TY - GEN
T1 - Formal barriers to longest-chain Proof-of-Stake protocols?
AU - Brown-Cohen, Jonah
AU - Narayanan, Arvind
AU - Psomas, Alexandros
AU - Matthew Weinberg, S.
PY - 2019/6/17
Y1 - 2019/6/17
N2 - The security of most existing cryptocurrencies is based on a concept called Proof-of-Work, in which users must solve a computationally hard cryptopuzzle to authorize transactions ("one unit of computation, one vote"). This leads to enormous expenditure on hardware and electricity in order to collect the rewards associated with transaction authorization. Proof-of-Stake is an alternative concept that instead selects users to authorize transactions proportional to their wealth ("one coin, one vote"). Some aspects of the two paradigms are the same. For instance, obtaining voting power in Proof-of-Stake has a monetary cost just as in Proof-of-Work: a coin cannot be freely duplicated any more easily than a unit of computation. However some aspects are fundamentally different. In particular, exactly because Proof-of-Stake is wasteless, there is no inherent resource cost to deviating (commonly referred to as the "Nothing-at-Stake" problem). In contrast to prior work, we focus on incentive-driven deviations (any participant will deviate if doing so yields higher revenue) instead of adversarial corruption (an adversary may take over a significant fraction of the network, but the remaining players follow the protocol). The main results of this paper are several formal barriers to designing incentive-compatible proof-of-stake cryptocurrencies (that don't apply to proof-of-work).
AB - The security of most existing cryptocurrencies is based on a concept called Proof-of-Work, in which users must solve a computationally hard cryptopuzzle to authorize transactions ("one unit of computation, one vote"). This leads to enormous expenditure on hardware and electricity in order to collect the rewards associated with transaction authorization. Proof-of-Stake is an alternative concept that instead selects users to authorize transactions proportional to their wealth ("one coin, one vote"). Some aspects of the two paradigms are the same. For instance, obtaining voting power in Proof-of-Stake has a monetary cost just as in Proof-of-Work: a coin cannot be freely duplicated any more easily than a unit of computation. However some aspects are fundamentally different. In particular, exactly because Proof-of-Stake is wasteless, there is no inherent resource cost to deviating (commonly referred to as the "Nothing-at-Stake" problem). In contrast to prior work, we focus on incentive-driven deviations (any participant will deviate if doing so yields higher revenue) instead of adversarial corruption (an adversary may take over a significant fraction of the network, but the remaining players follow the protocol). The main results of this paper are several formal barriers to designing incentive-compatible proof-of-stake cryptocurrencies (that don't apply to proof-of-work).
KW - Cryptocurrencies
KW - Longest chain
KW - Proof of stake
UR - http://www.scopus.com/inward/record.url?scp=85069041487&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85069041487&partnerID=8YFLogxK
U2 - 10.1145/3328526.3329567
DO - 10.1145/3328526.3329567
M3 - Conference contribution
T3 - ACM EC 2019 - Proceedings of the 2019 ACM Conference on Economics and Computation
SP - 459
EP - 473
BT - ACM EC 2019 - Proceedings of the 2019 ACM Conference on Economics and Computation
PB - Association for Computing Machinery, Inc
T2 - 20th ACM Conference on Economics and Computation, EC 2019
Y2 - 24 June 2019 through 28 June 2019
ER -