Proofs of Work for Blockchain Protocols

Lecture Notes in Computer Science, 2016

We study cryptocurrency protocols that do not make use of Proof of Work. Such protocols commonly rely on Proof of Stake, i.e. on mechanisms that extend voting power to the stakeholders of the system. We offer analysis of existing protocols that have a substantial amount of popularity. We then present our novel pure Proof of Stake protocols, and argue that the they help in mitigating problems that the existing protocols suffer from.

Advances in Cryptology - EUROCRYPT 2015, 2015

Bitcoin is the first and most popular decentralized cryptocurrency to date. In this work, we extract and analyze the core of the Bitcoin protocol, which we term the Bitcoin backbone, and prove two of its fundamental properties which we call common prefix and chain quality in the static setting where the number of players remains fixed. Our proofs hinge on appropriate and novel assumptions on the "hashing power" of the adversary relative to network synchronicity; we show our results to be tight under high synchronization. Next, we propose and analyze applications that can be built "on top" of the backbone protocol, specifically focusing on Byzantine agreement (BA) and on the notion of a public transaction ledger. Regarding BA, we observe that Nakamoto's suggestion falls short of solving it, and present a simple alternative which works assuming that the adversary's hashing power is bounded by 1/3. The public transaction ledger captures the essence of Bitcoin's operation as a cryptocurrency, in the sense that it guarantees the liveness and persistence of committed transactions. Based on this notion we describe and analyze the Bitcoin system as well as a more elaborate BA protocol, proving them secure assuming high network synchronicity and that the adversary's hashing power is strictly less than 1/2, while the adversarial bound needed for security decreases as the network desynchronizes.

2020

Consensus algorithms for public blockchains require computing or financial resources to secure the blockchain state. Mining mechanisms used by these algorithms are broadly divided into proof-of-work, in which nodes dedicate computing resources, and proof-of-stake, in which nodes dedicate financial resources to participate in the consensus algorithm. The high-level idea behind both proof-of-work and proof-of-stake is to make it practically infeasible for any single malicious actor to have enough computing power or ownership stake to attack the network. A variant of proof-of-work is proof-of-burn where miners compete by ”burning” (destroying) a proof-of-work cryptocurrency as a proxy for computing resources. In this paper, we introduce a new mining mechanism, called proof-of-transfer (PoX) that generalizes the concept of proof-of-burn. PoX uses the proof-of-work cryptocurrency of an established blockchain to secure a new blockchain. However, unlike proof-of-burn rather than burning th...

Secure Information Networks, 1999

We formalize the notion of a proof of work (POW). In many cryptographie protocols, a prover seeks to convince a verifier that she possesses knowledge of a secret or that a certain mathematical relation holds true. By contrast, in a POW, a prover demonstrates to a verifier that she has performed a certain amount of computational work in a specified interval of time. POWs have served as the basis of a number of security protocols in the literat ure, but have hitherto lacked careful characterization. In this paper, we offer definitions treating the notion of a POW and related concepts. We also introduce the dependent idea of a bread pudding protocol. Bread pudding is a dish that originated with the purpose of reusing bread that has gone stale. In the same spirit, we define a bread pudding protocol to be a POW such that the computational effort invested in the proof may be reused by the verifier to achieve aseparate, useful, and verifiably correct computation. As an example of a bread pudding protocol, we show how the MicroMint scheme of Rivest and Shamir can be broken up into a collection of POW s. These POW s can not only serve in their own right as mechanisms for security protocols, but can also be harvested in order to outsource the MicroMint minting operation to a large group of untrusted computational devices.

2017

Blockchains generated using a proofof-work consensus protocol, such as Bitcoin or Ethereum, are promising sources of public randomness. However, the randomness is subject to manipulation by the miners generating the blockchain. A general defense is to apply a delay function, preventing malicious miners from computing the random output until it is too late to manipulate it. Ideally, this delay function can provide a short proofof-delay that is efficient enough to be verified within a smart contract, enabling the randomness source to be directly by smart contracts. In this paper we describe the challenges of solving this problem given the extremely limited computational capacity available in Ethereum, the most popular generalpurpose smart contract framework to date. We introduce a novel multi-round protocol for verifying delay functions using a refereed delegation model. We provide a prototype Ethereum implementation to analyze performance and find that it is feasible in terms of gas ...

