Improving Privacy of Anonymous Proof-of-Stake Protocols

Abstract

The proof of stake (PoS) mechanism, which allows stakeholders to issue a block with a probability proportional to their wealth instead of computational power, is believed to be an energy-efficient alternative to the proof of work (PoW). The privacy concern of PoS, however, is more subtle than that of PoW. Recent research has shown that current anonymous PoS (APoS) protocols do not suffice to protect the stakeholder’s identity and stake, and the loss of privacy is theoretically inherent for any (deterministic) PoS protocol that provides liveness guarantees. In this paper, we consider the concrete stake privacy of PoS when considering the limitations of attacks in practice. To quantify the concrete stake privacy of PoS, we introduce the notion of \((T, \delta , \epsilon )\)-privacy. Our analysis of \((T, \delta , \epsilon )\)-privacy on Cardano shows to what extent the stake privacy can be broken in practice, which also implies possible parameters setting of rational \((T, \delta , \epsilon )\)-privacy for PoS in the real world. The data analysis of Cardano demonstrates that the \((T, \delta , \epsilon )\)-privacy of current APoS is not satisfactory, mainly due to the deterministic leader election predicate in current PoS constructions. Inspired by the differential privacy technique, we propose an efficient non-deterministic leader election predicate, which can be used as a plugin to APoS protocols to protect stakes against frequency analysis. Based on our leader election predicate, we construct anonymous PoS with noise (APoS-N), which can offer better \((T, \delta , \epsilon )\)-privacy than state-of-the-art works. Furthermore, we propose a method of proving the basic security properties of PoS in the noise setting, which can minimize the impact of the noise on the security threshold. This method can also be applied to the setting of PoS with variable stakes, which is of independent interest.

Appendices

Appendix

A Hoeffding Bound

Theorem 3

(Hoeffding bound). Let \(\{X_{i}\}^{n}_{i=1}\) be independent random variables ranging in [a, b] where \(a<b\), \(X = \sum _{i=1}^{n} X_{i}\) and let \(\mu = \mathbb {E}[x]\), then for any t:

$$Pr[|X-\mu |>t]\le 2e^{\frac{-t^{2}}{n(b-a)^{2}}}.$$

B AVRF

AVRF consists of (AVRF.gen, Update, AVRF.prov, AVRF.vrfy). Suppose that G is a group of prime order q such that \(q = \varTheta (2^{2m})\). Let H(x) denote the hash function.

• AVRF.gen(\(1^{2m}\) ): Choose a generator \(g\in G\), sample a random \(k\in \mathbb {Z}_{q}\) and output(pk, k), where the public key pk = \((g,g^{k})\).

• Update(pk): Let \(v = g^{k}\). Randomly choose \(r\in \mathbb {Z}_{q}\). Let \(g' = g^{r}, v' = v^{r}\). Set \(pk' = (g',v')\). Output \(pk'\).

• AVRF.prov\(_{k}(pk',x)\): Let \(pk' = (g,v)\). Compute \(u = H(x)\), \(\eta =u^{k}\) and \(\pi ^{'}\), which is the ZK proof of statement \(\{ (k):\log _{u}(\eta )= \log _{g}(v) \} \). Set \(\pi = (u,\pi ')\). Output(\(pk',\eta ,\pi \)).

• AVRF.vrfy\(_{k}(x,\eta , \pi )\): Output 1 if \(u = H(x)\) and \(\pi \) verifies, and 0 otherwise.

C Frequency Attack over 12 Epochs

We investigate the transactions of Cardano for two months and focus on 600 pools. The proportion of the subsets with \(R>\delta \) in different epochs is shown in Table 2.

Table 2. Proportion of 600 pools such that \(R>\delta \) over 12 epochs.

D Functionalities

In this section, we recall functionalities \(\mathcal {F}_{crs}\), \(\mathcal {F}_{Init}^{Com}\) and \(\mathcal {F}_{\varDelta }^{ABC}\) defined in [13, 15].