Abstract
The proof of stake (PoS) mechanism, which allows stakeholders to issue a block with a probability proportional to their wealth instead of computational power, is believed to be an energy-efficient alternative to the proof of work (PoW). The privacy concern of PoS, however, is more subtle than that of PoW. Recent research has shown that current anonymous PoS (APoS) protocols do not suffice to protect the stakeholder’s identity and stake, and the loss of privacy is theoretically inherent for any (deterministic) PoS protocol that provides liveness guarantees. In this paper, we consider the concrete stake privacy of PoS when considering the limitations of attacks in practice. To quantify the concrete stake privacy of PoS, we introduce the notion of \((T, \delta , \epsilon )\)-privacy. Our analysis of \((T, \delta , \epsilon )\)-privacy on Cardano shows to what extent the stake privacy can be broken in practice, which also implies possible parameter settings of rational \((T, \delta , \epsilon )\)-privacy for PoS in the real world. The data analysis of Cardano demonstrates that the \((T, \delta , \epsilon )\)-privacy of current APoS is not satisfactory, mainly due to the deterministic leader election predicate in current PoS constructions. Inspired by the differential privacy technique, we propose an efficient non-deterministic leader election predicate, which can be used as a plugin to APoS protocols to protect stakes against frequency analysis. Based on our leader election predicate, we construct anonymous PoS with noise (APoS-N), which can offer better \((T, \delta , \epsilon )\)-privacy than state-of-the-art works. Furthermore, we propose a method of proving the basic security properties of PoS in the noise setting, which can minimize the impact of the noise on the security threshold. This method can also be applied to the setting of PoS with variable stakes, which is of independent interest.
Notes
1. In Ouroboros, the probability of P winning an election is defined by \(\varPhi (p)=1-(1-f)^{p}\), which is close to \(p\cdot f\).
References
Nakamoto, S.: Cryptocurrencies without proof of work (2008)
King, S., Nadal, S.: PPCoin: peer-to-peer crypto-currency with proof-of-stake (2012)
Bentov, I., Gabizon, A., Mizrahi, A.: Cryptocurrencies without proof of work. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 142–157. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53357-4_10
Bentov, I., Lee, C., Mizrahi, A., Rosenfeld, M.: Proof of activity: extending bitcoin’s proof of work via proof of stake [extended abstract]. SIGMETRICS Perform. Eval. Rev. 42(3), 34–37 (2014)
Daian, P., Pass, R., Shi, E.: Snow white: robustly reconfigurable consensus and applications to provably secure proof of stake. Cryptology ePrint Archive, Paper 2016/919 (2016). https://eprint.iacr.org/2016/919
Chen, J., Micali, S.: Algorand: a secure and efficient distributed ledger. Theor. Comput. Sci. 777, 155–183 (2019)
Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_12
David, B., Gaži, P., Kiayias, A., Russell, A.: Ouroboros praos: an adaptively-secure, semi-synchronous proof-of-stake blockchain. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 66–98. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_3
Badertscher, C., Gazi, P., Kiayias, A., Russell, A., Zikas, V.: Ouroboros genesis: composable proof-of-stake blockchains with dynamic availability. In: CCS 2018, pp. 913–930. ACM (2018)
Kerber, T., Kiayias, A., Kohlweiss, M., Zikas, V.: Ouroboros crypsinous: privacy-preserving proof-of-stake. In: 2019 IEEE SP, pp. 157–174. IEEE (2019)
Ben-Sasson, E., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE SP, pp. 459–474. IEEE Computer Society (2014)
Noether, S.: Ring signature confidential transactions for monero. Cryptology ePrint Archive, Paper 2015/1098 (2015). https://eprint.iacr.org/2015/1098
Ganesh, C., Orlandi, C., Tschudi, D.: Proof-of-stake protocols for privacy-aware blockchains. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 690–719. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_23
