Minting Mechanism for Proof of Stake Blockchains

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12146)


As an alternative for the computational waste generated by proof-of-work (PoW) blockchains, proof-of-stake (PoS) systems gained a lot of popularity, being adopted by many existing cryptocurrencies. Unfortunately, as we show, PoS-based currencies, where newly minted coins are assigned to the slot leader, inevitably incentivises coin hoarding, as players maximise their utility by holding their stakes and not trading. As a result, existing PoS-based cryptocurrencies do not mimic the properties of fiat currencies, but are rather regarded as investment vectors.

In this work we initiate the study of minting mechanisms in cryptocurrencies as a primitive on its own right, and as a first step to a solution to mitigate coin hoarding in PoS currencies we propose a novel minting mechanism based on waiting-time first-price auctions. Our main technical tool is a protocol to run an auction over any blockchain. Moreover, our protocol is the first to securely implement an auction without requiring a semi-trusted party, i.e., where every miner in the network is a potential bidder. Our approach is generically applicable and we show that it is incentive-compatible with the underlying blockchain, i.e., the best strategy for a player is to behave honestly. Our proof-of-concept implementation shows that our system is efficient and scales to tens of thousands of bidders.

1 Introduction

Proof of Work based consensus systems, such as Bitcoin, rely on users solving a hard computational puzzle to achieve decentralised consensus on the state of the system. Since no efficient algorithm is known for solving such a puzzle, users have to rely on their computational power for an exhaustive search of the solution. This process is often referred to as “mining”. Miners work to maintain the system by validating transactions and a reward is assigned to the miner who solves the puzzle first. Apart from the reward, the miner also collects fees from the transactions he validated. This incentive mechanism has led to a hardware race  [1], which has resulted in enormous energy demands and environmental problems. To mitigate the problems mentioned above, the community investigated alternative consensus mechanisms, based on more energy-efficient resources. One such consensus mechanism is Proof of Stake (PoS)  [8, 18], that rely on the rationality of a stakeholder in the system to behave honestly due to the risk of devaluing the currency. In PoS, the consensus leader is chosen solely based on a function of her stake1 in the system.

From Cryptoassets Towards Cryptocurrencies. Deflation is the overall increase of value of a currency over time. In an economic system, this can be caused by several different factors, such as excess of production, low demand of services and goods, and decrease in the total money supply  [16]. Due to the unregulated and global nature of cryptocurrencies2 the latter aspect is the most concerning; users losing their private keys or coins getting locked forever in a badly coded smart contract  [32] can cause deflation in the cryptocurrency if there is no mechanism in place to mint new coins into the system. Although it may look as a beneficial side effect (one’s money becoming more valuable), deflation can be very harmful to a currency. Namely, it introduces the phenomenon of money hoarding:  [16] “why spend 1 coin today if tomorrow the same 1 coin can purchase more?”.

Moreover, the relation between money supply and hoarding of money is a well studied topic in economic theory. Tsiang  [33] advocates for a moderate inflation as a countermeasure for the stagnation of money. Several other works in the literature [17, 31] extensively study a steady inflation (in the form of increase in money supply) as a deterrent for money hoarding and as an incentive for trading. Predictably, capped supply of coins (as in Bitcoin) and incentivising stake-hoarding (as in PoS), have the opposite effect, which may hinder the long-term viability of cryptocurrencies as an alternative to fiat currencies. Therefore, it seems that some form of inflation is necessary for a currency to prosper.

State of the Art Minting Mechanisms. While consensus seems to be a better understood problem  [12, 13, 18, 27] given the current state of affairs, there is no unified solution for the introduction of new coins in a cryptocurrency. Current folklore approaches are either energy expensive (such as PoW-based systems) or incentivise hoarding of stakes (such as PoS-based approaches). Surprisingly, this problem has hardly received any attention and, to the best of our knowledge, there is no rigorous treatment of minting mechanisms in cryptocurrencies.

Most of the current systems have integrated the distribution of new coins with the consensus mechanism: The miner who proposes the new block, is also rewarded with the newly minted coins. However, the brute-force approach (of PoW especially) to obtain the reward has resulted in a hardware race among the miners  [1] and subsequent increase in the difficulty of mining. PoS-based systems either have a fixed cap, or assign the new coins to the consensus leader. As discussed above, this invariably incentivises coin hoarding by the stakeholders and promotes the deflation of the currency.

Decoupling Minting from Consensus. In this work we initiate the study of minting mechanisms as a primitive on its own right and we propose a new protocol based on waiting-time auctions. Any user in the system only needs a small amount of coins to compete for the newly minted coins. As a result, the system mitigates coin hoarding and incentivises participation of regular users, as they can compete with large investors. In a nutshell, our system rewards the user who is willing to “wait the longest”, after the user has waited for that amount of time. Under the assumption that users cannot stack the time at their disposal, pooling resources does not increase the chances of receiving new coins (thus preventing sybil attacks). On a conceptual level, we suggest a hybrid approach for cryptocurrencies, where the minting mechanism is decoupled from the consensus. The consensus is only incentivised by the collection of transactions fees, while the minting of new coins in the system is carried out by the minting mechanism, with its own set of rules.

Badertscher et al.  [2] recently showed that Bitcoin is still incentive compatible in a setting where rational miners only collect transaction fees for the mined blocks. To the best of our knowledge, there is no similar analysis for existing PoS blockchains, such as Ouroboros  [18] and Ouroboros Praos  [8], but since the analysis of  [2] is consensus agnostic, it carries over to PoS blockchains under the same conditions.

1.1 Our Contributions

  1. 1.

    We initiate the rigorous treatment of minting mechanisms in cryptocurrencies and we analyse the pitfalls of folklore solutions. We introduce the concept of utility-preserving stake allocation (Sect. 3), on the same spirits of Pareto efficiency. Informally, this property states that in a utility-preserving system, stakeholders can trade their stake without affecting their chances of obtaining newly minted coins. Using this property we analyse and show that coin hoarding is in fact incentivised in a PoS-based minting mechanism where new coins are assigned to the consensus leader.

  2. 2.

