alternative cryptocurrencies

Alternative Cryptocurrencies

Stefan DziembowskiUniversity of Warsaw

Workshop on Bitcoin, Introduction to Cryptocurrencies,Kfar Maccabiah, Ramat Gan, Israel, June 6-7, 2016

Drawbacks of Bitcoin’s PoWs

costs money bad for environment

1. high energy consumption

2. advantage for people with dedicated hardware

Drawbacks of Bitcoin transaction system

1. lack of real anonymity

2. non-Turing complete scripts

OP_DUP OP_HASH160 02192cfd7508be5c2e6ce9f1b6312b7f268476d2 OP_EQUALVERIFY OP_CHECKSIG

Natural questions

Can we have:

1. PoWs where there is no mining in hardware?2. more energy-efficient PoWs?3. PoWs doing something useful?4. PoWs that are impossible to outsource (so there are no

mining pools)?5. a cryptocurrency with real anonymity?6. a cryptocurrency with Turing-complete scripts?

Answer to most of these questions: yes (but still some more research is needed).

Alternative cryptocurrencies

a) Litecoin – a currency where hardware mining is (supposedly) harder

b) Spacemint – a currency based on the Proofs of Spacec) Currencies based on the Proofs of Staked) Currencies doing some useful work (Primecoin,

Permacoin)e) Zerocash – a currency with true anonymityf) Ethereum – a currency with Turing-complete scriptsg) Other uses of the Blockchain technology

Disclaimers: (a) some of them are just academic proposals, (b) this order is not chronologic.

Plan

1. Litecoin – a currency based on the Scrypt hash function

2. Spacemint – a currency based on the Proofs of Space

3. Currencies based on the Proofs of Stake4. Currencies doing some useful work

(Primecoin, Permacoin)5. Ethereum – a currency with Turing-

complete scripts6. Other uses of the Blockchain technology

LitecoinReleased in Oct 2011 by Charles Lee.

Instead of SHA256 Litecoin uses scrypt hash function introduced in:

Colin Percival, Stronger Key Derivation via Sequential Memory-Hard Functions, 2009.

Idea: scrypt is a function whose computation requires a lot of memory, so it’s hard to implement it efficiently in hardware

as of June 2016:

Market cap million USD1 L 5 USD

really?

How scrypt works?

𝐕𝟏=𝐇(𝐗) 𝐕𝟐=𝐇(𝐕𝟐)𝐕𝟎=𝐗 𝐕𝑵 −𝟏=𝐇 (𝐕𝐍−𝟐). . .

second phase: compute the output by accessing the table ”pseudorandomly”Zfor i = 0 to N − 1 do

Zoutput Z

computing scrypt(X)

init phase: fill-in at table of length with pseudorandom expansion of

result (for N = 10):

What is known about scrypt?[Percival, 2009]:• it can be computed in time ,• to compute it one needs time and space such that

this holds even on a parallel machine.Pictorially:

a circuit computing

scrypt

output

input

T

S

An observation[Alwen, Serbinenko, STOC’15]: this definition is not strong enough.The adversary that wants to compute scrypt in parallel can “amortize space”. Example:

S S S

T

𝟑𝐒𝟐

can be computed in parallel as follows:

Note:. So: the bound provided by Percival is meaningless.

circ

uit f

or

scry

pt

circ

uit f

or

scry

pt

circ

uit f

or

scry

pt

The contribution of [Alwen and Serbinenko]

1. the “right” definition:

2. a construction that satisfies this definition (uses advanced graph theory).

a circuit computing

scryptT

S

instead of looking at . . . look at the sum of memory cells used over time

“the area on the picture”

Open problem

Prove security of the scrypt function in the [Alwen, Serbinenko] model.

Plan

1. Litecoin – a currency based on the Scrypt hash function

2. Spacemint – a currency based on the Proofs of Space

3. Currencies based on the Proofs of Stake4. Currencies doing some useful work

(Primecoin, Permacoin)5. Ethereum – a currency with Turing-

complete scripts6. Other uses of the Blockchain technology

Spacemint[Sunoo Park, Krzysztof Pietrzak, Albert Kwon, Joël Alwen, Georg Fuchsbauer, Peter Gaži, Eprint 2015]

Based on the Proofs of Space [D., Faust, Kolmogorov, and Pietrzak, CRYPTO 2015]

Main idea: Replace work by disk space.

Advantages:• no “dedicated hardware”,• less energy wasted (“greener”).

