node to chain the -th block is no greater than
The theorem is proved.
Note that
Therefore by the above theorems, it is very difficult for an attacker to build the longest block-chain alone. To get a sense of the degree of the difficulty an attacker would face when he started to build the longest chain, we prove the following lemma.
Lemma 4.6
Let be the proportion of stakes of the -th node in a party with nodes. Let . Suppose that the probability mass function of vanishes at all points for which
Then
Proof. Note that,
So
The lemma is proved.
5 Logarithmic Stake Systems
A stake system is called a logarithmic stake system if
and
where is the scale of the system, and are respectively the coin-issue difficulty constant and the stake-issue difficulty constant of the system, is the creator of , is the block-chain after which is chained, is the stake of in , and is the amount of new stakes awarded to a block-creator when the hash of the created block is no greater than the stake-issue threshold. We now prove the following.
Theorem 5.1
Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length in a logarithmic stake system is
where , and .
Proof. Note that, after the node has built blocks, the probability for him to be rewarded with stakes times is . So the expected time for the node to chain the -th block is
It follows that the expected time for the node to build a long block-chain of length is
The theorem is proved.
Corollary 5.2
Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length in a logarithmic stake system in which is
Proof. As , we have and , and hence
The corollary now follows.
Lemma 5.3
We have
Proof. Note that
So
The lemma is proved.
Corollary 5.4
Suppose that a node, who conducts no transactions on stakes with other nodes, is going to build a block-chain alone. Then the expected time for the party to build a block-chain of length in a logarithmic stake system is no greater than
The above corollary says that a node, who conducts no transactions on stakes with other nodes and is going to build a block-chain alone, gets no faster if he doesn’t add a new block to the block-chain until the hash of the block is no greater than the stake-issue threshold.
Theorem 5.5
Suppose that a party with nodes is going to build a block-chain. Assume that the party conducts no transactions on stakes with nodes outside the party. Let be the proportion of stakes of the -th node. Then the expected time for the party to build a block-chain of length in a logarithmic stake system is no greater than
where , , and is the expectation of .
Proof. Note that, after the party has built blocks, the probability that the party is rewarded with stakes times is . Let be the time for the party to create the -th block with the unit time being the time for a CPU to perform one operation. Then
where is the probability mass function of the random variable , and
So the expected time for the node to chain the -th block is
Note that
So the expected time for the node to chain the -th block is no greater than
The theorem is proved.
Note that
Therefore by the above theorems, it is very difficult for an attacker to build the longest block-chain alone. To get a sense of the degree of the difficulty an attacker would face when he started to build the longest chain, we prove the following lemma.
Lemma 5.6
Suppose that a party with nodes is going to build a block-chain. Assume that the party conducts no transactions with nodes outside the party. Let be the proportion of stakes of the -th node. Let . Suppose that the probability mass function of vanishes at all points for which
Then the expected time for the party to build a long block-chain of length is no greater than
where , and .
Proof. We claim that, if
then
First, if , then
Secondly, if , then
The lemma now follows from the proof of Theorem 5.5.
6 Conclusion
We have proposed stake systems, which issue stakes as well as coins. Two subadditive stake systems are studied: the radical stake system and the logarithmic stake system. In both subadditive stake systems, an attacker would find it very difficult to build the longest block-chain alone.
References
- [BGM] I. Bentov, A. Gabizon, and A. Mizrahi, Cryptocurrencies without proof of work, CoRR, abs/1406.5694, 2014.
- [BPS] I. Bentov, R. Pass, and E. Shi, Snow white: Provably secure proof of stake, http://eprint.iacr.org/2016919, 2016.
- [Bu] V. Buterin, Long-range attacks: The serious problem with adaptive proof of work, https://download.wpsoftware.net/bitcion/old.pos.pdf, 2014.
- [NXT] The NXT Community, NXT whitepaper, https://bravenewcoin.com/assets/Whitepapers/NxtWhitepaper-v122-rev4.pdf, 2014.
- [DGKR] B. David, P. Gaz̆i, A. Kiayias, and A. Russell, Ouroboros praos: An adaptively-secure semi-synchronous proof of stake protocol, http://eprint.iacr.org/2017573, 2017.
- [KN] S. King, and S. Nadal, Ppcoin: Peer-to-peer crypto-currency with proof of stake, https://ppcoin.net/assets/paper/ppcoin-paper.pdf, 2012.
- [KRDO] A. Kiayias, A. Russell, B. David, and R. Oliynykov, Ouroboros: A provably secure proof of stake block-chain protocol, In J. Katz and S. Shacham, editors, CRYPTO 2017, Part I, vol. 10401 of LNCS, 357-388, Springer, Heidelberg, 2017.
- [Mi] S. Micali, ALGORAND: The efficient and democratic ledger, CoRR, abs/1607.0134, 2016.
- [Po] A. Poelstra, Distributed consensus from proof of stake is impossible, https://download.wpsoftware.net/bitcion/old.pos.pdf, 2014.
- [Na] S. Nakamoto, A peer-to-peer cash system, http://bitcoin.org/bitcoin.pdf, 2008.