    We propose a new minting mechanism based on waiting-time auctions and we show that it is incentive-compatible with the underlying blockchain (Sect. 4.1), i.e., following honestly the protocol is the Nash equilibrium strategy for rational miners on the blockchain system. We also formally show that our mechanism is quasi-utility-preserving in its stake allocation, and therefore mitigates the problem of coin hoarding. Informally, this is because the stakeholder needs only a token to participate in a minting round, while the rest of the coins are free to be traded with users that also possess a token.

  3. 3.

    On a technical level, we present a cryptographic construction (Fig. 4) for realising a first-price waiting-time auction on top of a blockchain. Our protocol does not require any additional interaction other than what is required by the underlying blockchain, and does not rely on any semi-trusted party. Our solution is the first where every miner in the network is a potential bidder. This is in strong contrast with previous proposals that assume the existence of a semi-trusted auctioneer to collect bids and announce the winner.

  4. 4.

    We demonstrate the scalability of our approach with a proof-of-concept implementation (Sect. 5) of our construction and a thorough performance analysis. The system can be scaled to support thousands of bidders per block with a reasonable block size (8 MB) while leaving more than two-thirds of the block free for standard transactions.


1.2 Technical Overview

To circumvent the problem of Sybil attacks, the minting mechanism must rely on some quantifiable resource. On that regard, we identify time to be such a resource. The time that we consider here is the physical time one has in her future, or in other words, the notion of “from now on”. Our minting mechanism leverages the observation that the time at one’s disposal is (roughly) equal across the set of users and cannot be combined with the time of other users.
Fig. 1.

Waiting-time based rewarding where user U1 is prepared to wait the longest (5 days), and obtains the reward after waiting for 5 days.

Minting Mechanism. We describe our mechanism under the assumption of the existence of an underlying blockchain system. Specifically, our protocol can be built on top of any public transaction ledger whose consensus relies solely on transaction fees as incentive. Our protocol implements a sequential first-price auction, does not require an auctioneer, and the miners can actively participate in the protocol and compete for the rewards. We leverage rational arguments to show that the best strategy for every user is to simply follow the protocol specification. Figure 1 gives a pictorial overview of one full round of our minting mechanism, that consists of an auction round, waiting period and redeem period. Each auction round in itself consists of three phases:
  1. 1.

    At periodic intervals users engage in a first-price auction where the item being auctioned are R newly minted coins. The bidding phase for the auction spans through \(\alpha \) blocks where every user willing to participate posts a bid transaction with a concealed bid. The bid here is the amount of physical time units the user is willing to wait in order to obtain the minted coins. To be eligible to participate, a user is required to “lock” some fixed amount Q of his coins (called token of participation or participation token) for the entire duration of the auction (until a winner is announced).

  2. 2.

    Once the bidding phase is over, the protocol allocates \(\beta \) blocks for users to broadcast the unveil information of their bids. We call these \(\beta \) blocks the opening phase.

  3. 3.

    After the opening phase, miners can open all the posted bids (using the corresponding unveil information) and determine the winner of the auction. A mint transaction is then generated assigning R newly minted coins to the winner of the auction, that can be redeemed only after the time corresponding to her bid has elapsed. All users can unlock their token of participation Q after the auction round is over, except the winner, who only gets back Q together with the newly minted coins.

Cryptographic Implementation. As a first (flawed) attempt, consider a protocol in which every bidder posts a transaction with a commitment \( com \) to their bid, then later in an opening phase they post the unveil \(r\), and the winner can be publicly determined. The challenge that arises here is how to deal with the case where a player does not post the opening to their bid. If there is a mechanism in place to actively prevent this behaviour, e.g. by excluding this player from the auction and determining the winner among the other bidders, then this constitutes an incentive for miners to suppress the openings of higher bidders, and therefore increase its own chances of winning the auction. On the other hand, if no such mechanism is in place and the auction is aborted after a certain time if an opening is not present, then a single bidder can prevent the minting of new coins.

To deal with these apparently conflicting requirements, we propose a cryptographic solution where each round of the auction can be completed even if players go offline after the bidding phase. Our protocol requires players to embed the unveil information \(r\) in a time-lock puzzle \( tlp \) during the bidding phase. Time-lock puzzles ensure that their payload is hidden for a stipulated amount of time but can be opened once this amount of time has elapsed. This means that bids remain concealed until the end of the bidding phase but can be efficiently recovered in case a player does not publish the unveil of the corresponding commitment (i.e., the player goes offline). This effectively eliminates the need for a trusted party in the execution of the auction over the blockchain. We stress however, that time-lock puzzles are only used as a deterrent against malicious bidders who refuse to open their bids. In a rational run of the protocol the time-lock puzzles are never required to be solved and therefore no puzzle-solving computational overhead is added, as the bidders reveal the bids during the opening phase. Moreover, their functionality appears to be necessary: If we were to ignore bids of bidders that go offline before publishing a reveal, then it would be unclear if the bidder indeed went offline or it was a malicious blockmaker who chose to suppress the bid. Therefore it is imperative for all bids to be revealed and considered for the round of auction. This is exactly the functionality provided by time-lock puzzles: If a malicious user does not open his bid (trying to perform a denial-of-service attack on the protocol) his initial bid can still be recovered by solving the time-lock puzzle. We also note that rational players are never incentivized to leave their bid unopened, but even in the case where players act irrationally the protocol can still recover by performing some extra work to solve the \( tlp \) and finish the current auction round.

Formal Analysis. Our protocol can be formally modelled as a first-price sequential waiting-time auction with sealed bids and we leverage state-of-the-art results on sequential auctions  [21] to show that our rewarding mechanism has a Nash equilibrium on the amount of time units that a user should bid in each round of the auction. Then we analyse the utility-preserving stake allocation of our system and we show that our minting mechanism mitigates stake hoarding. Particularly, we show that our minting mechanism is quasi utility-preserving up to the value of the participation token Q (i.e., any coin trade where the sender and the receiver has a balance of at least Q coins (before and after the transaction) does not decrease the utility of any user). In contrast, in all folklore PoS minting solutions, stake allocations are not utility-preserving, which does not promote coin circulation and inevitably leads to stake hoarding. Finally, we prove that our mechanism is incentive-compatible with the underlying blockchain, i.e., honestly following the protocol is the Nash equilibrium strategy for rational miners.