Example of an application other than cryptocurrencies

Goal: prevent malicious users from opening lots of fake accounts.Method: force each account owner to “waste” large part of his local space.Important: the space needs to be allocated as long as the user uses the service.

cloud computing service (e.g. email system)

Main difference from PoWs

To prove that one wasted n CPU cycles one needs to perform these cycles.

while:

To prove that one wasted n bytes one does not need touch all of them.

Advantages

• more energy-efficient

• no “hardware acceleration”

• cheaper (user can devote their unused disk space)

The security definition

How to measure time and space

Time is measured in terms of the calls to a random oracle .

Space is measured in blocks of length (outputs of ).E.g. .

block

𝑳

The general scenario

verify prove

R blocks of length .

. . .

𝐈𝐧𝐢𝐭 (𝐈𝐝)𝐏𝐫𝐨𝐨𝐟𝐏 𝐫𝐨𝐨𝐟 proveverify

prover’s memory

verifer prover

output

𝐈𝐝 ,𝑵 𝐈𝐝 ,𝑵The proof is done with respect to an identifier (e.g. email address).

should be unique for each execution(e.g. can contain a nonce from a verifier)

How to define security of a PoS

Properties:

• completeness,• soundness, and• efficiency.

If the prover is honest then the verifier will always accept the proof.

less trivial to define

How to define the efficiency?

Let us show a very simple (but not efficient) PoS.

Note: we have not defined the security yet, so it’s just an “informal example”.

A “trivial PoS”

𝑹=(𝑹𝟏 ,…,𝑹𝑵)

such that

{𝑹𝒊 }𝒊∈ 𝑱

R

𝐏𝐫𝐨𝐨𝐟

checks if the answeris correct

Note: if is generated pseudorandomly then he need to store only the seed.

Easy to see:to pass the verification the prover needs to store data.

Problem: the initialization phase requires the verifier to do a lot of work

𝐈𝐧𝐢𝐭random

– security parameter

Efficiency

verifier prover

We require that the computing time of the parties is as follows:

Note:this also imposes limit on communication complexity.

Remark:In our protocols is small (e.g.: ).

How to define soundness?

Informally:we want to force a cheating prover to constantly waste a lot of memory.

What would be the goal of a cheating prover?

“Compress” :

verify prove

. . .

Init(Id)proof

proofverify

𝑿

“blocks”

prove

𝑹𝑵

Observation: a cheating prover has a simple (but inefficient) winning strategy.

Init(Id)erase but store all the messages from the verifier:

each timebefore theproof:

erase

X

answer by simulating

expand by simulating

Rproof

XMoral:we need to restrict the power of a cheating prover.

Restrictions on cheating prover

We restrict his operating time.We say that is an

-cheating proverif:

size of ’s storage

time used by during

(we also have a variant of a definition with a restriction on ‘s space during proof).Note: no restrictions on ’s computing power during .

Security definition

A protocol is a -Proof of Space if it is complete, efficient, and sound.

∀-cheating

prover

𝐚𝐜𝐜𝐞𝐩𝐭𝐬P( ) ≤𝐧𝐞𝐠𝐥 (𝐤 )

The constructions

Why is constructing the PoS schemes hard?

Time-memory tradeoffs

R

Xtime

R

𝑵

√𝑵

Instead of storing blocks

the adversary stores blocksand before every phase computes in time .

For example:

Example of a time-memory tradeoff: function inversion – a random permutation

Fact: can be inverted efficiently if one can do precomputation and store the result in memory of size .

1. compute F on every and put every into a table

2. sort the table by the second column

Can we build a PoS out of it?

No

[M. Hellman, 1980]: a time-memory tradeoff exists for this problem: can be inverted in time given pre-processing in space .

Main technique

– a directed acyclic graph with .

– a hash function that depends on .

(for example for some other hash function )

We construct by recursively labelling vertices as follows:

1 23 4

5

𝑹𝟏=𝑯 𝑰𝒅 (𝟏) 𝑹𝟐=𝑯 𝑰𝒅 (𝟐)

𝑹𝟑=𝑯 𝑰𝒅 (𝟑 ,𝑹𝟏 ,𝑹𝟐) 𝑹𝟒=𝑯 𝑰𝒅(𝟒 ,𝑹𝟐)

𝑹𝟓=𝑯 𝑰𝒅 (𝟓 ,𝑹𝟑 ,𝑹𝟒)

Note: every induces a function of a form .

Very informally

A graph that is bad if it can be “quickly” labeled if one stores a “small” number of labels.