Baldimtsi, F., Madathil, V., Scafuro, A., Zhou, L.: Anonymous lottery in the proof-of-stake setting. In: 33rd IEEE Computer Security Foundations Symposium, pp. 318–333. IEEE (2020)
Kohlweiss, M., Madathil, V., Nayak, K., Scafuro, A.: On the anonymity guarantees of anonymous proof-of-stake protocols. In: 42nd IEEE SP, pp. 1818–1833. IEEE (2021)
Heilman, E., Kendler, A., Zohar, A., Goldberg, S.: Eclipse attacks on bitcoin’s peer-to-peer network. In: 24th USENIX Security Symposium, pp. 129–144. USENIX Association (2015)
Dwork, C.: Differential privacy. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 1–12. Springer, Heidelberg (2006). https://doi.org/10.1007/11787006_1
Dwork, C., McSherry, F., Nissim, K., Smith, A.: Calibrating noise to sensitivity in private data analysis. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 265–284. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_14
Wang, C., Pujo, D., Nayak, K., Machanavajjhala, A.: Private proof-of-stake blockchains using differentially-private stake distortion. Cryptology ePrint Archive, Paper 2023/787 (2023). https://eprint.iacr.org/2023/787
Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_10
Pass, R., Seeman, L., Shelat, A.: Analysis of the blockchain protocol in asynchronous networks. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 643–673. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_22
Brown, L.D., Cai, T.T., DasGupta, A.: Interval estimation for a binomial proportion. Stat. Sci. 16(2), 101–133 (2001)
Cardano pooltool. https://pooltool.io/
Agresti, A.: On small-sample confidence intervals for parameters in discrete distributions. Biometrics 57, 963–971 (2001)
Cardano official website. https://cardano.org/stake-pool-operation/
Acknowledgment
This work was supported by the National Key R&D Program of China (Grant No. 2022YFB2701700, 2018YFA0704702) and Shandong Provincial Natural Science Foundation (Grant No. ZR2020MF053). Quan Yuan is supported by JST CREST Grant Number JPMJCR2113, Japan.
Appendix
A Hoeffding Bound
Theorem 3
(Hoeffding bound). Let \(\{X_{i}\}^{n}_{i=1}\) be independent random variables ranging in [a, b] where \(a<b\), let \(X = \sum _{i=1}^{n} X_{i}\) and let \(\mu = \mathbb {E}[X]\). Then for any t:
B AVRF
AVRF consists of the four algorithms (AVRF.gen, Update, AVRF.prov, AVRF.vrfy). Suppose that G is a group of prime order q such that \(q = \varTheta (2^{2m})\). Let H denote a hash function mapping inputs x into G.
- AVRF.gen(\(1^{2m}\)): Choose a generator \(g\in G\), sample a random \(k\in \mathbb {Z}_{q}\) and output (pk, k), where the public key is pk = \((g,g^{k})\).
- Update(pk): Let \(v = g^{k}\). Randomly choose \(r\in \mathbb {Z}_{q}\). Let \(g' = g^{r}, v' = v^{r}\). Set \(pk' = (g',v')\). Output \(pk'\).
- AVRF.prov\(_{k}(pk',x)\): Let \(pk' = (g,v)\). Compute \(u = H(x)\), \(\eta =u^{k}\) and \(\pi'\), which is the ZK proof of the statement \(\{ (k):\log _{u}(\eta )= \log _{g}(v) \} \). Set \(\pi = (u,\pi ')\). Output \((pk',\eta ,\pi )\).
- AVRF.vrfy\(_{k}(x,\eta , \pi )\): Output 1 if \(u = H(x)\) and \(\pi \) verifies, and 0 otherwise.
C Frequency Attack over 12 Epochs
We investigate the transactions of Cardano for two months and focus on 600 pools. The proportion of the subsets with \(R>\delta \) in different epochs is shown in Table 2.
D Functionalities
In this section, we recall functionalities \(\mathcal {F}_{crs}\), \(\mathcal {F}_{Init}^{Com}\) and \(\mathcal {F}_{\varDelta }^{ABC}\) defined in [13, 15].
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Cite this paper
Wu, S., Song, Z., Wei, P., Tang, P., Yuan, Q. (2023). Improving Privacy of Anonymous Proof-of-Stake Protocols. In: Deng, J., Kolesnikov, V., Schwarzmann, A.A. (eds) Cryptology and Network Security. CANS 2023. Lecture Notes in Computer Science, vol 14342. Springer, Singapore. https://doi.org/10.1007/978-981-99-7563-1_17
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-7562-4
Online ISBN: 978-981-99-7563-1