Implementation. As a proof-of-concept of our system we build an entire blockchain system coupled with our minting mechanism (Sect. 5). Considering a bidding phase of 10 blocks and blocks of size 8 MB, we can fit more than 10K bids in a single auction round and still leave around \(70\%\) of the block’s capacity free for standard transactions. To produce a proof for a mint transaction including 750 bids, the system takes less than 3 min, and the verification is almost instant, as we show in Sect. 5.1.

1.3 Related Work

Nakamoto  [25] proposed Bitcoin, the first currency system with a consensus protocol based on Proof of Work (PoW). The underlying protocol of Bitcoin was dubbed as the Blockchain protocol and a formal analysis of its security definitions and properties can be found in the works of Garay et al.  [13] and Pass et al.  [27]. BitcoinCash, Litecoin (variants of Bitcoin), Zcash and Monero are some of the popular currencies based on PoW. One among several other alternatives proposed was Proof of Stake (PoS) based consensus where a consensus leader proves she holds a stake in the system. The proposal was formally analysed with the assumption of a synchronous  [18] network, and in the recent work of Badertscher et al.  [3] which concerns with composability of PoS blockchains. There are several currency systems that are based on different versions of PoS, namely, Cardano (based on Ouroboros), Reddcoin, and Peercoin among possibly many others. Proofs of Space  [10] is another proposal put forth that relies on a prover proving to a verifier that she has sufficient disk space, to achieve a consensus.

In all of the above mentioned consensus mechanisms, the consensus leader in the blockchain is also the one who receives the incentive in the form of newly minted coins (when such an incentive exists). Selfish mining attacks (where a miner mines a block selfishly and later hopes to make his chain longer and accepted) in case of Nakamoto’s blockchain protocol were discovered and analysed by Eyal and Sirer  [11, 26]. Fruitchain  [28] ensures that no coalition that has less than the majority of the computational power can gain more by deviating from the protocol. Concurrently, Carlsten et al.  [7] showed the possible instability in the future of Bitcoin as a result of incentives through transaction fees only.

Running auctions on blockchains has been gaining more attention given its nature of public verifiability. There are several existing proposals for running different variants of auctions. Kosba et al.’s HAWK  [19] employ smart contracts to run auctions on top of a blockchain. They require a Manager who is entrusted to run the auction contract. The manager is aware of the bidders’ inputs and is trusted to not disclose that information. Strain  [5] aims to decrease the amount of interaction, while relying on a semi-honest judge who does not collude with any bidders and produces proof of winner.

2 Preliminaries

2.1 Rational Security

Here we give a brief overview of the notion of rational players, following the definitions of  [15]. Every player is characterised by some payoff (or utility) function u. In any protocol (game), utility represents the motivations of players. A utility function for a given player assigns a number for every possible outcome of the protocol with the property that a higher number implies that the outcome is more preferred. A rational player wishes to maximise her utility.

Every player is also equipped with a strategy function. A strategy function takes as input the view of the player so far and outputs its next action. Rational players will choose from the strategies available to them the one that results in the most preferred outcome. Note that the strategies and the protocol can have potential randomness which invokes a certain distribution over the outcomes of the protocol. We define the utility of a distribution as the the expected value of the utility of an outcome drawn from that distribution.

Let Z be a family of subsets of the set of players for a game G. We say that a set of strategies \(\mathbf {s}\) constitutes a Z-coalition-safe \(\epsilon \)-Nash-equilibrium, if no coalition of players from a set Z can gain more than \(\epsilon \) in payoff when deviating from \(\mathbf {s}\) when playing G.

A mediated game is one in which a trusted party, the mediator, takes inputs from players, computes a function and provides outputs to the players. Following [15] we say that a protocol \(\varPi \) implements a mediator \(\mathcal {F}\) if it holds for any admissible environment/outer gamer \(\mathcal {Z}\) that if it is an equilibrium strategy to truthfully provide inputs to \(\mathcal {F}\) in game \(\mathcal {Z}\), then it is an \(\epsilon \)-equilibrium strategy to honestly execute protocol \(\varPi \) in \(\mathcal {Z}\), where \(\epsilon \) is negligible.

2.2 A Primer on Auction Theory

An auction is a mechanism which runs with some pre-determined rules to sell some item of value. It involves the participation of several parties whose roles are well defined. In the simplest of settings, there is a seller who puts an item on sale and more than one interested buyers compete with each other by placing bids, or the cost they are willing to pay for the item. The highest bidder is announced as the winner and is required to pay a certain amount of money and the item is awarded to this winning buyer. Here we give a brief overview of some of the basic concepts of auction theory.

Valuation. Players’ valuations define the economic value of an object that is on sale during an auction. It may be the same across the participants in the auction or can be personalised depending on the “value” of the object to each one of them. The valuation is denoted by a function \(v(\cdot )\) that takes the object and other observable information that might be specific and personalised to each participant as input and returns the value as a real number \(v^* \in \mathbb {R}^+\) (up to some fixed precision). For simplicity, we will refer to the valuation of player i as \(v_i\).

Cost. The cost defines the economic price that a participant in the auction pays depending on the outcome of the auction. It is denoted by a function c(b) that takes as input a bid b and returns the cost as a real number \(c^* \in \mathbb {R}^+\). We assume that the cost function is monotonously increasing with b.

Auction Model. An auction model describes the set of participants (bidders and sellers), the set of items up for sale and the rules regarding these items, and finally the value of each item for each bidder. The value of an item for each bidder is determined by the bidder’s capabilities, preferences, information, and beliefs or what can be collectively called as the type of each bidder. The model accounts for a mechanism and an environment. A mechanism consists of rules that govern what the participants are permitted to do and how these permitted actions determine outcomes. In this context, an environment comprises of the following: A list of the participants or potential participants, another of the possible outcomes, and another of the bidders’ possible types.

We consider a set of potential bidders \(B_I\) where \(I = \{1, 2,\ldots , n\}\). We assume that the types of each bidder are independently and identically distributed (i.i.d.), meaning that the types of each bidder are independent from one another while being from the same distribution. Finally, the utility of bidder \(B_i\) is characterised by a function \(u_i\) that depends on the bidder’s type and on the outcome of the auction.

