2-hop Blockchain: Combining Proof-of-Work and Proof-of-Stake Securely

Computer Security – ESORICS 2020 (ESORICS 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12309))

Abstract

Bitcoin-like blockchains use a proof-of-work (PoW) mechanism, where security holds if the majority of the computing power is under the control of honest players. However, this assumption has been seriously challenged recently, and Bitcoin-like systems fail if this assumption is violated. In this work we propose a novel 2-hop blockchain protocol that combines PoW and proof-of-stake (PoS) mechanisms. Our analysis shows that the protocol is secure as long as the honest players control a majority of the collective resources (which consist of both computing power and stake). In particular, even if the adversary controls more than 50% of the computing power, security still holds if the honest parties hold sufficiently high stake in the system. As an added contribution, our protocol also remains secure against adaptive adversaries.

T. Duong—Work supported in part by a research gift from IOHK.

J. Katz—Portions of this work were done while at the University of Maryland, and were performed under financial assistance award 70NANB19H126 from U.S. Department of Commerce, National Institute of Standards and Technology.

P. Thai and H.-S. Zhou—Work supported in part by NSF award #1801470, and a research gift from Ergo Platform.

Notes

  1. See https://twitter.com/kyletorpey/status/910622595388715020.

  2. See https://www.buybitcoinworldwide.com/mining/pools.

  3. This also implies that our design could be used as a strategy for converting a PoW-based blockchain into a pure PoS one, via a sequence of hard forks.

References

  1. Back, A.: Hashcash–a denial of service counter-measure (2002). http://hashcash.org/papers/hashcash.pdf

  2. Badertscher, C., Gazi, P., Kiayias, A., Russell, A., Zikas, V.: Ouroboros genesis: composable proof-of-stake blockchains with dynamic availability. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 913–930. ACM Press, October 2018

  3. Bentov, I., Gabizon, A., Mizrahi, A.: Currencies without proof of work. In: Bitcoin Workshop (2016)

  4. Bentov, I., Lee, C., Mizrahi, A., Rosenfeld, M.: Proof of activity: extending bitcoin’s proof of work via proof of stake. ACM SIGMETRICS Perform. Eval. Rev. 42, 34–37 (2014)

  5. Bitcointalk: Proof of stake instead of proof of work (2011). Online post by Quantum Mechanic, https://bitcointalk.org/index.php?topic=27787.0

  6. Canetti, R.: Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000). https://doi.org/10.1007/s001459910006

  7. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067 (2000). http://eprint.iacr.org/2000/067

  8. Chen, J., Gorbunov, S., Micali, S., Vlachos, G.: Algorand agreement: super fast and partition resilient Byzantine agreement (2018). https://eprint.iacr.org/2018/377

  9. Chen, J., Micali, S.: Algorand (2017). http://arxiv.org/abs/1607.01341

  10. Chepurnoy, A., Duong, T., Fan, L., Zhou, H.-S.: Twinscoin: a cryptocurrency via proof-of-work and proof-of-stake. In: Proceedings of the 2nd ACM Workshop on Blockchains, Cryptocurrencies, and Contracts, pp. 1–13. ACM (2018)

  11. CryptoManiac. Proof of stake (2014). NovaCoin wiki. https://github.com/novacoin-project/novacoin/wiki/Proof-of-stake/

  12. Daian, P., Pass, R., Shi, E.: Snow White: robustly reconfigurable consensus and applications to provably secure proof of stake. In: Goldberg, I., Moore, T. (eds.) FC 2019. LNCS, vol. 11598, pp. 23–41. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-32101-7_2

  13. David, B., Gaži, P., Kiayias, A., Russell, A.: Ouroboros Praos: an adaptively-secure, semi-synchronous proof-of-stake blockchain. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 66–98. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_3

  14. Duong, T., Fan, L., Zhou, H.-S.: 2-hop blockchain: combining proof-of-work and proof-of-stake securely (2016). https://eprint.iacr.org/2016/716

  15. Dwork, C., Naor, M.: Pricing via processing or combatting junk mail. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 139–147. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-48071-4_10

  16. Eyal, I.: The miner’s dilemma. In: IEEE Symposium on Security and Privacy, pp. 89–103. IEEE Computer Society Press, May 2015

  17. Eyal, I., Sirer, E.G.: Majority is not enough: bitcoin mining is vulnerable. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 436–454. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45472-5_28

  18. Fan, L., Zhou, H.-S.: A scalable proof-of-stake blockchain in the open setting (or, how to mimic Nakamoto’s design via proof-of-stake), July 2017. https://eprint.iacr.org/2017/656/

  19. Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_10

  20. Gilad, Y., Hemo, R., Micali, S., Vlachos, G., Zeldovich, N.: Algorand: scaling byzantine agreements for cryptocurrencies. In: Proceedings of the 26th Symposium on Operating Systems Principles, pp. 51–68. ACM (2017)

  21. Goodin, D.: Bitcoin security guarantee shattered by anonymous miner with 51% network power (2014). http://arstechnica.com/

  22. Kiayias, A., Panagiotakos, G.: Speed-security tradeoffs in blockchain protocols. Cryptology ePrint Archive, Report 2015/1019 (2015). http://eprint.iacr.org/2015/1019

  23. Kiayias, A., Panagiotakos, G.: On trees, chains and fast transactions in the blockchain. In: Lange, T., Dunkelman, O. (eds.) LATINCRYPT 2017. LNCS, vol. 11368, pp. 327–351. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-25283-0_18

  24. Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_12

  25. King, S., Nadal, S.: PPCoin: peer-to-peer crypto-currency with proof-of-stake (2012). https://peercoin.net/assets/paper/peercoin-paper.pdf

  26. Lysyanskaya, A.: Unique signatures and verifiable random functions from the DH-DDH separation. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 597–612. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_38

  27. Miller, A., Kosba, A.E., Katz, J., Shi, E.: Nonoutsourceable scratch-off puzzles to discourage bitcoin mining coalitions. In: Ray, I., Li, N., Kruegel, C. (eds.) ACM CCS 2015, pp. 680–691. ACM Press, October 2015

  28. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008). https://bitcoin.org/bitcoin.pdf

  29. NXT whitepaper (2014). https://www.dropbox.com/s/cbuwrorf672c0yy/NxtWhitepaper_v122_rev4.pdf

  30. Pass, R., Seeman, L., Shelat, A.: Analysis of the blockchain protocol in asynchronous networks. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 643–673. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_22

  31. Pass, R., Shi, E.: The sleepy model of consensus. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 380–409. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_14

  32. Sapirshtein, A., Sompolinsky, Y., Zohar, A.: Optimal selfish mining strategies in bitcoin. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 515–532. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54970-4_30

  33. Schrijvers, O., Bonneau, J., Boneh, D., Roughgarden, T.: Incentive compatibility of bitcoin mining pool reward functions. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 477–498. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54970-4_28

  34. Sompolinsky, Y., Zohar, A.: Secure high-rate transaction processing in bitcoin. In: Böhme, R., Okamoto, T. (eds.) FC 2015. LNCS, vol. 8975, pp. 507–527. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-47854-7_32

  35. Vasin, P.: Blackcoin’s proof-of-stake protocol v. 2 (2014). http://blackcoin.co/blackcoin-pos-protocol-v2-whitepaper.pdf

Corresponding author

Correspondence to Hong-Sheng Zhou.

A Unique Signature Schemes

Unique signature schemes were introduced in [26]. Such a scheme consists of four algorithms: a randomized key generation algorithm \(\mathsf {KeyGen} \), a deterministic key verification algorithm \(\mathsf {KeyVer} \), a deterministic signing algorithm \(\mathsf {Sign} \), and a deterministic verification algorithm \(\mathsf {Verify} \). We expect that for each verification key there exists only one signing key. We also expect that for each pair of message and verification key there exists only one signature. We have the following definition.

Definition 4

We say \((\mathsf {KeyGen}, \mathsf {KeyVer}, \mathsf {Sign}, \mathsf {Verify})\) is a unique signature scheme, if it satisfies:

  • Correctness of key generation: An honestly generated key pair can always be verified. More formally, it holds that

    $$\Pr \left[ \begin{array}{l} (\textsc {pk},\textsc {sk})\leftarrow \mathsf {KeyGen} (1^\kappa ) \ : \ \mathsf {KeyVer} (\textsc {pk}, \textsc {sk})=1 \end{array} \right] \ge 1-\mathsf {negl} (\kappa )$$
  • Uniqueness of signing key: There do not exist two different valid signing keys for a verification key. More formally, for every \(\textsc {ppt}\) adversary \(\mathcal {A}\), it holds that

    $$\Pr \left[ \begin{array}{l} (\textsc {pk},\textsc {sk} _1, \textsc {sk} _2)\leftarrow \mathcal {A} (1^\kappa ) \\ \ : \ \mathsf {KeyVer} (\textsc {pk},\textsc {sk} _1)=1 \wedge \mathsf {KeyVer} (\textsc {pk},\textsc {sk} _2)=1 \wedge \textsc {sk} _1 \ne \textsc {sk} _2 \end{array} \right] \le \mathsf {negl} (\kappa )$$
  • Correctness of signature generation: For any message x, it holds that

    $$\Pr \left[ \begin{array}{l} (\textsc {pk},\textsc {sk})\leftarrow \mathsf {KeyGen} (1^\kappa ); \sigma := \mathsf {Sign} (\textsc {sk},x)\\ \ : \ \mathsf {Verify} (\textsc {pk},x,\sigma )=1 \end{array} \right] \ge 1-\mathsf {negl} (\kappa )$$
  • Uniqueness of signature generation: For every \(\textsc {ppt}\) adversary \(\mathcal {A}\),

    $$\Pr \left[ \begin{array}{l} (\textsc {pk},x, \sigma _1, \sigma _2)\leftarrow \mathcal {A} (1^\kappa ) \\ \ : \ \mathsf {Verify} (\textsc {pk},x,\sigma _1)=1 \wedge \mathsf {Verify} (\textsc {pk},x,\sigma _2)=1 \wedge \sigma _1 \ne \sigma _2 \end{array} \right] \le \mathsf {negl} (\kappa )$$
  • Unforgeability of signature generation: For every \(\textsc {ppt}\) adversary \(\mathcal {A}\),

    $$\Pr \left[ \begin{array}{l} (\textsc {pk},\textsc {sk})\leftarrow \mathsf {KeyGen} (1^\kappa );(x,\sigma )\leftarrow \mathcal {A} ^{\mathsf {Sign} (\textsc {sk},\cdot )} (1^\kappa ) \\ \ : \ \mathsf {Verify} (\textsc {pk},x,\sigma )=1 \wedge (x,\sigma ) \not \in Q \end{array} \right] \le \mathsf {negl} (\kappa )$$

    where Q is the history of queries that the adversary \(\mathcal {A} \) made to the signing oracle \(\mathsf {Sign} (\textsc {sk},\cdot )\).
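
The four-algorithm interface of Definition 4, instantiated with toy RSA full-domain-hash signatures as an added example (not code from the paper, and not the construction of [26]). The prime list, the fixed exponent `E` and all function names are assumptions, and the parameters are far too small to be secure. For an honestly generated key, the exhaustive searches check both uniqueness properties, and show that a verifier that skips the range check on \(\sigma \) accepts a second signature for the same message.

```python
import hashlib, math, random

PRIMES = [101, 103, 107, 109, 113, 127]  # constructed toy primes, NOT secure
E = 65537                                # fixed public exponent (assumption)

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))

def H(n, x):
    # Full-domain hash of message x into Z_n
    return int.from_bytes(hashlib.sha256(x).digest(), "big") % n

def keygen(rng=random):
    # Randomized KeyGen: pk = n, sk = (p, q) with p < q
    p, q = sorted(rng.sample(PRIMES, 2))
    return p * q, (p, q)

def keyver(pk, sk):
    # Deterministic KeyVer: sk must be the ordered prime factorization of pk
    p, q = sk
    return (p < q and is_prime(p) and is_prime(q) and p * q == pk
            and math.gcd(E, (p - 1) * (q - 1)) == 1)

def sign(sk, x):
    # Deterministic Sign: the E-th root of H(x) modulo n
    p, q = sk
    d = pow(E, -1, (p - 1) * (q - 1))
    return pow(H(p * q, x), d, p * q)

def verify(pk, x, sigma, canonical=True):
    # canonical=False drops the range check, so sigma + n also verifies
    if canonical and not 0 <= sigma < pk:
        return False
    return pow(sigma, E, pk) == H(pk, x)

def valid_signing_keys(pk):
    # Exhaustive search for every sk that KeyVer accepts for pk
    cands = [(p, pk // p) for p in range(2, math.isqrt(pk) + 1)]
    return [sk for sk in cands if keyver(pk, sk)]

def valid_signatures(pk, x, canonical=True, bound=None):
    # Exhaustive search for every sigma below bound that Verify accepts
    bound = pk if bound is None else bound
    return [s for s in range(bound) if verify(pk, x, s, canonical)]

if __name__ == "__main__":
    pk, sk = keygen()
    x = b"constructed sample message"
    print(valid_signing_keys(pk), valid_signatures(pk, x))
    print(valid_signatures(pk, x, canonical=False, bound=2 * pk))
```

Definition 4 lets the adversary choose \(\textsc {pk}\); this sketch checks uniqueness only for keys produced by `keygen`, so it illustrates the properties rather than proving them for the scheme.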

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Duong, T., Fan, L., Katz, J., Thai, P., Zhou, HS. (2020). 2-hop Blockchain: Combining Proof-of-Work and Proof-of-Stake Securely. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds) Computer Security – ESORICS 2020. ESORICS 2020. Lecture Notes in Computer Science, vol 12309. Springer, Cham. https://doi.org/10.1007/978-3-030-59013-0_34

  • DOI: https://doi.org/10.1007/978-3-030-59013-0_34

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-59012-3

  • Online ISBN: 978-3-030-59013-0

  • eBook Packages: Computer Science, Computer Science (R0)