Example of a bad graph:

1 2 3 N…√𝑵 √𝑵

The adversary that stores labels in positions can compute every label in steps.

Call a graph good if it is not bad.

How to build a PoS from a good graph?

Problem: the entire needs to be sent to the verifier.

𝑹=(𝑹𝟏 ,…,𝑹𝑵)

such that

{𝑹𝒊 }𝒊∈ 𝑱

𝐈𝐝 ,𝑵 𝐈𝐝 ,𝑵Compute

𝐈𝐧𝐢𝐭

𝐏𝐫𝐨𝐨𝐟

Solution: let the prover commit to with a Merkle tree.

𝑹𝟏 𝑹𝟐 𝑹𝟑 𝑹𝟒

𝑯 (𝑹𝟏 ,𝑹𝟐) 𝑯 (𝑹𝟑 ,𝑹𝟒)

𝑹𝟓 𝑹𝟔 𝑹𝟕 𝑹𝟖

𝑯 (𝑹𝟓 ,𝑹𝟔) 𝑯 (𝑹𝟕 ,𝑹𝟖)

C

Recall: Merkle trees allow to efficiently prove that each block was included into the hash .This is done by sending

𝐌𝐞𝐫𝐤𝐥𝐞 (𝑹𝟏 ,… ,𝑹𝟖)

New phase

𝐌𝐞𝐫𝐤𝐥𝐞 (𝑹)𝐈𝐝 𝐈𝐝

Compute

b ca

𝑹𝒃 𝑹𝒄

𝑹𝒂

checks if

if yes, then we say that is consistent

repeat times

New phase

In the phase the prover opens the Merkle commitment to every he is asked about.

such that

{𝑹𝒊 }𝒊∈ 𝑱

Easy to see

a graph to which a malicious prover committed.

If the consistency check was ok for times, then most likely:

a large fraction of nodes in is consistent.

How to deal with the inconsistent nodes?

graph : inconsistent nodes

The adversary can “save” memory by not storing these blocks.

Observation: such an adversary with memory can be “simulated” by an adversary with memory that commits to a graph with no inconsistent nodes.

Techniques

We construct good graphs such that the time-memory tradeoffs for computing are bad.

For this we use techniques from graph pebbling.

The constructions are based on tools from graph theory:• hard to pebble graphs of Paul, Tarjan, Celoni, 1976, • superconcentrators, random bipartite expander graphs, and • graphs of Erdos, Graham, Szemeredi, 1975.

The details are in the paper.

The results of [DFKP15]

We construct a .

(for some constants and )

We also have a construction that is secure when the prover’s space during the execution is restricted.

Caveat: in the model we need a “simplifying assumption” that the adversary can explicitly state which block he knows.

A question

How to construct a cryptocurrency on top of PoS?

Why cannot the PoS’s be used to directly replace the PoWs?

1. PoW is single-phase, while PoS has the Init phase

2. How to make the reward proportional to invested resources?

3. Where does the challenge come from? (we will talk later about it)

Single-phase vs. “with initialization”

random

proof random

proof

commitment Merkle(f(Id)),Id)

Note: the consistency check can be performed

in the proof phase

Good news: also PoS is “public coin”.

PoW: PoS:

prover verifier prover verifier

The solution

Every user who joins the system “declares” how much space he can devote. This is done as follows:

Gen (secret key sk, public key pk)runs

Take a PoS scheme – the function that fills-in the memory

transaction

Note: no need to run the consistency check

(this is done later)

How to make the reward proportional to invested resources?

Suppose we have 5 miners, with the following proportion of space:

How to determine who has the right to extend the chain in from a given block?

ObservationLet be the memory sizes of the miners.

Suppose

Suppose we have a random challenge .

Observe that the PoS of [DFKP15] is public-coin.

Let every miner execute the PoS with respect to this challenge:

In Bitcoin the challenge was the previous

block.

𝒙

𝒔𝟓𝒔𝟐 𝒔𝟑 𝒔𝟒𝒔𝟏

– a hash function (with very large )

is the winner if is larger than all the other ’s.

𝑷 𝟏 𝑷 𝟐 𝑷𝟑 𝑷 𝟒 𝑷 𝟓

proofs

Easy to see:

For each his probability of winning is equal to

This is because for a given commitment and a the challenge the solution is uniquely determined.

Note: this is not true if one can change .

This is why we require the miners to post

commitments on the blockchain

If it was not the case then a malicious miner could try different ’s.Hence we would be back in the Proof of Work scenario.