2.3 Waiting-Time Auction

We first consider the mediated setting where an auction is conducted by a trusted auctioneer \(\mathbb {A}\) and a set of n bidders \((B_1, \dots , B_n)\). The auctioneer \(\mathbb {A}\) is entrusted with collecting bids from the bidders and awarding the reward to the winner. Moreover, after the bidding phase is over the auctioneer \(\mathbb {A}\) reveals the bids of all bidders.

We assume the time to be divided into discrete units which are known to all participants of the auction and to the auctioneer. The auction has several fixed parameters which we assume to be known to every participant: the auction good R of some economic value, a fixed token of participation Q in some arbitrary currency, the duration of each auction phase and the number of auction rounds.

The auction is composed of three phases, which we describe below.

  1. 1.

    Bidding Phase: In the bidding phase each bidder \(B_i\) sends its bid \(b_i\) along with the token of participation Q to the auctioneer \(\mathbb {A}\) through a confidential channel. After a fixed amount of time, \(\mathbb {A}\) announces the end of the bidding phase.

  2. 2.

    Opening Phase: Let \((b_1, \ldots , b_n)\) be the bids collected in the bidding phase of the same round, let \(b_\mathsf {max} = \max (b_1, \ldots , b_n)\). In case of ties \(b_\mathsf {max}\) is chosen according to some deterministic order.3 We denote by \(B_\mathsf {max}\) the bidder who sent the bid \(b_\mathsf {max}\). For all \(i \in \{1, \ldots n\} \setminus \mathsf {max}\), the auctioneer \(\mathbb {A}\) sends Q to \(B_i\), whereas \(\mathbb {A}\) sends (QR) to \(B_\mathsf {max}\) after \(b_\mathsf {max}\)-many units of time.

  3. 3.

    Winner Announcement: \(\mathbb {A}\) publicly announces the identity of the winner \(B_\mathsf {max}\), the amount \(b_\mathsf {max}\) and all other bids.

Bayesian Nash Equilibrium. A recent result of Leme et al.  [21] shows that sequential first-price auctions admit a subgame-perfect Nash equilibrium: This means that there exists a profile of bidding which is a Nash equilibrium in the single round case and, if we arbitrarily fix the outcomes of \(\ell \) rounds, the profile also remains a Nash equilibrium for the induced game. The only difference between our setting and the standard first-price auction is that the winning bidder does not pay directly her bid but has to wait time proportionate to it. If one views the cost of keeping some funds/investment locked for a certain time as the payment (also known as collateral cost), then our waiting-time auction can be cast in the more generic framework of first-price auctions and the existence of a Nash equilibrium follows from the following theorem.

Theorem 1

( [21]). Sequential first-price auction when a single item is auctioned in each round (assuming that after each round the bids of each agent become common knowledge) has a subgame-perfect equilibrium that does not use dominated strategies, and in which bids in each node of the game tree depend only on who got the item in the previous rounds.

3 Minting Mechanisms and Analysis

In this section we describe the basic minting for PoS systems and we show that with such a mechanism in place, rational users are always incentivised to hoard their stake. Later, in contrast to PoS minting, we show that our minting mechanism greatly mitigates this stake hoarding phenomenon. We refer the reader to Sect. 2.2 for a primer on auction theory and some basic definitions, and to Sect. 2.3 for the definition of waiting-time auction.

Utility-Preserving Allocation. To analyse the behaviour of minting mechanisms in relation to stake hoarding we introduce the concept of utility-preserving stake allocation, that is similar in spirits to the concept of Pareto efficiency4  [23]. Analogously to Pareto efficiency, we consider utility functions which assign utilities or benefits to stake allocations. Informally, a utility-preserving stake allocation (or distribution) is an allocation that allows a transition to a different stake allocation where no user decreases his own utility in the process. With this new concept in hand, it becomes possible to analyse if a particular distribution of stakes allows users to trade coins within the system and still maintain their utilities. We give a formal definition below.

Definition 1 (Utility-Preserving Transition)

Consider two stake allocations \(s= (s_1,\dots ,s_n)\) and \(s' = (s_1',\dots ,s_n')\) with \(\sum _i s_i = \sum _i s'_i = t\). We say a transition from \(s\) to \(s'\) is utility-preserving, if it holds for all \(i \in [n]\) that \(u_i(s'_i) \ge u_i(s_i)\).

Vanilla PoS Minting. In PoS systems, the stakeholders assume the role of consensus leaders and propose new blocks to extend the blockchain. These systems ensure that a stakeholder is chosen as the slot leader with probability proportional to one’s stake. As an incentive to propose a new block, the consensus leader collects fees from the transactions within the block. As the basic minting mechanism for PoS, we consider the scenario where the consensus leader is also allowed to mint new coins, similar to what happens in PoW systems (e.g., Bitcoin).

Specifically, consider a proof of stake system where a reward R is given to the consensus leader. Player i becomes consensus-leader with probability \(s_i/t\). Let \(X_i\) be a random variable which is 1 if player i is consensus leader and 0 otherwise, i.e. the payoff of player i is given by \(R \cdot X_i\). Consequently, it holds that \(E[R \cdot X_i] = R \cdot E[X_i] = R \cdot \Pr [X_i = 1] = R \cdot \frac{s_i}{t}\), i.e. we define \(u_i(s_i) = R \cdot \frac{s_i}{t}\).

In such a system, no non-trivial transition between two stake allocations is utility-preserving. This is shown by the following theorem.

Theorem 2

Let \(s= (s_1,\dots ,s_n)\) and \(s' = (s'_1,\dots ,s'_n)\) be stake allocations with \(\sum _i s_i = \sum _i s'_i = t\) and \(s\ne s'\). Then there exists a player \(i^*\) for which it holds that \(u_{i^*}(s'_{i^*}) < u_{i^*}(s_{i^*})\).


As \(s\ne s'\), there must exists a j with \(s_j \ne s'_j\). If \(s'_j < s_j\) we set \(i^*= j\) and it follows immediately that \(u_{i^*}(s'_{i^*}) = R \cdot s'_{i^*} / t < R \cdot s_{i^*}/t = u_{i^*}(s_{i^*})\). On the other hand, if \(s'_j > s_j\), there must be a k with \(s'_k < s_k\), as otherwise \(\sum _i s'_i > \sum _i s_i = t\). In this case, set \(i^*= k\) and the statement follows analogously.