2018 IEEE Symposium on Security and Privacy (SP), 2018

We propose Bulletproofs, a new non-interactive zeroknowledge proof protocol with very short proofs and without a trusted setup; the proof size is only logarithmic in the witness size. Bulletproofs are especially well suited for efficient range proofs on committed values: they enable proving that a committed value is in a range using only 2 log 2 pnq`9 group and field elements, where n is the bit length of the range. Proof generation and verification times are linear in n. Bulletproofs greatly improve on the linear (in n) sized range proofs in existing proposals for confidential transactions in Bitcoin and other cryptocurrencies. Moreover, Bulletproofs supports aggregation of range proofs, so that a party can prove that m commitments lie in a given range by providing only an additive Oplogpmqq group elements over the length of a single proof. To aggregate proofs from multiple parties, we enable the parties to generate a single proof without revealing their inputs to each other via a simple multi-party computation (MPC) protocol for constructing Bulletproofs. This MPC protocol uses either a constant number of rounds and linear communication, or a logarithmic number of rounds and logarithmic communication. We show that verification time, while asymptotically linear, is very efficient in practice. The marginal cost of batch verifying 32 aggregated range proofs is less than the cost of verifying 32 ECDSA signatures. Bulletproofs build on the techniques of Bootle et al. (EUROCRYPT 2016). Beyond range proofs, Bulletproofs provide short zero-knowledge proofs for general arithmetic circuits while only relying on the discrete logarithm assumption and without requiring a trusted setup. We discuss many applications that would benefit from Bulletproofs, primarily in the area of cryptocurrencies. The efficiency of Bulletproofs is particularly well suited for the distributed and trustless nature of blockchains. The full version of this article is available at [1]. 1.1. Our Contributions We present Bulletproofs, a new zero-knowledge argument of knowledge 1 system, to prove that a secret committed 1. Proof systems with computational soundness like Bulletproofs are sometimes called argument systems. We will use the terms proof and argument interchangeably.

Publicly Verifiable Randomness has many useful and interesting applications in e-voting, distributed cryptography, secure multiparty computation, lotteries, sports seeding and many more. While the output of a Publicly Verifiable Randomness is provably unpredictable for a strong adversary, it is expected that its closeness to a uniform distribution is verifiable for any party. The inherent randomness in public blockchains such as Bitcoin has been the topic of several research papers and been used in lotteries and other multi-party protocols. However, recently it has been argued that an adversary can have a significant impact on the probability distribution of the output with much lower financial cost. Here, in this paper, we propose a new scheme based on the properties of Verifiable Secret Sharing protocols and Threshold Cryptosystems, that uses semi-trusted third parties to improve the security of Verifiable Public Randomness from any public blockchain. We argue that a successful attack against our scheme to impose a bias on a single bit of the output randomness requires not only a significant financial cost but also a corruption of more than k out of n trusted delegates.

Advances in Cryptology – CRYPTO 2017, 2017

Bitcoin's innovative and distributedly maintained blockchain data structure hinges on the adequate degree of difficulty of so-called "proofs of work," which miners have to produce in order for transactions to be inserted. Importantly, these proofs of work have to be hard enough so that miners have an opportunity to unify their views in the presence of an adversary who interferes but has bounded computational power, but easy enough to be solvable regularly and enable the miners to make progress. As such, as the miners' population evolves over time, so should the difficulty of these proofs. Bitcoin provides this adjustment mechanism, with empirical evidence of a constant block generation rate against such population changes. In this paper we provide the first formal analysis of Bitcoin's target (re)calculation function in the cryptographic setting, i.e., against all possible adversaries aiming to subvert the protocol's properties. We extend the q-bounded synchronous model of the Bitcoin backbone protocol [Eurocrypt 2015], which posed the basic properties of Bitcoin's underlying blockchain data structure and shows how a robust public transaction ledger can be built on top of them, to environments that may introduce or suspend parties in each round. We provide a set of necessary conditions with respect to the way the population evolves under which the "Bitcoin backbone with chains of variable difficulty" provides a robust transaction ledger in the presence of an actively malicious adversary controlling a fraction of the miners The full version of this paper can be found at the Cryptology ePrint Archive [12].

