Minting Mechanism for Proof of Stake Blockchains
Abstract
As an alternative to the computational waste generated by proof-of-work (PoW) blockchains, proof-of-stake (PoS) systems have gained a lot of popularity and have been adopted by many existing cryptocurrencies. Unfortunately, as we show, PoS-based currencies in which newly minted coins are assigned to the slot leader inevitably incentivise coin hoarding, as players maximise their utility by holding their stake and not trading. As a result, existing PoS-based cryptocurrencies do not mimic the properties of fiat currencies, but are rather regarded as investment vehicles.
In this work we initiate the study of minting mechanisms in cryptocurrencies as a primitive in its own right, and as a first step towards mitigating coin hoarding in PoS currencies we propose a novel minting mechanism based on waiting-time first-price auctions. Our main technical tool is a protocol to run an auction over any blockchain. Moreover, our protocol is the first to securely implement an auction without requiring a semi-trusted party, i.e., every miner in the network is a potential bidder. Our approach is generically applicable and we show that it is incentive-compatible with the underlying blockchain, i.e., the best strategy for a player is to behave honestly. Our proof-of-concept implementation shows that our system is efficient and scales to tens of thousands of bidders.
1 Introduction
Proof-of-Work-based consensus systems, such as Bitcoin, rely on users solving a hard computational puzzle to achieve decentralised consensus on the state of the system. Since no efficient algorithm is known for solving such a puzzle, users have to rely on their computational power for an exhaustive search of the solution. This process is often referred to as “mining”. Miners work to maintain the system by validating transactions, and a reward is assigned to the miner who solves the puzzle first. Apart from the reward, the miner also collects fees from the transactions he validated. This incentive mechanism has led to a hardware race [1], which has resulted in enormous energy demands and environmental problems. To mitigate the problems mentioned above, the community investigated alternative consensus mechanisms based on more energy-efficient resources. One such consensus mechanism is Proof of Stake (PoS) [8, 18], which relies on the rationality of a stakeholder in the system to behave honestly due to the risk of devaluing the currency. In PoS, the consensus leader is chosen solely based on a function of her stake^{1} in the system.
From Cryptoassets Towards Cryptocurrencies. Deflation is the overall increase in the value of a currency over time. In an economic system, this can be caused by several different factors, such as excess production, low demand for services and goods, and a decrease in the total money supply [16]. Due to the unregulated and global nature of cryptocurrencies^{2}, the latter aspect is the most concerning: users losing their private keys or coins getting locked forever in a badly coded smart contract [32] can cause deflation in the cryptocurrency if there is no mechanism in place to mint new coins into the system. Although it may look like a beneficial side effect (one’s money becoming more valuable), deflation can be very harmful to a currency. Namely, it introduces the phenomenon of money hoarding: [16] “why spend 1 coin today if tomorrow the same 1 coin can purchase more?”.
Moreover, the relation between money supply and hoarding of money is a well-studied topic in economic theory. Tsiang [33] advocates moderate inflation as a countermeasure to the stagnation of money. Several other works in the literature [17, 31] extensively study steady inflation (in the form of an increase in money supply) as a deterrent to money hoarding and as an incentive for trading. Predictably, a capped supply of coins (as in Bitcoin) and incentivising stake hoarding (as in PoS) have the opposite effect, which may hinder the long-term viability of cryptocurrencies as an alternative to fiat currencies. Therefore, it seems that some form of inflation is necessary for a currency to prosper.
State of the Art Minting Mechanisms. While consensus seems to be a better understood problem [12, 13, 18, 27], given the current state of affairs there is no unified solution for the introduction of new coins in a cryptocurrency. Current folklore approaches are either energy expensive (such as PoW-based systems) or incentivise hoarding of stakes (such as PoS-based approaches). Surprisingly, this problem has hardly received any attention and, to the best of our knowledge, there is no rigorous treatment of minting mechanisms in cryptocurrencies.
Most of the current systems have integrated the distribution of new coins with the consensus mechanism: the miner who proposes the new block is also rewarded with the newly minted coins. However, the brute-force approach (of PoW especially) to obtain the reward has resulted in a hardware race among the miners [1] and a subsequent increase in the difficulty of mining. PoS-based systems either have a fixed cap, or assign the new coins to the consensus leader. As discussed above, this invariably incentivises coin hoarding by the stakeholders and promotes the deflation of the currency.
Decoupling Minting from Consensus. In this work we initiate the study of minting mechanisms as a primitive in its own right and we propose a new protocol based on waiting-time auctions. Any user in the system only needs a small amount of coins to compete for the newly minted coins. As a result, the system mitigates coin hoarding and incentivises participation of regular users, as they can compete with large investors. In a nutshell, our system rewards the user who is willing to “wait the longest”, after the user has waited for that amount of time. Under the assumption that users cannot stack the time at their disposal, pooling resources does not increase the chances of receiving new coins (thus preventing Sybil attacks). On a conceptual level, we suggest a hybrid approach for cryptocurrencies, where the minting mechanism is decoupled from the consensus. The consensus is only incentivised by the collection of transaction fees, while the minting of new coins in the system is carried out by the minting mechanism, with its own set of rules.
Badertscher et al. [2] recently showed that Bitcoin is still incentive-compatible in a setting where rational miners only collect transaction fees for the mined blocks. To the best of our knowledge, there is no similar analysis for existing PoS blockchains, such as Ouroboros [18] and Ouroboros Praos [8], but since the analysis of [2] is consensus-agnostic, it carries over to PoS blockchains under the same conditions.
1.1 Our Contributions
1. We initiate the rigorous treatment of minting mechanisms in cryptocurrencies and we analyse the pitfalls of folklore solutions. We introduce the concept of utility-preserving stake allocation (Sect. 3), in the same spirit as Pareto efficiency. Informally, this property states that in a utility-preserving system, stakeholders can trade their stake without affecting their chances of obtaining newly minted coins. Using this property we show that coin hoarding is in fact incentivised in a PoS-based minting mechanism where new coins are assigned to the consensus leader.
2. We propose a new minting mechanism based on waiting-time auctions and we show that it is incentive-compatible with the underlying blockchain (Sect. 4.1), i.e., honestly following the protocol is the Nash equilibrium strategy for rational miners on the blockchain system. We also formally show that our mechanism is quasi utility-preserving in its stake allocation, and therefore mitigates the problem of coin hoarding. Informally, this is because a stakeholder needs only a token to participate in a minting round, while the rest of the coins are free to be traded with users who also possess a token.
3. On a technical level, we present a cryptographic construction (Fig. 4) for realising a first-price waiting-time auction on top of a blockchain. Our protocol does not require any interaction beyond what is required by the underlying blockchain, and does not rely on any semi-trusted party. Our solution is the first where every miner in the network is a potential bidder. This is in strong contrast with previous proposals, which assume the existence of a semi-trusted auctioneer to collect bids and announce the winner.
4. We demonstrate the scalability of our approach with a proof-of-concept implementation (Sect. 5) of our construction and a thorough performance analysis. The system can be scaled to support thousands of bidders per block with a reasonable block size (8 MB) while leaving more than two-thirds of the block free for standard transactions.
1.2 Technical Overview
1. At periodic intervals users engage in a first-price auction where the items being auctioned are R newly minted coins. The bidding phase of the auction spans \(\alpha \) blocks, during which every user willing to participate posts a bid transaction with a concealed bid. The bid here is the amount of physical time units the user is willing to wait in order to obtain the minted coins. To be eligible to participate, a user is required to “lock” some fixed amount Q of his coins (called token of participation or participation token) for the entire duration of the auction (until a winner is announced).
2. Once the bidding phase is over, the protocol allocates \(\beta \) blocks for users to broadcast the unveil information of their bids. We call these \(\beta \) blocks the opening phase.
3. After the opening phase, miners can open all the posted bids (using the corresponding unveil information) and determine the winner of the auction. A mint transaction is then generated assigning R newly minted coins to the winner of the auction, which can be redeemed only after the time corresponding to her bid has elapsed. All users can unlock their token of participation Q after the auction round is over, except the winner, who only gets back Q together with the newly minted coins.
To deal with these apparently conflicting requirements, we propose a cryptographic solution where each round of the auction can be completed even if players go offline after the bidding phase. Our protocol requires players to embed the unveil information \(r\) in a time-lock puzzle \( tlp \) during the bidding phase. Time-lock puzzles ensure that their payload is hidden for a stipulated amount of time but can be opened once this amount of time has elapsed. This means that bids remain concealed until the end of the bidding phase but can be efficiently recovered in case a player does not publish the unveil of the corresponding commitment (i.e., the player goes offline). This effectively eliminates the need for a trusted party in the execution of the auction over the blockchain. We stress, however, that time-lock puzzles are only used as a deterrent against malicious bidders who refuse to open their bids. In a rational run of the protocol the time-lock puzzles never need to be solved, and therefore no puzzle-solving computational overhead is added, as the bidders reveal their bids during the opening phase. Moreover, their functionality appears to be necessary: if we were to ignore the bids of bidders who go offline before publishing a reveal, then it would be unclear whether the bidder indeed went offline or a malicious block maker chose to suppress the bid. Therefore it is imperative for all bids to be revealed and considered in the auction round. This is exactly the functionality provided by time-lock puzzles: if a malicious user does not open his bid (trying to perform a denial-of-service attack on the protocol), his initial bid can still be recovered by solving the time-lock puzzle. We also note that rational players are never incentivised to leave their bid unopened, but even in the case where players act irrationally the protocol can still recover by performing some extra work to solve the \( tlp \) and finish the current auction round.
Formal Analysis. Our protocol can be formally modelled as a first-price sequential waiting-time auction with sealed bids, and we leverage state-of-the-art results on sequential auctions [21] to show that our rewarding mechanism has a Nash equilibrium on the amount of time units that a user should bid in each round of the auction. Then we analyse the utility-preserving stake allocation of our system and we show that our minting mechanism mitigates stake hoarding. In particular, we show that our minting mechanism is quasi utility-preserving up to the value of the participation token Q (i.e., any coin trade where the sender and the receiver have a balance of at least Q coins, before and after the transaction, does not decrease the utility of any user). In contrast, in all folklore PoS minting solutions stake allocations are not utility-preserving, which does not promote coin circulation and inevitably leads to stake hoarding. Finally, we prove that our mechanism is incentive-compatible with the underlying blockchain, i.e., honestly following the protocol is the Nash equilibrium strategy for rational miners.
Implementation. As a proof-of-concept of our system we build an entire blockchain system coupled with our minting mechanism (Sect. 5). Considering a bidding phase of 10 blocks and blocks of size 8 MB, we can fit more than 10K bids in a single auction round and still leave around \(70\%\) of the block’s capacity free for standard transactions. To produce a proof for a mint transaction including 750 bids, the system takes less than 3 min, and the verification is almost instant, as we show in Sect. 5.1.
1.3 Related Work
Nakamoto [25] proposed Bitcoin, the first currency system with a consensus protocol based on Proof of Work (PoW). The underlying protocol of Bitcoin was dubbed the Blockchain protocol, and a formal analysis of its security definitions and properties can be found in the works of Garay et al. [13] and Pass et al. [27]. Bitcoin Cash, Litecoin (variants of Bitcoin), Zcash and Monero are some of the popular currencies based on PoW. One among several other alternatives proposed is Proof-of-Stake (PoS)-based consensus, where a consensus leader proves that she holds a stake in the system. The proposal was formally analysed under the assumption of a synchronous network [18], and in the recent work of Badertscher et al. [3], which concerns the composability of PoS blockchains. There are several currency systems that are based on different versions of PoS, namely Cardano (based on Ouroboros), Reddcoin, and Peercoin, among possibly many others. Proofs of Space [10] is another proposal for achieving consensus, in which a prover convinces a verifier that she has sufficient disk space.
In all of the above-mentioned consensus mechanisms, the consensus leader in the blockchain is also the one who receives the incentive in the form of newly minted coins (when such an incentive exists). Selfish mining attacks (where a miner mines a block selfishly and later hopes to make his chain longer and accepted) in the case of Nakamoto’s blockchain protocol were discovered and analysed by Eyal and Sirer [11, 26]. Fruitchain [28] ensures that no coalition with less than the majority of the computational power can gain more by deviating from the protocol. Concurrently, Carlsten et al. [7] showed the possible instability in the future of Bitcoin as a result of incentives through transaction fees only.
Running auctions on blockchains has been gaining more attention given their public verifiability. There are several existing proposals for running different variants of auctions. Kosba et al.’s HAWK [19] employs smart contracts to run auctions on top of a blockchain. It requires a Manager who is entrusted to run the auction contract. The manager is aware of the bidders’ inputs and is trusted not to disclose that information. Strain [5] aims to decrease the amount of interaction, while relying on a semi-honest judge who does not collude with any bidders and produces a proof of the winner.
2 Preliminaries
2.1 Rational Security
Here we give a brief overview of the notion of rational players, following the definitions of [15]. Every player is characterised by some payoff (or utility) function u. In any protocol (game), utility represents the motivations of players. A utility function for a given player assigns a number for every possible outcome of the protocol with the property that a higher number implies that the outcome is more preferred. A rational player wishes to maximise her utility.
Every player is also equipped with a strategy function. A strategy function takes as input the view of the player so far and outputs its next action. Rational players will choose from the strategies available to them the one that results in the most preferred outcome. Note that the strategies and the protocol can have potential randomness, which induces a certain distribution over the outcomes of the protocol. We define the utility of a distribution as the expected value of the utility of an outcome drawn from that distribution.
Let Z be a family of subsets of the set of players for a game G. We say that a set of strategies \(\mathbf {s}\) constitutes a Z-coalition-safe \(\epsilon \)-Nash equilibrium if no coalition of players belonging to Z can gain more than \(\epsilon \) in payoff by deviating from \(\mathbf {s}\) when playing G.
A mediated game is one in which a trusted party, the mediator, takes inputs from players, computes a function and provides outputs to the players. Following [15], we say that a protocol \(\varPi \) implements a mediator \(\mathcal {F}\) if it holds for any admissible environment/outer game \(\mathcal {Z}\) that if it is an equilibrium strategy to truthfully provide inputs to \(\mathcal {F}\) in game \(\mathcal {Z}\), then it is an \(\epsilon \)-equilibrium strategy to honestly execute protocol \(\varPi \) in \(\mathcal {Z}\), where \(\epsilon \) is negligible.
2.2 A Primer on Auction Theory
An auction is a mechanism which runs with some predetermined rules to sell some item of value. It involves the participation of several parties whose roles are well defined. In the simplest setting, there is a seller who puts an item on sale and several interested buyers who compete with each other by placing bids, i.e., the price they are willing to pay for the item. The highest bidder is announced as the winner, is required to pay a certain amount of money, and is awarded the item. Here we give a brief overview of some of the basic concepts of auction theory.
Valuation. Players’ valuations define the economic value of an object that is on sale during an auction. It may be the same across the participants in the auction or can be personalised depending on the “value” of the object to each one of them. The valuation is denoted by a function \(v(\cdot )\) that takes the object and other observable information that might be specific and personalised to each participant as input and returns the value as a real number \(v^* \in \mathbb {R}^+\) (up to some fixed precision). For simplicity, we will refer to the valuation of player i as \(v_i\).
Cost. The cost defines the economic price that a participant in the auction pays depending on the outcome of the auction. It is denoted by a function c(b) that takes as input a bid b and returns the cost as a real number \(c^* \in \mathbb {R}^+\). We assume that the cost function is monotonically increasing in b.
Auction Model. An auction model describes the set of participants (bidders and sellers), the set of items up for sale and the rules regarding these items, and finally the value of each item for each bidder. The value of an item for each bidder is determined by the bidder’s capabilities, preferences, information, and beliefs, collectively called the type of each bidder. The model accounts for a mechanism and an environment. A mechanism consists of rules that govern what the participants are permitted to do and how these permitted actions determine outcomes. In this context, an environment comprises the following: a list of the participants or potential participants, another of the possible outcomes, and another of the bidders’ possible types.
We consider a set of potential bidders \(B_I\) where \(I = \{1, 2,\ldots , n\}\). We assume that the types of each bidder are independently and identically distributed (i.i.d.), meaning that the types of each bidder are independent from one another while being from the same distribution. Finally, the utility of bidder \(B_i\) is characterised by a function \(u_i\) that depends on the bidder’s type and on the outcome of the auction.
2.3 Waiting-Time Auction
We first consider the mediated setting where an auction is conducted by a trusted auctioneer \(\mathbb {A}\) and a set of n bidders \((B_1, \dots , B_n)\). The auctioneer \(\mathbb {A}\) is entrusted with collecting bids from the bidders and awarding the reward to the winner. Moreover, after the bidding phase is over the auctioneer \(\mathbb {A}\) reveals the bids of all bidders.
We assume the time to be divided into discrete units which are known to all participants of the auction and to the auctioneer. The auction has several fixed parameters which we assume to be known to every participant: the auction good R of some economic value, a fixed token of participation Q in some arbitrary currency, the duration of each auction phase and the number of auction rounds.
The auction is composed of three phases, which we describe below.
1. Bidding Phase: In the bidding phase each bidder \(B_i\) sends its bid \(b_i\) along with the token of participation Q to the auctioneer \(\mathbb {A}\) through a confidential channel. After a fixed amount of time, \(\mathbb {A}\) announces the end of the bidding phase.
2. Opening Phase: Let \((b_1, \ldots , b_n)\) be the bids collected in the bidding phase of the same round and let \(b_\mathsf {max} = \max (b_1, \ldots , b_n)\). In case of ties, \(b_\mathsf {max}\) is chosen according to some deterministic order.^{3} We denote by \(B_\mathsf {max}\) the bidder who sent the bid \(b_\mathsf {max}\). For all \(i \in \{1, \ldots, n\} \setminus \{\mathsf {max}\}\), the auctioneer \(\mathbb {A}\) sends Q to \(B_i\), whereas \(\mathbb {A}\) sends (Q, R) to \(B_\mathsf {max}\) after \(b_\mathsf {max}\)-many units of time.
3. Winner Announcement: \(\mathbb {A}\) publicly announces the identity of the winner \(B_\mathsf {max}\), the amount \(b_\mathsf {max}\) and all other bids.
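The following is an added example (not the paper's implementation) that simulates one round of the three phases above as they would run on the ledger described in Sect. 1.2: bids are sealed with a tagged SHA-256 commitment \(\mathsf{Commit}(\mathtt{crs},\mathtt{addr},b;r)\), the token Q is locked and refunded, the winner's mint entry becomes redeemable only after \(b_\mathsf{max}\) time units, and ties are broken by a deterministic order on the commitments. Names, phase lengths and the balances are constructed; a bid that is never opened is returned as unresolved, standing in for the time-lock-puzzle recovery of the unveil information.

```python
"""Simulated round of the waiting-time first-price auction (added example, not
the paper's code). Commit(crs, addr, b; r) = SHA-256(crs || addr || b || r)."""
import hashlib
import os
from dataclasses import dataclass, field
from typing import Optional

CRS = b"constructed-crs"    # common reference string (constructed sample value)
Q = 10                      # participation token: coins locked per bidder
R = 50                      # reward: newly minted coins per round
ALPHA, BETA = 3, 2          # bidding / opening phase lengths in blocks


def commit(addr: str, bid: int, r: bytes) -> bytes:
    """Tagged commitment: the address is hashed in, so a commitment posted for
    one address cannot be re-used (mauled) under another address."""
    return hashlib.sha256(CRS + addr.encode() + bid.to_bytes(8, "big") + r).digest()


@dataclass
class Bid:
    addr: str
    com: bytes
    block: int
    opening: Optional[tuple] = None     # (bid, r) once revealed


@dataclass
class AuctionRound:
    start: int                                   # height at which bidding starts
    balances: dict                               # addr -> spendable coins
    bids: dict = field(default_factory=dict)     # addr -> Bid
    locked: dict = field(default_factory=dict)   # addr -> Q while the round runs

    def post_bid(self, addr: str, bid: int, r: bytes, height: int) -> None:
        if not self.start <= height < self.start + ALPHA:
            raise ValueError("outside bidding phase")
        if self.balances[addr] < Q:
            raise ValueError("cannot afford participation token")
        self.balances[addr] -= Q
        self.locked[addr] = Q
        self.bids[addr] = Bid(addr, commit(addr, bid, r), height)

    def open_bid(self, addr: str, bid: int, r: bytes, height: int) -> None:
        lo = self.start + ALPHA
        if not lo <= height < lo + BETA:
            raise ValueError("outside opening phase")
        self._accept_opening(addr, bid, r)

    def resolve_from_puzzle(self, addr: str, bid: int, r: bytes) -> None:
        """Unveil recovered by solving the bidder's time-lock puzzle (Sect. 1.2);
        no phase check, since recovery happens after the opening phase."""
        self._accept_opening(addr, bid, r)

    def _accept_opening(self, addr: str, bid: int, r: bytes) -> None:
        if commit(addr, bid, r) != self.bids[addr].com:
            raise ValueError("opening does not match commitment")
        self.bids[addr].opening = (bid, r)

    def settle(self, height: int):
        """Return (mint_tx, unresolved). mint_tx is None while any bid is still
        sealed: the round cannot finish until every bid is opened or recovered."""
        if height < self.start + ALPHA + BETA:
            raise ValueError("opening phase not over")
        unresolved = [a for a, b in self.bids.items() if b.opening is None]
        if unresolved:
            return None, unresolved
        # highest waiting time wins; ties go to the lexicographically smaller
        # commitment (a deterministic order, as required in Sect. 2.3)
        win = max(self.bids.values(),
                  key=lambda b: (b.opening[0], -int.from_bytes(b.com, "big")))
        for a in list(self.bids):
            if a != win.addr:
                self.balances[a] += self.locked.pop(a)     # losers get Q back
        # winner gets Q back together with R, redeemable after b_max time units
        mint_tx = {"to": win.addr, "amount": R + self.locked.pop(win.addr),
                   "redeem_after": height + win.opening[0]}
        return mint_tx, []


def demo() -> dict:
    """Constructed round: Alice bids 40, Bob bids 25 and goes offline,
    Carol cannot afford the token."""
    rnd = AuctionRound(start=100, balances={"alice": 30, "bob": 30, "carol": 5})
    ra, rb = os.urandom(16), os.urandom(16)
    rnd.post_bid("alice", 40, ra, 100)
    rnd.post_bid("bob", 25, rb, 102)
    try:
        rnd.post_bid("carol", 99, os.urandom(16), 101)   # 5 < Q: rejected
    except ValueError:
        pass
    rnd.open_bid("alice", 40, ra, 103)                   # Bob never opens
    first, pending = rnd.settle(105)                     # stuck on Bob's bid
    rnd.resolve_from_puzzle("bob", 25, rb)               # recovered via tlp
    mint, _ = rnd.settle(105)
    return {"first": first, "pending": pending, "mint": mint,
            "balances": rnd.balances}


if __name__ == "__main__":
    print(demo())
```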
Theorem 1
([21]). A sequential first-price auction in which a single item is auctioned in each round (assuming that after each round the bids of each agent become common knowledge) has a subgame-perfect equilibrium that does not use dominated strategies, and in which the bids at each node of the game tree depend only on who got the item in the previous rounds.
3 Minting Mechanisms and Analysis
In this section we describe the basic minting mechanism for PoS systems and we show that with such a mechanism in place, rational users are always incentivised to hoard their stake. Then, in contrast to PoS minting, we show that our minting mechanism greatly mitigates this stake hoarding phenomenon. We refer the reader to Sect. 2.2 for a primer on auction theory and some basic definitions, and to Sect. 2.3 for the definition of a waiting-time auction.
Utility-Preserving Allocation. To analyse the behaviour of minting mechanisms in relation to stake hoarding, we introduce the concept of utility-preserving stake allocation, which is similar in spirit to the concept of Pareto efficiency^{4} [23]. Analogously to Pareto efficiency, we consider utility functions which assign utilities or benefits to stake allocations. Informally, a utility-preserving stake allocation (or distribution) is an allocation that allows a transition to a different stake allocation in which no user decreases his own utility in the process. With this new concept in hand, it becomes possible to analyse whether a particular distribution of stakes allows users to trade coins within the system and still maintain their utilities. We give a formal definition below.
Definition 1 (Utility-Preserving Transition)
Consider two stake allocations \(s= (s_1,\dots ,s_n)\) and \(s' = (s_1',\dots ,s_n')\) with \(\sum _i s_i = \sum _i s'_i = t\). We say a transition from \(s\) to \(s'\) is utilitypreserving, if it holds for all \(i \in [n]\) that \(u_i(s'_i) \ge u_i(s_i)\).
Vanilla PoS Minting. In PoS systems, the stakeholders assume the role of consensus leaders and propose new blocks to extend the blockchain. These systems ensure that a stakeholder is chosen as the slot leader with probability proportional to one’s stake. As an incentive to propose a new block, the consensus leader collects fees from the transactions within the block. As the basic minting mechanism for PoS, we consider the scenario where the consensus leader is also allowed to mint new coins, similar to what happens in PoW systems (e.g., Bitcoin).
Specifically, consider a proof-of-stake system where a reward R is given to the consensus leader. Player i becomes consensus leader with probability \(s_i/t\). Let \(X_i\) be a random variable which is 1 if player i is consensus leader and 0 otherwise, i.e. the payoff of player i is given by \(R \cdot X_i\). Consequently, it holds that \(E[R \cdot X_i] = R \cdot E[X_i] = R \cdot \Pr [X_i = 1] = R \cdot \frac{s_i}{t}\), i.e. we define \(u_i(s_i) = R \cdot \frac{s_i}{t}\).
In such a system, no non-trivial transition between two stake allocations is utility-preserving. This is shown by the following theorem.
Theorem 2
Let \(s= (s_1,\dots ,s_n)\) and \(s' = (s'_1,\dots ,s'_n)\) be stake allocations with \(\sum _i s_i = \sum _i s'_i = t\) and \(s\ne s'\). Then there exists a player \(i^*\) for which it holds that \(u_{i^*}(s'_{i^*}) < u_{i^*}(s_{i^*})\).
Proof
As \(s\ne s'\), there must exist a j with \(s_j \ne s'_j\). If \(s'_j < s_j\) we set \(i^*= j\) and it follows immediately that \(u_{i^*}(s'_{i^*}) = R \cdot s'_{i^*} / t < R \cdot s_{i^*}/t = u_{i^*}(s_{i^*})\). On the other hand, if \(s'_j > s_j\), there must be a k with \(s'_k < s_k\), as otherwise \(\sum _i s'_i > \sum _i s_i = t\). In this case, set \(i^*= k\) and the statement follows analogously.
Waiting-Time Auction Minting. In our proposal, minting is performed via a waiting-time auction. Let \(X_j^i\) be a random variable which is 1 if player i wins in round j and 0 otherwise. Thus, the payoff of player i is \(R \cdot \sum _{j = 1}^\ell X_j^i\). We will assume that, given that player i participates in the auction, his valuation, and therefore his probability of winning, does not depend on the stake distribution. That is, we can write \(E[X_j^i] = p_j^i\) for \(p_j^i\) that do not depend on \(s\). Therefore, it holds that \(E[R \cdot \sum _{j = 1}^\ell X_j^i] = R \cdot \sum _{j = 1}^\ell p_j^i\) and we can set \(u_i(s_i) = R \cdot \sum _{j = 1}^\ell p_j^i\).
In such a system, every transition of stake allocations from \(s\) to \(s'\) for which it holds for all \(i \in [n]\) that \(s_i,s'_i \ge Q\) is utility-preserving. We call such systems quasi utility-preserving.
Theorem 3
Let \(s= (s_1,\dots ,s_n)\) and \(s' = (s'_1,\dots ,s'_n)\) be stake allocations with \(\sum _i s_i = \sum _i s'_i = t\). If it holds for all \(i \in [n]\) that \(s_i,s'_i \ge Q\), then it holds for all \(i \in [n]\) that \(u_i(s'_i) = u_i(s_i)\).
Proof
As it holds for each \(i \in [n]\) that \(s_i,s'_i \ge Q\), every player i can participate in the waiting-time auction and bid according to her valuation, which is independent of \(s\) and \(s'\) respectively. The winner of the auction is therefore the same, regardless of whether the stake allocation is \(s\) or \(s'\). Consequently, the utilities are the same for \(s\) and \(s'\).
Interpreting the Results. Theorem 2 says that any distribution of stakes within a PoS system with the basic minting strategy will inevitably incentivise the hoarding of stakes, as trading coins will reduce the probability of receiving the newly minted coins. Therefore, users that trade their coins within the system (i.e., decrease their stake) will be losing utility.
In contrast, Theorem 3 says that our minting protocol based on waiting-time auctions mitigates the problem of hoarding; in fact, for each auction round a user is only incentivised to keep a stake of the size of a single participation token. In that case, the user can participate in the auction round, and the probability of winning the newly minted coins will be based strictly on the user’s own valuation. The rest of the stake can be traded into the system (among other users who can afford the participation token Q) without reducing any user’s utility. The analysis carries over to any number of auction rounds: fix \(\ell \) auction rounds, then the user only needs to hoard \(Q\cdot \ell \) coins during the period of \(\ell \) auction rounds, and the remaining coins can be traded.
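As an added example (not from the paper), the following code evaluates Definition 1 for the two utility functions of this section on concrete allocations, and goes beyond the single case in the text by exhaustively checking Theorem 2 over all small integer allocations. The reward R, token Q, the allocations and the per-player winning probabilities \(\sum_j p_j^i\) are constructed sample values; a player whose stake falls below Q cannot lock a token and is modelled with winning probability 0, which is where the "quasi" in Theorem 3 comes from.

```python
"""Utility-preserving transitions (Definition 1) under vanilla PoS minting and
waiting-time auction minting. Added example; values are constructed."""
from fractions import Fraction
from itertools import product

R, Q = 100, 10      # reward per round and participation token (constructed)


def pos_utilities(s):
    """Vanilla PoS: u_i(s_i) = R * s_i / t, t = total stake."""
    t = sum(s)
    return [Fraction(R * si, t) for si in s]


def auction_utilities(s, win_probs):
    """Waiting-time auction: u_i = R * sum_j p_j^i, independent of the stake
    as long as player i can lock Q; below Q she cannot bid at all."""
    return [R * p if si >= Q else Fraction(0) for si, p in zip(s, win_probs)]


def is_utility_preserving(u_before, u_after):
    """Definition 1: no player's utility decreases in the transition."""
    return all(a >= b for b, a in zip(u_before, u_after))


def losers(u_before, u_after):
    """Indices of players whose utility strictly decreases."""
    return [i for i, (b, a) in enumerate(zip(u_before, u_after)) if a < b]


def all_allocations(n, t):
    """Every allocation of t indivisible coins among n players."""
    return [s for s in product(range(t + 1), repeat=n) if sum(s) == t]


def theorem2_holds(n, t):
    """Exhaustive check of Theorem 2: every non-trivial PoS transition between
    allocations of the same total t makes some player strictly worse off."""
    allocs = all_allocations(n, t)
    for s in allocs:
        us = pos_utilities(s)
        for s2 in allocs:
            if s != s2 and is_utility_preserving(us, pos_utilities(s2)):
                return False
    return True


def demo():
    s = (50, 30, 20)                     # player 0 pays 10 coins to player 1
    s_trade = (40, 40, 20)
    s_below_q = (65, 30, 5)              # player 2 sells down below Q
    probs = (Fraction(1, 2), Fraction(1, 3), Fraction(1, 6))   # constructed
    return {
        "pos_preserving": is_utility_preserving(pos_utilities(s), pos_utilities(s_trade)),
        "pos_losers": losers(pos_utilities(s), pos_utilities(s_trade)),
        "auction_preserving": is_utility_preserving(auction_utilities(s, probs),
                                                    auction_utilities(s_trade, probs)),
        "auction_below_q_losers": losers(auction_utilities(s, probs),
                                         auction_utilities(s_below_q, probs)),
        "theorem2_n3_t6": theorem2_holds(3, 6),
    }


if __name__ == "__main__":
    print(demo())
```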
4 Our Minting Protocol
Below we recall the cryptographic primitives used in our protocol and we refer the reader to the full version of this paper [9] for formal definitions.
Non-interactive CCA-Commitment Schemes. A non-interactive tagged commitment scheme consists of a pair of randomised algorithms: a setup \(\mathsf {Setup}(1^\lambda )\), that takes as input the security parameter and outputs a common reference string \(\mathtt {crs}\), and a commitment \(\mathsf {Commit}(\mathtt {crs},\mathtt {addr}, m;r)\) that takes as input the \(\mathtt {crs}\), a tag/identity \(\mathtt {addr}\), a message m and random coins \(r\) and outputs a commitment \( com \). Loosely speaking, \( com \) should hide the message m, and it should be infeasible for anyone to show a valid set of coins \(r'\) such that \(\mathsf {Commit}(\mathtt {crs},\mathtt {addr},m';r') = com \) for a different message \(m'\). Additionally, for such schemes it is not possible to “maul” commitments for one tag into commitments for another tag. Such commitment schemes can be constructed from standard SHA-256 commitments in the random oracle model [4].
Time-Lock Puzzles. A time-lock puzzle allows one to conceal a value for a certain amount of time. The puzzle generation algorithm \(\mathsf {PGen}(1^\lambda ,\mathbf {T},m)\) takes as input a security parameter, a hardness parameter \(\mathbf {T}\) and a message m, and outputs a puzzle \( tlp \). The puzzle \( tlp \) can be cracked using the solving algorithm \(\mathsf {PSolve}( tlp )\), which outputs m and a recovery proof \(\pi \). The proof can be verified with the corresponding verification algorithm \(\mathsf {PVer}( tlp , m, \pi )\). Time-lock puzzles guarantee that a puzzle can be solved in polynomial time, but not in time less than \(\mathbf {T}\). Additionally, verifying a recovery proof shall be exponentially faster than solving the puzzle. Rivest, Shamir and Wagner [30] proposed the first and only efficient candidate time-lock puzzle, based on a variant of the RSA assumption. Boneh and Naor [6] showed how to compute a recovery proof such that its verification is exponentially faster than solving the puzzle, which was lifted to the public-coin setting by Pietrzak [29] and Wesolowski [34].
Succinct Non-interactive Arguments. Let \(R:\{0,1\}^*\times \{0,1\}^*\rightarrow \{0,1\}\) be an \( NP \) witness relation with corresponding \( NP \) language \(\mathcal {L}:= \{x:\exists w \text{ s.t. } R(x,w) = 1\}\). A succinct non-interactive argument (SNARG) [24] system for R is initialised with a setup algorithm \(\mathsf {crsGen}(1^\lambda )\) that, on input the security parameter, outputs a common reference string \(\mathtt {crs}\). A prover can show the validity of a statement x with a witness w by invoking \(\mathsf {P}(\mathtt {crs},x,w)\), which outputs a proof \(\pi \). The proof can be efficiently checked by the verification algorithm \(\mathsf {V}(\mathtt {crs},x,\pi )\). We require a SNARG system to be sound (it is hard for any prover to convince a verifier of a false statement) and its proofs to be succinct (their size is independent of x and w).
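The following is an added example (not the paper's code) of the Rivest–Shamir–Wagner time-lock puzzle used for \(\mathsf{PGen}\) and \(\mathsf{PSolve}\) above, with the bid and its unveil information \(r\) as the hidden payload: the generator, knowing the factorisation of N, computes the key \(2^{2^{\mathbf{T}}} \bmod N\) with two modular exponentiations, while the solver must perform \(\mathbf{T}\) sequential squarings. The primes, \(\mathbf{T}\) and the payload are small constructed values with no security; the recovery proof \(\pi\) and \(\mathsf{PVer}\) (Boneh–Naor / Pietrzak / Wesolowski) are not implemented.

```python
"""Toy RSW time-lock puzzle hiding a bid's unveil information (added example;
constructed, insecure parameters). Base 2 is used instead of RSW's random base."""
import hashlib
from dataclasses import dataclass


@dataclass
class Puzzle:
    N: int            # RSA modulus p*q (factorisation known only to the generator)
    T: int            # hardness parameter: number of sequential squarings
    ciphertext: bytes # payload XOR SHA-256(2^(2^T) mod N)


def _mask(key: int, length: int) -> bytes:
    """Key-derivation: hash the group element to a pad of at most 32 bytes."""
    if length > 32:
        raise ValueError("payload must be at most 32 bytes in this toy")
    kb = key.to_bytes((key.bit_length() + 7) // 8 or 1, "big")
    return hashlib.sha256(kb).digest()[:length]


def pgen(p: int, q: int, T: int, m: bytes) -> Puzzle:
    """PGen: with the trapdoor phi(N) the generator reduces the exponent 2^T
    modulo phi(N), so it never performs T squarings (Euler's theorem, N odd)."""
    N, phi = p * q, (p - 1) * (q - 1)
    key = pow(2, pow(2, T, phi), N)          # = 2^(2^T) mod N
    pad = _mask(key, len(m))
    return Puzzle(N, T, bytes(a ^ b for a, b in zip(m, pad)))


def psolve(puz: Puzzle) -> tuple:
    """PSolve: without the trapdoor, T inherently sequential squarings of 2
    modulo N recover the key. Returns (payload, squarings_performed)."""
    x = 2
    for _ in range(puz.T):
        x = x * x % puz.N
    pad = _mask(x, len(puz.ciphertext))
    return bytes(a ^ b for a, b in zip(puz.ciphertext, pad)), puz.T


def encode_unveil(bid: int, r: bytes) -> bytes:
    """Payload embedded in the tlp during the bidding phase: the bid b and the
    commitment randomness r (Sect. 1.2)."""
    return bid.to_bytes(8, "big") + r


def decode_unveil(payload: bytes) -> tuple:
    return int.from_bytes(payload[:8], "big"), payload[8:]


def demo() -> dict:
    p, q, T = 104729, 104723, 20000          # constructed small primes, toy T
    r = bytes(range(16))                     # constructed commitment randomness
    puz = pgen(p, q, T, encode_unveil(40, r))
    payload, work = psolve(puz)
    bid, r_rec = decode_unveil(payload)
    return {"bid": bid, "r": r_rec, "work": work,
            "hidden": puz.ciphertext != encode_unveil(40, r)}


if __name__ == "__main__":
    print(demo())
```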
Communication Interface to Blockchain. We refer to [9] for details on the underlying blockchain model. The protocol \(\varGamma \) provides the nodes with the following set of interfaces which have complete access to the network and its users.
\(\{\mathcal {CH}',\bot \} \leftarrow \varGamma .\mathsf {getChain}\): returns a longer chain \(\mathcal {CH}'\) if it exists, otherwise returns \(\bot \).
\(\{0,1\} \leftarrow \varGamma .\mathsf {isChainValid}(\mathcal {CH})\): the validity check takes as input a chain \(\mathcal {CH}\) and returns 1 iff the chain satisfies a (public) set of conditions.
\(\varGamma .\mathsf {postTx}(\mathtt {TxType}, dt )\): takes as input the transaction type information and the transaction data. It then constructs a transaction of type \(\mathtt {TxType}\) with data \( dt \), validates the transaction and includes it in the next block.
\(\{\mathtt {txID},\bot \} \leftarrow \varGamma .\mathsf {isTxStable}(\mathcal {CH}, dt )\): takes as input a chain \(\mathcal {CH}\) and some transaction data \( dt \) and checks whether the transaction containing \( dt \) is stabilised (w.r.t. the persistence property) in \(\mathcal {CH}\). If yes, then it returns the transaction id \(\mathtt {txID}\) within \(\varGamma \), otherwise it returns \(\bot \).^{5}
\(\varGamma .\mathsf {broadcast}( dt )\): takes as input some data \( dt \) and broadcasts it in the network.
The nodes in the \(\varGamma \) protocol network each have their own local chain \(\mathcal {CH}\), initialised with a common genesis block. The genesis block contains the information about the addresses of nodes and the spendable balances in each of them.
4.1 Minting Protocol Description and Analysis
We give a formal description of our minting protocol in Fig. 4. The following theorem shows that our construction preserves the subgame-perfect Nash equilibria of the mediated game. In other words, we formally argue that our protocol implements a waiting-time first-price auction on top of any blockchain (with its own set of incentives). Intuitively, the adversarial strategy that we want to prevent is that of suppressing higher bids. Since the bids are hidden with a commitment, the adversary can only suppress bids at random (bids for different auction rounds are also unlinkable). Therefore, the condition \(R \le m \cdot F\) ensures that it is more profitable for a miner to include all bids (thereby collecting fees) than to drop even one bid to increase its own probability of winning the auction. The case of ties has to be handled with special care, since in this case the selection of the winner is arbitrary: we handle this by making the discrete time unit fine-grained enough that collisions become very unlikely. It follows that all bids will eventually be posted in the blockchain. We defer the formal proof of Theorem 4 to the full version of the paper [9].
Theorem 4 (Subgame-perfect Nash equilibria)
Let m be the number of bidders in the auction, F be the transaction fee for each bid, and R be the reward. If \(R \le m \cdot F\) then the protocol of Fig. 4 implements a sequential mediated waiting-time auction.
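An added illustration (not the paper's proof) of where the bound \(R \le m \cdot F\) comes from under a simple model: the miner is one of the \(m\) bidders, bids are hidden so every included bid wins with probability \(1/m\), and the miner can only drop other bids blindly. Dropping \(k\) of the \(m-1\) other bids forfeits \(kF\) in fees and raises the miner's winning probability to \(1/(m-k)\), so its expected gain over honest behaviour is

\[
\Delta(k) = R\left(\frac{1}{m-k} - \frac{1}{m}\right) - kF = k\left(\frac{R}{m(m-k)} - F\right), \qquad 1 \le k \le m-1 .
\]

If \(R \le m \cdot F\), then for every such \(k\)

\[
\frac{R}{m(m-k)} \le \frac{F}{m-k} \le F ,
\]

so \(\Delta(k) \le 0\): suppressing any number of bids is at best break-even. The bound is tight at \(k = m-1\) (suppressing all other bids), where \(\Delta = (m-1)\left(R/m - F\right)\), which is positive exactly when \(R > m \cdot F\).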
4.2 Discussion on Different Adversarial Behaviours
We discuss the intuition behind how we prevent some of the common attacks against our minting protocol of Fig. 4. For detailed discussion of the choice of system parameters we refer the reader to the full version of the paper [9].
(1) Bid Suppression: The most straightforward attack for the adversary is to suppress bids from a block during the bidding phase. By suppressing bids from a block, the adversary can increase its chances of winning the newly minted coins. As we show in the analysis of Theorem 4, this strategy ultimately has a decreasing payoff, and therefore will be avoided by the rational adversarial miner. The intuition behind this argument is that by suppressing bids, the adversary forfeits the transaction fees carried by the bid transactions, which is less profitable than simply including all the bids and following the protocol.
(2) Denial-of-Coin: In a denial-of-coin attack the adversary tries to stop the creation of new coins in the system. One way to achieve this goal is to bid an incredibly high amount of time (way above one’s valuation), such that the newly minted coins would remain locked (practically) forever. This is not a profitable attack for the rational adversary, since this strategy would quickly lock all funds of the adversary, eventually re-establishing the coin supply. Furthermore, the attacker must be heavily invested in the currency to launch such an attack and thus he is hurting primarily himself with this manoeuvre.
(3) Denial-of-Service: A possible denial-of-service attack is for the adversary to spam the network with many bid transactions in order to stall the network and prevent honest users from participating in the bidding process. Our protocol avoids this by charging a transaction fee for each bid posted. In that way, for the adversary to be able to spam the network he would have to decrease his payoff significantly.
Another vector of attack to slow down the network is to post (well-formed) bids but not their openings. This causes the miners to incur additional computational effort to brute-force the time-lock puzzles. This attack can be prevented using the recently introduced homomorphic time-lock puzzles [22].
(4) Mint Suppression: This attack happens when the miner refuses to include a valid minting transaction into the block being mined. Such an attack is not rational for any miner because at this point of the execution the winner is already determined, although not yet announced. The miner cannot change the winner of the auction and therefore gains no advantage by refusing to include the minting transaction.
(5) Malformed Bids: An attacker could see posting inconsistent time-lock puzzles as an opportunity to slow down the system, since miners need to solve a time-lock puzzle to eventually realise that the bid is not well-formed. As shown in our analysis in the full version of this paper [9], this behaviour is not profitable for any attacker, since any miner who fails to solve a malformed time-lock puzzle can produce a recovery proof and claim the participation token of the bidder.
5 Implementation
We report a Python 3 proof-of-concept implementation of our protocol from Fig. 4. Our benchmarking was performed in a virtual environment on a Linux server with the following specifications: Intel Xeon Gold 6132 CPU (32 cores) @ 2.60 GHz, 64 GB of RAM, Debian Linux 4.9.0-6-amd64 and Python 3.6.4, fastecdsa 1.6.4, and the latest libSNARK. As in Bitcoin, we use the ECDSA signature scheme over the elliptic curve \(\mathtt {secp256k1}\), which has a signature of size 65 bytes, a private key of size 32 bytes and a public key of size 65 bytes.
Special Transactions. The commitments to bids in bid transactions are implemented as SHA-256 commitments computed using the libSNARK SHA-256 hash function. The average size for a bid transaction (including input and output) in our prototype is 289 bytes. The unveil information for a commitment is the bid itself and the randomness. The size of a mint transaction is approximately 252 bytes; it contains no inputs but two outputs. The first output contains a 137-byte SNARG proof, along with the highest bid (8 bytes) and the commitment to the highest bid (32 bytes), adding up to a total of 177 bytes. The second output is a pay-to-pubkey-lock type transaction, that is, a standard pay-to-pubkey transaction with a locktime corresponding to the value of the winning bid. The measurements are summarised in Table 1.
Time-Lock Puzzles. We implement the RSW time-lock puzzles (combined with Pietrzak’s proofs), which leverage repeated squaring as a non-parallelisable operation. We conservatively set the hardness parameter \(\mathbf {T}\) to be \(2^{35}\), which keeps the \( tlp \) locked for more than 15 h on our hardware. We instantiate the \( tlp \) with an RSA modulus of 512 bits, which we estimate to be sufficient for hiding a value for less than a day.
5.1 Benchmarking
We measure the time to generate and to verify SNARG proofs for a mint transaction, varying the number of bids considered in each auction round. For each experiment we generate fresh bid commitments and we run 100 iterations of each experiment, taking the average time over all the iterations. The results of the experiments shown in Fig. 5 were measured including the wait time, and with the libSNARK multicore mode enabled (32 cores). The graph on the left of Fig. 5 shows outlier points for 300 and 600 bids; this is due to parallelisation. We discuss several optimisations and other aspects of our evaluation in further detail in the full version of this paper [9].
Footnotes
1. Unless explicitly said otherwise, we always refer to “stake” as the available balance of each user in the system.
2. We refer to as cryptocurrencies the digital currencies that are meant to be used as a utility token (i.e., to mimic the behaviour of fiat currency), and as cryptoassets the tokens that are meant to be used as a store of value.
3. E.g., lexicographical in the commitments of the bidders.
4. Pareto efficiency is a common notion in game and economic theory used to determine whether a particular allocation of resources within a set of players is optimal or not.
5. Note that Nakamoto-style consensus guarantees stability only with high probability, assuming a bound on the adversary’s fraction of resources within the system, which suffices for our analysis.
References
1. Mining hardware comparison (2017). https://tinyurl.com/4pjhy5t
2. Badertscher, C., Garay, J., Maurer, U., Tschudi, D., Zikas, V.: But why does it work? A rational protocol design treatment of Bitcoin. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 34–65. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_2
3. Badertscher, C., Gazi, P., Kiayias, A., Russell, A., Zikas, V.: Ouroboros genesis: composable proof-of-stake blockchains with dynamic availability. In: Lie, D., Mannan, M., Backes, M., Wang, X.F. (eds.) ACM CCS 2018, pp. 913–930. ACM Press (October 2018)
4. Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 93, pp. 62–73. ACM Press (November 1993)
5. Blass, E.O., Kerschbaum, F.: Strain: a secure auction for blockchains. In: Lopez, J., Zhou, J., Soriano, M. (eds.) ESORICS 2018. LNCS, vol. 11098, pp. 87–110. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-99073-6_5
6. Boneh, D., Naor, M.: Timed commitments. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 236–254. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_15
7. Carlsten, M., Kalodner, H.A., Weinberg, S.M., Narayanan, A.: On the instability of bitcoin without the block reward. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 154–167. ACM Press (October 2016)
8. David, B., Gaži, P., Kiayias, A., Russell, A.: Ouroboros Praos: an adaptively-secure, semi-synchronous proof-of-stake blockchain. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 66–98. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_3
9. Deuber, D., Döttling, N., Magri, B., Malavolta, G., Thyagarajan, S.A.K.: Minting mechanisms for blockchain, or, moving from cryptoassets to cryptocurrencies. Cryptology ePrint Archive, Report 2018/1110 (2018)
10. Dziembowski, S., Faust, S., Kolmogorov, V., Pietrzak, K.: Proofs of space. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 585–605. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_29
11. Eyal, I., Sirer, E.G.: Majority is not enough: bitcoin mining is vulnerable. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 436–454. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45472-5_28
12. Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol with chains of variable difficulty. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 291–323. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_10
13. Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_10
14. Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_11
15. Halpern, J.Y., Pass, R.: Algorithmic rationality: game theory with costly computation. J. Econ. Theor. 156, 246–268 (2015)
16. Hayes, A.: Why is deflation bad for the economy? Investopedia (2019). https://www.investopedia.com/articles/personalfinance/030915/whydeflationbadeconomy.asp
17. Hummel, J.R.: Death and taxes, including inflation: the public versus economists. Econ. J. Watch 4(1), 46 (2007)
18. Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_12
19. Kosba, A.E., Miller, A., Shi, E., Wen, Z., Papamanthou, C.: Hawk: the blockchain model of cryptography and privacy-preserving smart contracts. In: 2016 IEEE Symposium on Security and Privacy, pp. 839–858. IEEE Computer Society Press (May 2016)
20. Wang, S.: Microeconomic Theory. STBE. Springer, Singapore (2018). https://doi.org/10.1007/978-981-13-0041-7
21. Leme, R.P., Syrgkanis, V., Tardos, É.: Sequential auctions and externalities. In: Proceedings of the Twenty-Third Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 869–886. Society for Industrial and Applied Mathematics (2012)
22. Malavolta, G., Thyagarajan, S.A.K.: Homomorphic time-lock puzzles and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 620–649. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26948-7_22
23. Wang, S.: Microeconomic Theory. STBE. Springer, Singapore (2018). https://doi.org/10.1007/978-981-13-0041-7
24. Micali, S.: Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000)
25. Nakamoto, S.: Bitcoin: A Peer-to-Peer Electronic Cash System (2008)
26. Nayak, K., Kumar, S., Miller, A., Shi, E.: Stubborn mining: generalizing selfish mining and combining with an eclipse attack. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 305–320. IEEE (2016)
27. Pass, R., Seeman, L., Shelat, A.: Analysis of the blockchain protocol in asynchronous networks. In: Coron, J.S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 643–673. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-56614-6_22
28. Pass, R., Shi, E.: FruitChains: a fair blockchain. In: Schiller, E.M., Schwarzmann, A.A. (eds.) 36th ACM PODC, pp. 315–324. ACM (July 2017)
29. Pietrzak, K.: Simple verifiable delay functions. In: ITCS (2019)
30. Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto. Technical report, Cambridge, MA, USA (1996)
31. Sattarov, K.: Inflation and economic growth: analyzing the threshold level of inflation. Case study of Finland, 1980–2010 (2011)
32. Thomson, I.: Parity: The bug that put $169m of ethereum on ice? Yeah, it was on the to-do list for months. The Register (2017). https://www.theregister.co.uk/2017/11/16/parity_flaw_not_fixed
33. Tsiang, S.C.: A critical note on the optimum supply of money. In: Finance Constraints and the Theory of Money, pp. 331–348. Elsevier (1989)
34. Wesolowski, B.: Efficient verifiable delay functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 379–407. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_13