Waiting-Time Auction Minting. In our proposal, minting is performed via a waiting time auction. Let \(X_j^i\) be a random variable which is 1 if player i wins in round j and 0 otherwise. Thus, the payoff of player i is \(R \cdot \sum _{j = 1}^\ell X_j^i\). We will assume that given that player i participates in the auction, his valuation, and therefore his probability of winning does not depend on the stake distribution. I.e. we can write \(E[X_j^i] = p_j^i\) for \(p_j^i\) that do not depend on \(s\). Therefore, it holds that \(E[R \cdot \sum _{j = 1}^\ell X_j^i] = R \cdot \sum _{j = 1}^\ell p_j^i\) and we can set \(u_i(s_i) = R \cdot \sum _{j = 1}^\ell p_j^i\).

In such a system, every transition of stake-allocations from \(s\) to \(s'\) for which it holds for all \(i \in [n]\) that \(s_i,s'_i \ge Q\) is utility-preserving. We call such systems quasi utility-preserving.

Theorem 3

Let \(s= (s_1,\dots ,s_n)\) and \(s' = (s'_1,\dots ,s'_n)\) be stake allocations with \(\sum _i s_i = \sum _i s'_i = t\). If it holds for all \(i \in [n]\) that \(s_i,s'_i \ge Q\), then it holds for all \(i \in [n]\) that \(u_i(s'_i) = u_i(s_i)\).


As it holds for each \(i \in [n]\) that \(s_i,s'_i \ge Q\), every player i can participate in the waiting-time auction bid according to their valuation, which is independent of \(s\) or \(s'\) respectively. The winner of the auction is therefore the same, regardless of whether the stake allocation is \(s\) or \(s'\). Consequently, the utilities are the same for \(s\) and \(s'\).

Interpreting the Results. Theorem 2 says that any distribution of stakes within a PoS system with the basic minting strategy will inevitably incentivise the hoarding of stakes, as trading coins will reduce the probability of receiving the newly minted coins. Therefore, users that trade their coins within the system (i.e., decrease their stake) will be losing utility.

In contrast, Theorem 3 says that our minting protocol based on waiting-time auctions mitigates the problem of hoarding; in fact, for each auction round a user is only incentivised to keep a stake of the size of a single participation token. In that case, the user can participate in the auction round, and the probability of winning the newly minted coins will be strictly based on the user’s own valuation. The rest of the stake can be traded into the system (among other users that can afford the participation token Q) without reducing the any user’s utility. The analysis carries over to any number of auction rounds; fix \(\ell \) auction rounds, then the user only needs to hoard \(Q\cdot \ell \) coins during the period of \(\ell \) auction rounds, and the remaining coins can be traded.

As an example, consider a user with a \(30\%\) stake in the system. In case of PoS based minting, to optimise his utility, the user holds his stake throughout the period of the system. In case of our minting, the user needs only a small number of coins Q to obtain the newly minted coins. After participating and winning \(\ell \) rounds, the user only has locked \(\ell \cdot Q\) amount of coins. He can freely trade the rest of the stake for his day-to-day usage. Figure 2 gives a pictorial representation. The dotted line represents holding the entire stake and the bars represent locking of participation tokens after winning \(\ell \) successive rounds of the auction. The space between the line and the bars (i.e., the grey region) represents the freely tradable stake.
Fig. 2.

The plot shows the best strategy of a user who wishes to maximise his chance of obtaining the newly minted coins. We consider a system with total number of coins \(t=100\), a user with 30 coins as his stake (i.e., stake ratio 0.3), and participation token \(Q = 2\) coins.

4 Our Minting Protocol

Our minting mechanism implements a first-price waiting-time auction on top of a blockchain system \(\varGamma \), and consists of discrete auction rounds \(j = (1,2,\ldots )\). Each auction round consists of two phases: A bidding phase and an opening phase. The bidding phase spans over a sequence of \(\alpha \) blocks whereas the opening phase spans over \(\beta \) blocks (see Fig. 3 for a pictorial description). The parameters \(\alpha \) and \(\beta \) are fixed throughout the execution of the system.
Fig. 3.

Diagram of the auction phases for each block in the blockchain. The bidding phase of an auction round begins immediately after the opening phase of the previous auction round ends.

Below we recall the cryptographic primitives used in our protocol and we refer the reader to the full version of this paper  [9] for formal definitions.

Non-interactive CCA-Commitment Schemes. A non-interactive tagged commitment scheme consists of a pair of randomised algorithms: a setup \(\mathsf {Setup}(1^\lambda )\), that takes as input the security parameter and outputs a common reference string \(\mathtt {crs}\), and a commitment \(\mathsf {Commit}(\mathtt {crs},\mathtt {addr}, m;r)\) that takes as input the \(\mathtt {crs}\), a tag/identity \(\mathtt {addr}\), a message m and random coins \(r\) and outputs a commitment \( com \). Loosely speaking, \( com \) should hide the message m, and it should be infeasible for anyone to show a valid set of coins \(r'\) that such that \(\mathsf {Commit}(\mathtt {crs},\mathtt {addr},m';r) = com \) for a different message \(m'\). Additionally, for such schemes it is not possible to “maul” commitments for one tag into commitments for another tag. Such commitment schemes can be constructed from standard SHA-256 commitments in the random oracle model  [4].

Time-Lock Puzzles. A time-lock puzzle allows one to conceal a value for a certain amount of time. The puzzle generation algorithm \(\mathsf {PGen}(1^\lambda ,\mathbf {T},m)\) takes as input a security parameter, a hardness-parameter \(\mathbf {T}\) and a message m, and outputs a puzzle \( tlp \). The puzzle \( tlp \) can be cracked using the solving algorithm \(\mathsf {PSolve}( tlp )\), which outputs m and a recovery proof \(\pi \). The proof can be verified with the corresponding verification algorithm \(\mathsf {PVer}( tlp , m, \pi )\). Time-lock puzzles guarantee that a puzzle can be solved in polynomial time, but strictly higher than \(\mathbf {T}\). Additionally, verifying a recovery proof shall be exponentially faster than solving the puzzle. Rivest, Shamir and Wagner  [30] proposed the first and only efficient candidate time-lock puzzle based on a variant of the RSA assumption. Boneh and Naor  [6] showed how to compute a recovery proof such that its verification is exponentially faster than solving the puzzle, which was lifted to the public-coin settings by Pietrzak  [29] and Wesolowski  [34].

