Skip to main content
SpringerLink
Log in

Stakechain: A Bitcoin-Backed Proof-of-Stake

  • Conference paper
  • First Online:
Financial Cryptography and Data Security. FC 2022 International Workshops (FC 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13412))

Included in the following conference series:

  • 394 Accesses

Abstract

We propose an energy-efficient solution to the double-spending problem using a bitcoin-backed proof-of-stake. Stakers vote on sidechain blocks forming a record that cannot be changed without destroying their collateral. Every user can become a staker by locking Bitcoins in the bitcoin blockchain. One-time signatures guarantee that stakers lose their bitcoin stake for publishing conflicting histories. As long as 34% of the stakers are honest the sidechain provides safety, and with a 67%-majority it provides liveness. Overwriting a finalized block costs at least 34% of the total stake. Checkpoints in Bitcoin’s blockchain mitigate classical attacks against conventional proof-of-stake algorithms. A stakechain’s footprint within the mainchain is minimal. The protocol is a generic consensus mechanism allowing for arbitrary sidechain architectures. Spawning multiple, independent instances scales horizontally to a free market of sidechains which can potentially serve billions of users.

R. Linus—Independent Researcher.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    A staker is incentivized not to wait for too long before broadcasting their block because otherwise the other stakers will skip it. Also they cannot speed up the block time much, as we will see in the next chapter.

  2. 2.

    https://medium.com/blockstream/cat-and-schnorr-tricks-i-faf1b59bd298.

  3. 3.

    https://github.com/bitcoin/bips/blob/master/bip-0118.mediawiki.

  4. 4.

    https://github.com/bitcoin/bips/blob/master/bip-0119.mediawiki.

  5. 5.

    https://github.com/sapio-lang/sapio/blob/master/sapio-contrib/src/contracts/staked_signer.rs.

References

  1. Nakamoto, S., et al.: Bitcoin: a peer-to-peer electronic cash system (2008)

    Google Scholar 

  2. Donald, J.A.: The cryptography mailing list - bitcoin P2P e-cash paper. Bitcoin Stack Exchange

    Google Scholar 

  3. Poon, J., Dryja, T.: The bitcoin lightning network: scalable off-chain instant payments (2016)

    Google Scholar 

  4. Back, A., et al.: Enabling blockchain innovations with pegged sidechains, p. 72 (2014). www.opensciencereview.com/papers/123/enablingblockchain-innovations-with-pegged-sidechains

  5. Poelstra, A., et al.: Distributed consensus from proof of stake is impossible (2014)

    Google Scholar 

  6. Pérez-Solà, C., Delgado-Segura, S., Navarro-Arribas, G., Herrera-Joancomartí, J.: Double-spending prevention for bitcoin zero-confirmation transactions. Int. J. Inf. Secur. 18(4), 451–463 (2019)

    Article  Google Scholar 

  7. Ruffing, T., Kate, A., Schröder, D.: Liar, liar, coins on fire!: penalizing equivocation by loss of bitcoins. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 219–230. ACM (2015)

    Google Scholar 

  8. Möser, M., Eyal, I., Gün Sirer, E.: Bitcoin covenants. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 126–141. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53357-4_9

    Chapter  Google Scholar 

  9. Bonneau, J., Clark, J., Goldfeder, S.: On bitcoin as a public randomness source. IACR Cryptology ePrint Archive 2015:1015 (2015)

    Google Scholar 

  10. Brown-Cohen, J., Narayanan, A., Psomas, A., Matthew Weinberg, S.: Formal barriers to longest-chain proof-of-stake protocols. In: Proceedings of the 2019 ACM Conference on Economics and Computation, pp. 459–473. ACM (2019)

    Google Scholar 

  11. Somsen, R.: 21 million bitcoins to rule all sidechains: the perpetual one-way peg. Medium (2020)

    Google Scholar 

  12. Teutsch, J., Straka, M., Boneh, D.: Retrofitting a two-way peg between blockchains. arXiv preprint arXiv:1908.03999 (2019)

  13. Garoffolo, A., Kaidalov, D., Oliynykov, R.: Zendoo: a zk-SNARK verifiable cross-chain transfer protocol enabling decoupled and decentralized sidechains. CoRR, abs/2002.01847 (2020)

    Google Scholar 

  14. Wuille, P.: Will SegWit allow for m of n multisig with very large n and m? Bitcoin Stack Exchange

    Google Scholar 

  15. Gennaro, R., Goldfeder, S.: Fast multiparty threshold ECDSA with fast trustless setup. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1179–1194. ACM (2018)

    Google Scholar 

  16. Maxwell, G., Poelstra, A., Seurin, Y., Wuille, P.: Simple Schnorr multi-signatures with applications to bitcoin. Des. Codes Crypt. 87(9), 2139–2164 (2019)

    Article  MathSciNet  MATH  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Saarbrücken, Germany

    Robin Linus

Authors
  1. Robin Linus
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Robin Linus .

Editor information

Editors and Affiliations

  1. Georgetown University, Washington, DC, USA

    Shin'ichiro Matsuo

  2. Imperial College London, London, UK

    Lewis Gudgeon

  3. Cornell University, Ithaca, NY, USA

    Ariah Klages-Mundt

  4. Imperial College London, London, UK

    Daniel Perez Hernandez

  5. Imperial College London, London, UK

    Sam Werner

  6. The Australian National University, Canberra, ACT, Australia

    Thomas Haines

  7. Western University, London, ON, Canada

    Aleksander Essex

  8. University of Stirling, Stirling, UK

    Andrea Bracciali

  9. University of Trento, Trento, Trento, Italy

    Massimiliano Sala

A Appendix

A Appendix

1.1 A.1 Staking Contracts in Bitcoin Script

Currently, burning funds is not supported in Bitcoin script. Committing to a certain spending transaction requires a construct called CovenantsFootnote 2. Yet, upcoming Bitcoin features such as SIGHASH_NOINPUTFootnote 3 or OP_CHECKTEMPLATEVERIFYFootnote 4 or OP_CAT allow trustless covenants. For now, we need a workaround to implement the staking contract. In the following we discuss solutions. All of these trust-minimizing workarounds are highly undesirable additional complexity. Fortunately, in the long term, we will certainly have some clean solution for covenants.

