Snow White: Robustly Reconfigurable Consensus and Applications to Provably Secure Proof of Stake

  • Phil Daian
  • Rafael Pass
  • Elaine ShiEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11598)


We present the a provably secure proof-of-stake protocol called Snow White. The primary application of Snow White is to be used as a “green” consensus alternative for a decentralized cryptocurrency system with open enrollement. We break down the task of designing Snow White into the following core challenges:
  1. 1.

    identify a core “permissioned” consensus protocol suitable for proof-of-stake; specifically the core consensus protocol should offer robustness in an Internet-scale, heterogeneous deployment;

  2. 2.

    propose a robust committee re-election mechanism such that as stake switches hands in the cryptocurrency system, the consensus committee can evolve in a timely manner and always reflect the most recent stake distribution; and

  3. 3.

    relying on the formal security of the underlying consensus protocol, prove the full end-to-end protocol to be secure—more specifically, we show that any consensus protocol satisfying the desired robustness properties can be used to construct proofs-of-stake consensus, as long as money does not switch hands too quickly.


Snow White was publicly released in September 2016. It provides the first formal, end-to-end proof of a proof-of-stake system in a truly decentralized, open-participation network, where nodes can join at any time (not necessarily at the creation of the system). We also give the first formal treatment of a well-known issue called “costless simulation” in our paper, proving both upper- and lower-bounds that characterize exactly what setup assumptions are needed to defend against costless simulation attacks. We refer the reader to our detailed chronological notes on a detailed comparison of Snow White and other prior and concurrent works, as well as how subsequent works (including Ethereum’s proof-of-stake design) have since extended and improved our ideas.



We gratefully acknowledge Siqiu Yao and Yuncong Hu for lending critical help in building the simulator. We thank Lorenzo Alvisi for suggesting the name Snow White. We also thank Rachit Agarwal, Kai-Min Chung, and Ittay Eyal for helpful and supportive discussions.


  1. 1.
    Personal communication with Vitalik Buterin, and public talks on sharding by Vitalik Buterin (2018)Google Scholar
  2. 2.
    Bentov, I., Gabizon, A., Mizrahi, A.: Cryptocurrencies without proof of work. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 142–157. Springer, Heidelberg (2016). Scholar
  3. 3.
    Bentov, I., Lee, C., Mizrahi, A., Rosenfeld, M.: Proof of activity: extending bitcoin’s proof of work via proof of stake. In: Proceedings of the ACM SIGMETRICS 2014 Workshop on Economics of Networked Systems, NetEcon (2014)Google Scholar
  4. 4.
    Bonneau, J., Clark, J., Goldfeder, S.: On bitcoin as a public randomness source. IACR Cryptology ePrint Archive 2015:1015 (2015)Google Scholar
  5. 5.
    Castro, M., Liskov, B.: Practical byzantine fault tolerance. In: OSDI (1999)Google Scholar
  6. 6.
    Chen, J., Micali, S.: Algorand: the efficient and democratic ledger (2016).
  7. 7.
    User “cunicula” and Meni Rosenfeld. Proof of stake brainstorming, August 2011.
  8. 8.
    Daian, P., Pass, R., Shi, E.: Snow white: provably secure proofs of stake. Cryptology ePrint Archive, Report 2016/919, online full version of this paper (2016)Google Scholar
  9. 9.
    David, B., Gaži, P., Kiayias, A., Russell, A.: Ouroboros praos: an adaptively-secure, semi-synchronous proof-of-stake protocol. Cryptology ePrint Archive, Report 2017/573 (2017).
  10. 10.
    Eyal, I., Sirer, E.G.: Majority is not enough: bitcoin mining is vulnerable. In: FC (2014)Google Scholar
  11. 11.
    Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). Scholar
  12. 12.
    Hanke, T., Movahedi, M., Williams, D.: Dfinity technology overview series: Consensus system.
  13. 13.
    Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017). Scholar
  14. 14.
    King, S., Nadal, S.: Ppcoin: peer-to-peer crypto-currency with proof-of-stake (2012).
  15. 15.
    Kwon, J.: Tendermint: consensus without mining (2014).
  16. 16.
    Maxwell, G., Poelstra, A.: Distributed consensus from proof of stake is impossible (2014).
  17. 17.
    Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008)Google Scholar
  18. 18.
    Pass, R., Seeman, L., Shelat, A.: Analysis of the blockchain protocol in asynchronous networks. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 643–673. Springer, Cham (2017). Scholar
  19. 19.
    Pass, R., Shi, E.: Fruitchains: a fair blockchain (2016, manuscript)Google Scholar
  20. 20.
    Pass, R., Shi, E.: Hybrid consensus: efficient consensus in the permissionless model (2016, manuscript)Google Scholar
  21. 21.
    Pass, R., Shi, E.: The sleepy model of consensus (2016).
  22. 22.
    Pass, R., Shi, E.: Rethinking large-scale consensus. In: CSF (2017)Google Scholar
  23. 23.
    Poelstra, A.: Distributed consensus from proof of stake is impossible.
  24. 24.
    User “QuantumMechanic”. Proof of stake instead of proof of work, July 2011.
  25. 25.
    User “tacotime”. Netcoin proof-of-work and proof-of-stake hybrid design (2013).
  26. 26.
    Griffith, V., Buterin, V.: Casper the friendly finality gadget.

Copyright information

© International Financial Cryptography Association 2019

Authors and Affiliations

  1. 1.Cornell/CornellTechNew YorkUSA

Personalised recommendations