Succinct Non-interactive Arguments. Let \(R:\{0,1\}^*\times \{0,1\}^*\rightarrow \{0,1\}\) be an \( NP \)-witness-relation with corresponding \( NP \)-language \(\mathcal {L}:= \{x:\exists w \text{ s.t. } R(x,w) = 1\}\). A succinct non-interactive argument (SNARG)  [24] system for R is initialised with a setup algorithm \(\mathsf {crsGen}(1^\lambda )\) that, on input of security parameter, outputs a common reference string \(\mathtt {crs}\). A prover can show the validity of a statement x with a witness w by invoking \(\mathsf {P}(\mathtt {crs},x,w)\), which outputs a proof \(\pi \). The proof can be efficiently checked by the verification algorithm \(\mathsf {V}(\mathtt {crs},x,\pi )\). We require a SNARG system to be sound: it is hard for any prover to convince a verifier of a false statement, and proofs to be succinct: size independent of x and w.

Communication Interface to Blockchain. We refer to  [9] for details on the underlying blockchain model. The protocol \(\varGamma \) provides the nodes with the following set of interfaces which have complete access to the network and its users.

  • \(\{\mathcal {CH}',\bot \} \leftarrow \varGamma .\mathsf {getChain}\): returns a longer \(\mathcal {CH}\) if it exists, otherwise returns \(\bot \).

  • \(\{0,1\} \leftarrow \varGamma .\mathsf {isChainValid}(\mathcal {CH})\): The validity checking takes as input a chain \(\mathcal {CH}\) and returns 1 iff the chain satisfies a (public) set of conditions.

  • \(\varGamma .\mathsf {postTx}(\mathtt {TxType}, dt )\): takes as input the transaction type information and the transaction data. It then constructs a transaction of type \(\mathtt {TxType}\) with data \( dt \), validate the transaction and include it in the next block.

  • \(\{\mathtt {txID},\bot \} \leftarrow \varGamma .\mathsf {isTxStable}(\mathcal {CH}, dt )\): takes as input a chain \(\mathcal {CH}\) and some transaction data \( dt \) and checks if the transaction containing \( dt \) is stabilised (w.r.t. the persistence property) in \(\mathcal {CH}\). If yes, then it returns the transaction id \(\mathtt {txID}\) within \(\varGamma \), otherwise it returns \(\bot \).5

  • \(\varGamma .\mathsf {broadcast}( dt )\): takes as input some data \( dt \) and broadcasts it in the network.

The nodes in the \(\varGamma \) protocol network have their own local chain \(\mathcal {CH}\) which are initialised with a common genesis block. The genesis block contains the information about the addresses of nodes and the spendable balances in each of them.

Winning Condition. Consider the following NP-language: where the function \(( bid ^\star ,i^\star ) \leftarrow \mathsf {max}\left( \{ bid _i\}_{i \in [1,\ell ]}\right) \) takes as input an ordered set of real numbers and returns the greatest number together with its index. If the output index is not unique, the function selects one deterministically according to some ordering (e.g., lexicographically). The discrete time units used to bid can be made arbitrarily fine grained to avoid collisions (ties) for the highest bid. Furthermore, observe that the choice of the function \(\mathsf {max}()\) can be generalised to any (efficiently computable) winning condition on the bids, which may have other applications beyond minting. Let \((\mathsf {crsGen}_{\mathsf {win}},\mathsf {P}_{\mathsf {win}},\mathsf {V}_{\mathsf {win}})\) be a SNARG system for the language \(\mathcal {L}_{\mathsf {win}}\). The global system parametersconsist of the auction parameters \((\alpha , \beta )\), the hardness \(\mathbf {T}\) (of the time-lock puzzle), a token value Q, a reward value \(R\), and a pair of common reference strings.
Chain Validity. In the following we describe the conditions that determine the validity of a chain in our system. The interface \(\mathsf {isChainValid}(\mathcal {CH}')\) takes as input a chain \(\mathcal {CH}'\) and validates all transactions in the chain according to certain rules. It returns 1 if and only if all of the transactions are valid. Users of the blockchain are indexed by addresses \(\mathtt {addr}\), which belong to a certain efficiently samplable domain \(\mathbb {A}\) (note that a node in the network may be associated with multiple addresses). We define the balance function \(\mathsf {bal}(\mathcal {CH},\mathtt {addr})\) that takes as input the chain \(\mathcal {CH}\) and an address \(\mathtt {addr}\) and returns the spendable balance associated with \(\mathtt {addr}\). The spendable balance is initially 0 for all addresses and it is modified by different types of transactions. We define the different types of transactions and describe how to validate each of them  [9].
Fig. 4.

Waiting-time auction-based minting protocol

4.1 Minting Protocol Description and Analysis

We give a formal description of our minting protocol in Fig. 4. The following theorem shows that our construction preserves the subgame-perfect Nash-equilibria of the mediated game. In other words, we formally argue that our protocol implements a waiting-time first-price auction on top of any blockchain (with its own set of incentives). Intuitively, the adversarial strategy that we want to prevent is that of suppressing higher bids. Since the bids are hidden with a commitment the adversary can only suppress bids at random (since bids for different auction rounds are also unlinkable). Therefore, the condition \(R \le m \cdot F\) ensures that it is more profitable for a miner to include all bids (thereby collecting fees) rather than dropping even one bid to increase its own probability in the auction. The case of ties has to be handled with special care since in this case the selection of the winner is arbitrary: We handle this by making the discrete time unit fine-grained enough so that collisions become very unlikely. It follows that all bids will eventually be posted in the blockchain. We defer the formal proof of Theorem 4 to the full version of the paper  [9].

Theorem 4 (Subgame-perfect Nash-equilibria)

Let m be the number of bidders in the auction, F be the transaction fee for each bid, and R be the reward. If \(R \le m \cdot F\) then the protocol of Fig. 4 implements a sequential mediated waiting-time auction.