But what if the ’s are not equal?

We need a function such that the following condition

yields a winner with probability

Turns out that

is such a function (the details are in the paper).

is the winner if is larger than all the other ’s.

Quality of the blockchainUsing the function we can also define the quality of the block chain.

First, let Define:

in Bitcoin it is its length

𝒔𝟏 𝒔𝟐 𝒔𝟑 𝒔𝟒 𝒔𝟓 𝒔𝟔

the space required to get a better proof than on a random challenge with probability 1/2.

Then let the total quality of blockchain to be equal to the sum of ’s.

uniform

This solution need some small modifications

1. To avoid bad events that happen with small probability we need to limit the maximal that counts

(this limit is imposed with respect to the median of other

2. What if the amount of space in the system increases dramatically?

Then the adversary that “starts computing the blockchain from the beginning” can produce a better quality chain (even if his memory is <1/2 of the total).

Solution: only last 1000 block count (note: it requires checkpoints)

time

spac

e

Where does the challenge come from?

1. Use a NIST beacon or some other trusted source – not a good solution for a “fully distributed” currency.

2. “Ask” some other miner – possible but complicated (what if he is not online?)

3. [Bitcoin solution]: Use some previous block.

not so easy as in Bitcoin...

Problems with using previous block:

By manipulating the transaction list the miner can produce different .

i i+1

transactions from period

i+1

H

This again would lead to Proofs of Work...

this is called “grinding”

Solution

The challenge does not depend on the transactions.Spacemint blockchain syntax:

Block

s𝑖+1signature

transactions

Block

s𝑖signature

transactions

Block

s𝑖+2signature

transactions

signature chain

proof chain

x𝒊+𝟏=𝑯 (s¿¿ 𝒊)¿ x𝒊+𝟐=𝑯 (s¿¿ 𝒊+𝟏)¿

Yet another problem

Suppose there is a fork

blocki+1

blocki+2 block’i+2

blocki+3

If gives a challenge that is “good” for him, then it’s better for him to work on this chain

Note: in Bitcoin working on a shorter chain never made sense.

Solution: look deeper in the past

The challenge for block is a hash of block

Why not to look deeper into the past?

We do not want the miners to know that they can stay long offline (so they could erase their disks)

A more subtle problemIn Proofs of Work mining costs, while in Proofs of Space it is “for free”.So a miner that sees a fork the best (selfish) strategy is to work on both chains.In this case he “wins” in both cases!

blocki

blocki+1

blocki+2 block’i+2

blocki+3 block’i+3

A similar problem shows up in “Proofs of Stake”:“The problem with Proofs of Stake is that there is nothing at stake”

Solution: penalize such behavior

blocki

blocki+1

blocki+2 block’i+2

blocki+3 block’i+3

discovers that these blocks were signed by the same party

posts a transaction with a “proof” of this, and gets a reward(the party that signed 2 blocks looses her reward)

Full description of the protocol

See [PPKAFG 2015].

This paper contains also a game-theoretic model and a security proof.

Open problem

Understand better the bounds in these constructions (currently there are many

hidden constants)

Plan

1. Litecoin – a currency based on the Scrypt hash function

2. Spacemint – a currency based on the Proofs of Space

3. Currencies based on the Proofs of Stake4. Currencies doing some useful work

(Primecoin, Permacoin)5. Ethereum – a currency with Turing-

complete scripts6. Other uses of the Blockchain technology

Proofs of StakeThe “voting power” depends on how much money one has.

Justification: people who have the money are naturally interested in the stability of the currency.Currencies: BlackCoin, Peercoin, NXT,

shares of coins “voting power”

≈

Challenges when constructing Proof-of-Stake currencies

Similar to the Proofs of Space (note: Proofs of Stake is a much earlier concept).

How to determine which miner has the right to extend the chain?

How to prevent mining on many chains? (“There is nothing at stake”)

How to prevent grinding?

Other problems

1. How to distribute initial money?

2. How to force coin owners to mine?

A potential speculative attack on PoStake coins

[Nicolas Houy, It Will Cost You Nothing to 'Kill' a Proof-of-Stake Crypto-Currency, 2014]

I am going to destroy your currency by buying coins and gaining the voting

majority

shall I sell him my coins?if I believe

that he succeeds then I should sell at any non-zero price

if everybody thinks this way then the coin price will quickly go close to zero

I buy the coins now (cheaply)

Plan

1. Litecoin – a currency based on the Scrypt hash function

2. Spacemint – a currency based on the Proofs of Space

3. Currencies based on the Proofs of Stake4. Currencies doing some useful work

(Primecoin, Permacoin)5. Ethereum – a currency with Turing-

complete scripts6. Other uses of the Blockchain technology

Idea

Can we have a currency that does something useful?

Some ideas proposed:• Permacoin [A. Miller, A. Juels, E. Shi, B. Parn, J. Katz,

Permacoin: Repurposing Bitcoin Work for Data Preservation, 2014]

• Primecoin [Sunny King, Primecoin: Cryptocurrency with Prime Number Proof-of-Work, 2013]

Permacoin

Main idea: parametrize PoWs with a large file (“too large to store by individuals”).

To solve a PoW one needs to store some part of .

(the more you store, the higher your probability is).

Why is it useful?

Can be used data that is useful for some purpose.

Difference between Permacoin and Spacemint:• Permacoin is still a Proof of Work (consumes energy)

• The data in Spacemint is random (in Permacoin it is not random)

• Permacoin doesn’t scale (maybe in 20 years everybody will have the library of congress data on his mobile?)

Another nice feature of Permacoin

It’s PoWs are nonoutsourcable:A miner in a mining pool can always steal the PoW solution.

Hence: creating mining pools makes no sense.

See also:[Miller, Kosba, Katz, Shi, Nonoutsourceable Scratch-Off Puzzles to Discourage Bitcoin Mining Coalitions, ACM CCS 2014]

Primecoin

Proof of Work: finding chains of primes.

Chains of primes• Cunningham chain of the first

kind:

(all ’s are prime) Example: 2, 5, 11, 23, 47,... 

• Cunningham chain of the second kind:

(all ’s are prime) Example: 151, 301, 601, 1201,... 

• bi-twin chain: such that• are Cunningham chain of the first kind, • are Cunningham chain of the second kind, and• each is a prime twin pair (i.e. )

Famous Conjecture: for every there exist infinitely many chains like this of length .

Main idea of PrimecoinProof of Work = “find as long chains as possible”

Some challenges:1. Verification of a PoW solution

should be very efficient

Solution: • limit the size of the numbers• allow pseudoprimes

2. Quality measure of the solution should be more fine grained than just the length of the chain.

Solution:accept chains , where all ’s but the last one are prime.The quality of such a solution is equal to , where “measures how close is to a prime”

“in terms of the Fermat test”

a “pseudoprime” is a composite number that passes

Fermat test:“check if ”

Yet another question

How to “link” the solution to the hash of the previous block

Answer:Require to be a multiple of .

For more details see [Sunny King, Primecoin: Cryptocurrency with Prime Number Proof-of-Work, 2013].

Research direction

Any other ideas for “useful Proofs of Work”?

Plan

1. Litecoin – a currency based on the Scrypt hash function

2. Spacemint – a currency based on the Proofs of Space

3. Currencies based on the Proofs of Stake4. Currencies doing some useful work

(Primecoin, Permacoin)5. Ethereum – a currency with Turing-

complete scripts6. Other uses of the Blockchain technology

Ethereum – a “currency designed for contracts”

main feature: Turing-complete scripts

the transaction ledger is maintained using the GHOST protocol of Sompolinsky and Zohar

Developers: Gavin Wood, Jeffrey Wilcke, Vitalik Buterin, et al.

Initial release: 30 July 2015

currency unit: Ether (ETH)

as of 24.05.2016:Market cap 1 billion USD1 E 12 USD

Main uses: decentralized organizations, prediction markets, and many others…

Susceptible to verifier’s dilemma?

Research direction

Understand the impact of verifier’s dillema

Plan

1. Litecoin – a currency based on the Scrypt hash function

2. Spacemint – a currency based on the Proofs of Space

3. Currencies based on the Proofs of Stake4. Currencies doing some useful work

(Primecoin, Permacoin)5. Ethereum – a currency with Turing-

complete scripts6. Other uses of the Blockchain technology

Namecoin (NMC)– a decentralized DNS

Idea: use Bitcoin’s ledger as a DNS.

It maintains a censorship-resistant top level domain .bit.

The same blockchain rules as Bitcoin.

Placing a record costs 0.01 NMC.

Records expire after 36000 blocks ( days) unless renewed.

this money is “destroyed”

Thank you!

©2016 by Stefan Dziembowski. Permission to make digital or hard copies of part or all of this material is currently granted without fee provided that copies are made only for personal or classroom use, are not distributed for profit or commercial advantage, and that new copies bear this notice and the full citation.