A Scalable Proof-of-Stake Blockchain in the Open Seing

Bitcoin and blockchain technologies have proven to be a phenomenal success. Œe un-derlying techniques hold huge promise to change the future of €nancial transactions, andeventually the way people and companies compute, collaborate, and interact. At the sametime, the current Bitcoin-like proof-of-work based blockchain systems are facing many chal-lenges. For example, a huge amount of energy/electricity is needed for maintaining the Bit-coin blockchain.We propose a new approach to constructing energy-ecient blockchain protocols. Moreconcretely, we develop proof-of-stake based, scalable blockchain protocols in the open net-work seŠing. Our contributions are as follows: • We for the €rst time identify a new security property called chain soundness for proof-of-stake based protocols, which captures the intuition of ensuring new players to jointhe protocol execution securely. • We for the €rst time formally investigate greedy strategies for proof-of-stake basedprotocols; via a greedy strategy, the protocol players may extend the best blockchainfaster by aŠempting to extend multiple positions, instead of only the latest block, inthe blockchain. We demonstrate a very useful upper bound of extending blockchain bygreedy players, which enables us to give the €rst natural mimic of Bitcoin blockchainvia proof-of-stake mechanism (without using any form of Byzantine fault tolerance). • Our design is very simple, using only standard hash functions and unique digital sig-natures, which makes our design very appealing in practice. Our blockchain achievesimportant security properties including common pre€x, chain quality, chain growth,and chain soundness, and is adaptively secure without assuming secure erasure. ∗All results in this paper have been submiŠed to Eurocrypt 2018. In this version, the presentation has beenimproved, according to the feedback from the Eurocrypt reviewers, and from multiple researchers. In addition, inthe current version, the related work part has been updated, and some discussions about rational aŠacks includingnothing at stake aŠacks, sel€sh mining aŠacks, are added.