4.2 Discussion on Different Adversarial Behaviours

We discuss the intuition behind how we prevent some of the common attacks against our minting protocol of Fig. 4. For detailed discussion of the choice of system parameters we refer the reader to the full version of the paper  [9].

(1) Bid Suppression: The most straightforward attack for the adversary is to suppress bids from a block during the bidding phase. By suppressing bids from a block, the adversary can increase its chances of winning the newly minted coins. As we show in the analysis of Theorem 4, this strategy has ultimately a decreasing payoff, and therefore will be avoided by the rational adversarial miner. The intuition behind this argument is that by suppressing bids, the adversary will be forfeiting the transaction fees incurred by the bid transactions, what would be less profitable than simply including all the bids and following the protocol.

(2) Denial-of-Coin: A denial-of-coin attack is when the adversary tries to stop the creation of new coins in the system. One way to achieve this goal is to bid an incredibly high amount of time (way above one’s valuation), such that the newly minted coins would remain locked (practically) forever. This is not a profitable attack for the rational adversary, since this strategy would quickly lock all funds of the adversary, eventually reestablishing the coin supply. Furthermore, the attacker must be heavily invested in the currency to launch such an attack and thus he is hurting primarily himself with this manoeuvre.

(3) Denial-of-Service: A possible denial-of-service attack is for the adversary to spam the network with many bid transactions in order to stall the network and avoid honest users from participating in the bidding process. Our protocol avoids this by charging a transaction fee for each bid posted. In that way, for the adversary to be able to spam the network he would have to decrease his payoff significantly.

Another vector of attack to slow down the network is to post (well-formed) bids but not their openings. This causes the miners to incur in additional computational efforts to brute-force the time-lock puzzles. This attack can be prevented using the recently introduced homomorphic time-lock puzzles  [22].

(4) Mint Suppression: This attack happens when the miner refuses to include a valid minting transaction into the block being mined. Such an attack is not rational for any miner because at this point of the execution the winner is already determined, although not yet announced. The miner cannot change the winner of the auction and therefore does not gain any advantage by denying to accept the minting transaction.

(5) Malformed Bids: An attacker could see posting inconsistent time-lock puzzles as an opportunity to slow down the system, since miners need to solve a time-lock puzzle to eventually realise that the bid is not well-formed. As shown in our analysis in the full version of this paper  [9], this behaviour is not profitable for any attacker, since any miner who fails to solve a malformed time-lock puzzle can produce a recovery proof and steal the participation token of the bidder.

5 Implementation

We report a python 3 proof-of-concept implementation of our protocol from Fig. 4. Our benchmarking was performed in a virtual environment on a Linux server with specifications: Intel Xeon Gold 6132 CPU (32 cores) @ 2.60 GHz, 64 GB of RAM, Debian Linux 4.9.0-6-amd64 and Python 3.6.4, fastecdsa 1.6.4, and the latest libSNARK. As in Bitcoin, we use the ECDSA signature scheme over the elliptic curve \(\mathtt {secp256k1}\) which has a signature of size 65-bytes, private key of size 32-bytes and public-key of size 65-bytes.

Special Transactions. The commitment to bids in bid transactions are implemented as SHA-256 commitments computed using the libSNARK SHA-256 hash function. The average size for a bid transaction (including input and output) in our prototype is 289 bytes. The unveil information for the commitments are the bid itself and the randomness. The size of a mint transaction is approximately 252-bytes, where it contains no inputs but two outputs. The first output contains a 137-byte SNARG proof, along with the highest bid (8-bytes), and the commitment to the highest bid (32-bytes), thus adding to a total of 177-bytes. The second output is a pay-to-pubkey-lock type transaction, that is a standard pay-to-pubkey transaction with a lock-time corresponding to the value of the winning bid. The measurements are summarized in Table 1.

Time-Lock Puzzles. We implement the RSW time-lock puzzles (combined with Pietrzak’s proofs), which leverage repeated squaring as a non-parallelisable operation. We conservatively set the hardness parameter \(\mathbf {T}\) to be \(2^{35}\), which keeps the \( tlp \) locked for more than 15 h with our hardware. We instantiate the \( tlp \) with an RSA modulus of 512 bits, which we estimate to be sufficient for hiding a value for less than a day.

LibSNARK. For the SNARG in the mint transactions we use the libSNARK  [20] implementation of the system described in  [14]. We build a python wrapper around the libSNARK argument system and use it as a shared library. In our prototype we run tests for up to 750 bids in each auction round and produce a proof of the auction winner.
Fig. 5.

The graphs show the average time to generate/verify a SNARG in a mint transaction. The average is taken over the run of 100 experiments for each parameter value. The error bars display the standard deviation of the measurements.

5.1 Benchmarking

We measure the time to generate and to verify SNARG proofs for a mint transaction varying the number of bids considered in each auction round. For each experiment we generate fresh bid commitments and we run 100 iterations of each experiment, taking the average time among all the iterations. The results of the experiments shown in Fig. 5 were measured considering the wait time, and with the libSNARK multicore mode enabled (32 cores). The graph on the left of Fig. 5 shows outlier points for 300 and 600 bids; this is due to parallelisation. We discuss in further details several optimizations and other aspects of our evaluation in the full version of this paper  [9].


  1. 1.

    Unless explicitly said differently, we always refer to “stake” as the available balance of each user in the system.

  2. 2.

    We refer to cryptocurrencies the digital currencies that are aimed to be used as an utility token (i.e., mimic the behavior of fiat currency) and as cryptoassets the tokens that are aimed to be used as a store of value.

  3. 3.

    E.g., lexicographical in the commitments of the bidders.

  4. 4.

    Pareto efficiency is a common notion in game and economic theory used to determine if a particular allocation of resources within a set of players is optimal or not.

  5. 5.

    Note that Nakamoto-style consensus guarantees only stability with high probability assuming a bound on the adversary’s fraction of resources within the system, which suffices for our analysis.