1.1.1 A.1.1 Trust-Minimized Workaround 1

A simple solution is to introduce a trusted party, say, Bob:

  • Alice creates a funding transaction with the following output:

    • Alice can spend her money in one year.

    • Alice and Bob can always spend her money collaboratively.

  • Bob pre-signs and publishes a punishment transaction:

    • burn her collateral now to address 0x000...000 (if Alice agrees).

  • Bob immediately deletes his secret key (in case his machine gets compromised).

There is no counter-party risk here for Alice, because she executes her funding transaction only after she received Bob’s signature for the punishment transaction and completed her setup.

For the system to minimize trust in Bob, multiple parties can participate and if only one is honest and deletes their key, then this scheme is secure. Bitcoin script currently supports more than 60 participants per multi-signature transaction [14].

Containing more than 60 signatures, the punishment transaction becomes large and expensive, but as long as the staker is honest, the transaction doesn’t need to be included in Bitcoin’s blockchain. To incentivize Bitcoin miners to execute the punishment transaction quickly in case of misbehavior, it pays a high miners fee.

It is possible to further minimize trust in single parties by using ECDSA signature aggregation to allow for thousands of Bobs participating in a single combined signature [15]. When Schnorr signatures become available in Bitcoin, such aggregated signatures will become more simple because of the linearity of Schnorr’s scheme [16].

The Bobs could be a trusted federation or a percentage of the current stakers. With aggregated signatures they could also be a significant percentage of current coin holders. The trusted parties sign blindly to reduce the risk of censorship. A simple scheme exploits that Bitcoin transactions use double SHA256. Thus, Alice can ask Bob to sign the single-round SHA256 hash of her transaction. The second round is Bob’s hashing function for his signature algorithm. This way Bob doesn’t learn what he signs until Alice publishes her contract.

1.1.2 A.1.2 Trust-Minimized Workaround 2

The bitcoin mailing list member, ZmnSCPxj, came up with the following trust-minimized covenant construction based on replace-by-fee, which requires no softfork.

We can implement the staking contract with a simple

figure a

OP_CHECKSEQUENCEVERIFY ensures, as a side effect, that the spending transaction opts in to replace-by-fee. Thus, if the pubkey <​A>​ is used in a single-sign signature scheme (which reveals the privkey if double-signed), then at the end of the period, anyone who saw the double-signing can claim that fund and thus act as “Bob”. Indeed, many “Bob”s will act and claim this fund, increasing the fee each time to try to get their version onchain. Eventually, some “Bob” will just put the entire fund as fee and put a measly OP_RETURN as single output. This “burns” the funds by donating it to miners.

From the point of view of Alice this is hardly distinguishable from losing the fund right now, since Alice will have a vanishingly low chance of spending it after the collateral period ends, and Alice still cannot touch the funds now anyway. Alice also cannot plausibly bribe a miner, since the miner could always get more funds by replacing the transaction internally with a spend-everything-on-fees OP_RETURN output transaction, and can only persuade the miner not to engage in this behavior by offering more than the collateral is worth (which is always worse than just losing the collateral).

A OP_CHECKTEMPLATEVERIFY would work better for this use-case, but even without it you do not need a trusted party to implement the staking contract.

Drawback of this solution is that cheating stakers are not immediately removed from Bitcoin’s UTXO set. Yet, this might be a decent tradeoff because we have a succinct proof to exclude a cheating staker: knowledge of his private key.

Another drawback is that it requires trust in miners. If Alice cooperates with a significant share of Bitcoin’s hash power, she has proportional chances of mining the transaction herself. Then she would not have any cost of attacking the chain.

1.2 A.2 Staker Signatures

In this chapter we discuss details of the stakers signatures. We explain how to pre-commit to a particular nonce per block efficiently. Finally, we explain a scheme for better hot key security.

1.2.1 A.2.1 Compact Nonce Commitments

Constructed naively, stakers would have to pre-commit to millions of nonces within their funding transaction. A more efficient construction is to let stakers subsequently commit to their next nonce by signing it within their previous signature. This amortizes the inclusion proof size to basically zero. Furthermore, each staker has to store only one nonce at each point in time.

Jeremy Rubin contributed this scheme for constant-sized commitments to sequences of nonces. Furthermore, he implemented a staking contract in SapioFootnote 5.

1.2.2 A.2.2 Hot Key Security

Hardware wallets are usually stateless and therefore they’re incompatible with nonce commitments. Thus, to protect the stakers’ nodes, they can use a staking key to sign sidechain blocks and a separate redeem key to spend the bitcoin deposit once it is unlocked. Until then, the redeem key remains in a cold wallet. Nodes having access only to the staking key are a much less attractive target for attackers.

Rights and permissions

Reprints and permissions

Copyright information

© 2023 International Financial Cryptography Association

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Linus, R. (2023). Stakechain: A Bitcoin-Backed Proof-of-Stake. In: Matsuo, S., et al. Financial Cryptography and Data Security. FC 2022 International Workshops. FC 2022. Lecture Notes in Computer Science, vol 13412. Springer, Cham. https://doi.org/10.1007/978-3-031-32415-4_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-32415-4_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-32414-7

  • Online ISBN: 978-3-031-32415-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation