Proof-of-Stake Protocols for Privacy-Aware Blockchains

Abstract

Proof-of-stake (PoS) protocols are emerging as one of the most promising alternative to the wasteful proof-of-work (PoW) protocols for consensus in Blockchains (or distributed ledgers). However, current PoS protocols inherently disclose both the identity and the wealth of the stakeholders, and thus seem incompatible with privacy-preserving cryptocurrencies (such as ZCash, Monero, etc.). In this paper we initiate the formal study for PoS protocols with privacy properties. Our results include:

1. 1.

   A (theoretical) feasibility result showing that it is possible to construct a general class of private PoS (PPoS) protocols; and to add privacy to a wide class of PoS protocols,

2. 2.

   A privacy-preserving version of a popular PoS protocol, Ouroboros Praos.

Towards our result, we define the notion of anonymous verifiable random function, which we believe is of independent interest.

This work was supported by the Danish Independent Research Council under Grant-ID DFF-6108-00169 (FoCC), the European Research Council (ERC) under the European Unions’s Horizon 2020 research and innovation program under grant agreement No 669255 (MPCPRO) and No 803096 (SPEC), and the Concordium Blockchain Research Center, Aarhus University, Denmark.

Appendices

Appendix

A Private Proof of Stake Lottery

Theorem 1.  The protocol \(\textsf {Lottery Protocol} ^{\mathcal {E},\mathsf {LE}}\) realizes the functionality in the -hybrid world in the presence of a PPT adversary.

Proof

Let \(\mathcal {S}_{\mathsf {zk}} = ( \mathcal {S}_{1}, \mathcal {S}_{2})\) be the simulator of the zero-knowledge proof system used in \(\textsf {Lottery-} \textsf {Protocol} ^{\mathcal {E},\mathsf {LE}}\). We construct a simulator \(\mathcal {S}_{\textsf {lottery}} \) and argue that the views of the adversary in the simulated execution and real protocol execution are computationally close. Consider the simulator \(\mathcal {S}_{\textsf {lottery}} \).

Let \(\textsc {HYB} _0\) be the (distribution) of the protocol execution (in the hybrid world where the auxiliary functionalities are available). We consider the world \(\textsc {HYB} _1\) which is the same as the protocol execution except for the following: calls to are answered as is done by the simulator \(\mathcal {S}_{\textsf {lottery}} \) consistent with the outcome returned by . It follows that distributions of \(\textsc {HYB} _0\) and \(\textsc {HYB} _1\) are indistinguishable. We now argue that the world \(\textsc {HYB} _1\) is computationally indistinguishable from the ideal world simulation.

Simulation of The only difference between \(\textsc {HYB} _1\) and the simulation is that the list \(\mathcal {L}\) consists of commitments to honest stakes in the protocol, whereas the commitments are to 0 in the interaction with the simulator. By the hiding property of the commitment scheme \(\mathsf {Com} \), the two distributions are identical.

Simulation of The CRS in \(\textsc {HYB} _1\) is distributed the same as in the simulation.

Simulation of The key-generation and evaluation queries by the adversary are distributed the same. The same holds for verification queries where the adversary verifies a commitment which was created by an evaluation query by the adversary. In \(\textsc {HYB} _1\), any other commitment message pair will be verified as true only if the commitment was part of an honest tuple \((\mathsf {e},m,c,\pi _{\mathsf {zk}})\) which was sent to the adversary via . Similarly, in the simulation any other commitment message pair will only be evaluated as true if the commitment was part of a simulated honest tuple.

Simulation of . If the adversary sends a tuple \((\mathsf {e},m,c,\pi _{\mathsf {zk}})\) in \(\textsc {HYB} _1\), parties will accept it only if it is valid with respect to the information of , and . In the ideal world, the simulator does the same checks with respect to the simulated functionalities. The simulator will then submit \((\mathsf {e},m)\) to which will send it to honest parties. The soundness of the zero-knowledge proof system and the binding property of the commitment scheme guarantee that the adversary can only submit tuples \((\mathsf {e},m,c,\pi _{\mathsf {zk}})\) where the dishonest stakeholder won the lottery for \(\mathsf {e} \). Thus the distribution of \(\textsc {HYB} _1\) and the ideal world is indistinguishable.

If in \(\textsc {HYB} _1\) an honest stakeholder wins the lottery for entry \(\mathsf {e} \) and publishes a message m via , the adversary will receive a tuple of the form \((\mathsf {e},m,c,\pi _{\mathsf {zk}})\). In the ideal world, the simulator gets \((\mathsf {e},m)\) and creates a simulated tuple. By the zero-knowledge property of the proof system the distribution of \(\textsc {HYB} _1\) and the ideal-world is indistinguishable.    \(\square \)

B Extended Preliminaries

1.1 B.1 Non-interactive Zero-Knowledge

Definition 3

(Non-interactive Zero-knowledge Argument). A non-interactive zero-knowledge argument for an NP relation R consists of a triple of polynomial time algorithms \((\mathsf {Setup},\mathsf {Prove},\mathsf {Verify})\) defined as follows.

• \(\mathsf {Setup}(1^\kappa )\) takes a security parameter \(\kappa \) and outputs a common reference string \(\sigma \).

• \(\mathsf {Prove}(\sigma , x, w)\) takes as input the CRS \(\sigma \), a statement x, and a witness w, and outputs an argument \(\pi \).

• \(\mathsf {Verify}(\sigma , x, \pi )\) takes as input the CRS \(\sigma \), a statement x, and a proof \(\pi \), and outputs either 1 accepting the argument or 0 rejecting it.

The algorithms above should satisfy the following properties.

1. 1.

   Completeness. For all \(\kappa \in \mathbb {N} \), \((x, w) \in R\),

   
2. 2.

   Computational soundness. For all PPT adversaries \(\mathcal {A}\), the following probability is negligible in \(\kappa \):

   
3. 3.

   Zero-knowledge. There exists a PPT simulator \((\mathcal {S}_1, \mathcal {S}_2)\) such that \(\mathcal {S}_1\) outputs a simulated CRS \({\varSigma }\) and trapdoor \(\tau \); \(\mathcal {S}_2\) takes as input \(\sigma \), a statement s and \(\tau \), and outputs a simulated proof \(\pi \); and, for all PPT adversaries \((\mathcal {A}_1,\mathcal {A}_2)\), the following probability is negligible in \(\kappa \):

   $$\begin{aligned}&\left| \Pr \left( \begin{matrix} (x, w) \in R \, \wedge \\ \mathcal {A}_2 (\pi ,\mathsf {st}) = 1 \end{matrix} \,:\ \begin{matrix} \sigma \leftarrow \mathsf {Setup}(1^\kappa )\\ (x, w, \mathsf {st}) \leftarrow \mathcal {A}_1 (1^{\kappa },\sigma ) \\ \pi \leftarrow \mathsf {Prove}(\sigma , x, w) \end{matrix} \right) \right. - \\&\qquad \qquad \qquad \qquad \quad \quad \left. \Pr \left( \begin{matrix} (x, w) \in R \, \wedge \\ \mathcal {A}_2 (\pi ,\mathsf {st}) = 1 \end{matrix} \,:\ \begin{matrix} (\sigma , \tau ) \leftarrow \mathcal {S}_1(1^\kappa ) \\ (x, w,\mathsf {st}) \leftarrow \mathcal {A}_1 (1^{\kappa },\sigma ) \\ \pi \leftarrow \mathcal {S}_2(\sigma , \tau , x) \end{matrix} \right) \right| . \end{aligned}$$