  1. 1.
    Mining hardware comparison (2017).
  2. 2.
    Badertscher, C., Garay, J., Maurer, U., Tschudi, D., Zikas, V.: But why does it work? A rational protocol design treatment of Bitcoin. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 34–65. Springer, Cham (2018). Scholar
  3. 3.
    Badertscher, C., Gazi, P., Kiayias, A., Russell, A., Zikas, V.: Ouroboros genesis: composable proof-of-stake blockchains with dynamic availability. In: Lie, D., Mannan, M., Backes, M., Wang, X.F. (eds.) ACM CCS 2018, pp. 913–930. ACM Press (October 2018)Google Scholar
  4. 4.
    Bellare, M., Rogaway, P.: Random oracles are practical: a paradigm for designing efficient protocols. In: Denning, D.E., Pyle, R., Ganesan, R., Sandhu, R.S., Ashby, V. (eds.) ACM CCS 93, pp. 62–73. ACM Press (November 1993)Google Scholar
  5. 5.
    Blass, E.-O., Kerschbaum, F.: Strain: a secure auction for Blockchains. In: Lopez, J., Zhou, J., Soriano, M. (eds.) ESORICS 2018. LNCS, vol. 11098, pp. 87–110. Springer, Cham (2018). Scholar
  6. 6.
    Boneh, D., Naor, M.: Timed commitments. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 236–254. Springer, Heidelberg (2000). Scholar
  7. 7.
    Carlsten, M., Kalodner, H.A., Weinberg, S.M., Narayanan, A.: On the instability of bitcoin without the block reward. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 154–167. ACM Press (October 2016)Google Scholar
  8. 8.
    David, B., Gaži, P., Kiayias, A., Russell, A.: Ouroboros Praos: an adaptively-secure, semi-synchronous proof-of-stake blockchain. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 66–98. Springer, Cham (2018). Scholar
  9. 9.
    Deuber, D., Dttling, N., Magri, B., Malavolta, G., Thyagarajan, S.A.K.: Minting mechanisms for blockchain - or - moving from cryptoassets to cryptocurrencies. Cryptology ePrint Archive, Report 2018/1110 (2018)Google Scholar
  10. 10.
    Dziembowski, S., Faust, S., Kolmogorov, V., Pietrzak, K.: Proofs of space. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 585–605. Springer, Heidelberg (2015). Scholar
  11. 11.
    Eyal, I., Sirer, E.G.: Majority Is not enough: bitcoin mining is vulnerable. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 436–454. Springer, Heidelberg (2014). Scholar
  12. 12.
    Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol with chains of variable difficulty. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 291–323. Springer, Cham (2017). Scholar
  13. 13.
    Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015). Scholar
  14. 14.
    Groth, J.: On the size of pairing-based non-interactive arguments. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 305–326. Springer, Heidelberg (2016). Scholar
  15. 15.
    Halpern, J.Y., Pass, R.: Algorithmic rationality: game theory with costly computation. J. Econ. Theor. 156, 246–268 (2015)MathSciNetCrossRefGoogle Scholar
  16. 16.
    Hayes, A.: Why is deflation bad for the economy? Investopedia (2019).
  17. 17.
    Hummel, J.R.: Death and taxes, including inflation: the public versus economists. Econ. J. Watch 4(1), 46 (2007)Google Scholar
  18. 18.
    Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017). Scholar
  19. 19.
    Kosba, A.E., Miller, A., Shi, E., Wen, Z., Papamanthou, C.: Hawk: the blockchain model of cryptography and privacy-preserving smart contracts. In: 2016 IEEE Symposium on Security and Privacy, pp. 839–858. IEEE Computer Society Press (May 2016)Google Scholar
  20. 20.
    Wang, S.: Microeconomic Theory. STBE. Springer, Singapore (2018). Scholar
  21. 21.
    Leme, R.P., Syrgkanis, V., Tardos, É.: Sequential auctions and externalities. In: Proceedings of the Twenty-Third Annual ACM-SIAM Symposium on Discrete Algorithms, pp. 869–886. Society for Industrial and Applied Mathematics (2012)Google Scholar
  22. 22.
    Malavolta, G., Thyagarajan, S.A.K.: Homomorphic time-lock puzzles and applications. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11692, pp. 620–649. Springer, Cham (2019). Scholar
  23. 23.
    Wang, S.: Microeconomic Theory. STBE. Springer, Singapore (2018). Scholar
  24. 24.
    Micali, S.: Computationally sound proofs. SIAM J. Comput. 30(4), 1253–1298 (2000)MathSciNetCrossRefGoogle Scholar
  25. 25.
    Nakamoto, S.: Bitcoin: A Peer-to-Peer Electronic Cash System (2008)Google Scholar
  26. 26.
    Nayak, K., Kumar, S., Miller, A., Shi, E.: Stubborn mining: generalizing selfish mining and combining with an eclipse attack. In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 305–320. IEEE (2016)Google Scholar
  27. 27.
    Pass, R., Seeman, L., Shelat, A.: Analysis of the blockchain protocol in asynchronous networks. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 643–673. Springer, Cham (2017). Scholar
  28. 28.
    Pass, R., Shi, E.: FruitChains: a fair blockchain. In: Schiller, E.M., Schwarzmann, A.A. (eds.) 36th ACM PODC, pp. 315–324. ACM (July 2017)Google Scholar
  29. 29.
    Pietrzak, K.: Simple verifiable delay functions. In: ITCS (2019)Google Scholar
  30. 30.
    Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto. Technical report, Cambridge, MA, USA (1996)Google Scholar
  31. 31.
    Sattarov, K.: Inflation and economic growth. Analyzing the threshold level of inflation-Case study of Finland, 1980–2010 (2011)Google Scholar
  32. 32.
    Thomson, I.: Parity: The bug that put \$169m of ethereum on ice? Yeah, it was on the todo list for months. The Register (2017).
  33. 33.
    Tsiang, S.C.: A critical note on the optimum supply of money. In: Finance Constraints and the Theory of Money, pp. 331–348. Elsevier (1989)Google Scholar
  34. 34.
    Wesolowski, B.: Efficient verifiable delay functions. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 379–407. Springer, Cham (2019). Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.Friedrich-Alexander-Universität Erlangen-NürnbergErlangenGermany
  2. 2.CISPA Helmholtz CenterSaarbrückenGermany
  3. 3.Concordium Blockchain Research CenterAarhus UniversityAarhusDenmark
  4. 4.UC BerkeleyBerkeleyUSA
  5. 5.Carnegie Mellon UniversityPittsburghUSA

Personalised recommendations