Consensus algorithms for public blockchains require computing or financial resources to secure the blockchain state. Mining mechanisms used by these algorithms are broadly divided into proof-of-work, in which nodes dedicate computing resources, and proof-of-stake, in which nodes dedicate financial resources to participate in the consensus algorithm. The high-level idea behind both proof-of-work and proof-of-stake is to make it practically infeasible for any single malicious actor to have enough computing power or ownership stake to attack the network. A variant of proof-of-work is proof-of-burn where miners compete by "burning" (destroying) a proof-of-work cryptocurrency as a proxy for computing resources. In this paper, we introduce a new mining mechanism, called proof-of-transfer (PoX) that generalizes the concept of proof-of-burn. PoX uses the proof-of-work cryptocurrency of an established blockchain to secure a new blockchain. However, unlike proof-of-burn rather than burning the cryptocurrency, miners transfer the committed cryptocurrency to some other participant(s) in the network. This allows network participants who are adding value to the new cryptocurrency network to earn a reward in a base cryptocurrency by actively participating in the consensus algorithm. PoX encourages a model where there is one extremely secure proof-of-work blockchain, say Bitcoin. Other new blockchains can be anchored on the secure proof-of-work blockchain instead of introducing new proof-of-work chains. PoX has the interesting property where participants can earn payouts in a separate, potentially more stable, base cryptocurrency while participating in the new blockchain network. This can help solve a bootstrapping problem for new blockchains by providing incentives for early participants. Further, PoX has a potential use case for funding ecosystem developer funds. We present a proposal for using PoX in the Stacks 2.0 blockchain.

Theory of Cryptography, 2017

Blockchain technology has the potential to disrupt how cryptography is done. In this work, we propose to view blockchains as an "enabler", much like indistinguishability obfuscation or oneway functions, for building a variety of cryptographic systems. Our contributions in this work are as follows: 1. A Framework for Proof-of-Stake based Blockchains: We provide an abstract framework for formally analyzing and defining useful security properties for Proof-of-Stake (POS) based blockchain protocols. Interestingly, for some of our applications, POS based protocols are more suitable. We believe our framework and assumptions would be useful in building applications on top of POS based blockchain protocols even in the future. Cryptography: A trusted setup, such as a common reference string (CRS) has been used to realize numerous systems in cryptography. The paragon example of a primitive requiring trusted setup is a noninteractive zero-knowledge (NIZK) system. We show that already existing blockchains systems including Bitcoin, Ethereum etc. can be used as a foundation (instead of a CRS) to realize NIZK systems. The novel aspect of our work is that it allows for utilizing an already existing (and widely trusted) setup rather than proposing a new one. Our construction does not require any additional functionality from the miners over the already existing ones, nor do we need to modify the underlying blockchain protocol. If an adversary can violate the security of our NIZK, it could potentially also take over billions of dollars worth of coins in the Bitcoin, Ethereum or any such cryptocurrency! We believe that such a "trusted setup" represents significant progress over using CRS published by a central trusted party. Indeed, NIZKs could further serve as a foundation for a variety of other cryptographic applications such as round efficient secure computation . 3. One-time programs and pay-per use programs: Goldwasser et al. [29] introduced the notion of one time program and presented a construction using tamper-proof hardware. As noted by Goldwasser et al. [29], clearly a one-time program cannot be solely software