A short note on privacy-preserving proof-of-stake protocols

Since privacy-preserving PoS is a new concept, relatively few literature can be found on this topic. The privacy issues the existing solutions [TKKZ19, COT19] intend to resolve are actually quite similar. The underlying PoS scheme divides the system lifetime into several slots and uses voting in each slot to elect a leader, who will be responsible for producing the next block. Unfortunately, the current PoS scheme reveals both the election winner identity and his/her stake. Both solutions intend to hide the election winner identity and his/her wealth and also ensure the adversary cannot link the winner identity in two different election slots if a single stakeholder wins the election in both slots. The frequency information of an election winner is privacy-sensitive since it reveals the proportion of his/her wealth as shown in [COT19].

Zero-knowledge proof plays a central role in both cases although the design routes taken by the two works are slightly different. This is not surprising given the fact that zero-knowledge proof has a long history of playing an important role in the privacy-preserving e-voting system as mentioned in the aforementioned examples such as linkable ring signature and range proof.

Ouroboros crypsinous [TKKZ19] adopts a Zerocash-style approach to hide the stake amount of both the voter and election winner. The voters’ stake will be hidden in a commitment, and since the elected leader wins the election only when a pseudorandom function evaluation over his/her coin secret is smaller than a certain threshold, a non-interactive zero-knowledge proof (NIZK) is applied to prove the correctness of this statement in conjunction with the fact that the respective stake is unspent. As a matter of fact, the NIZK scheme for this statement can be easily constructed based on the NIZK statement of Pour operation of the Zerocash scheme.

How to guarantee the unlinkability of the election winner identities while still preventing a potential double-spending attack remains a challenge. The proposal applies a serial number to prevent the double-spending attack. Since an identical winner of two slots could very likely use the same coin to win the election, and hence the same winner serial number could link the winner identity in different slots. Ouroboros crypsinous proposes using a deterministically evolving serial number to sever this link and adopts NIZK to make sure that the serial number evolves correctly and the election winner is legit without revealing the link. One might wonder why the adversary cannot link the winner identity in different time slots if the respective serial number is deterministically dependent. Well, the winner in each slot is required to use his/her secret key to generate the serial number of the next slot, and hence it is only from the winner’s perspective this process is deterministic (due to the knowledge of the secret key) while it looks entirely random to an outsider.

The core innovation of [COT19] is a new anonymous verifiable random function scheme in which the coin for the voting stake will be re-randomized at the end of each slot. NIZK is used for proving the fact that there exists a valid old coin such that it is the precursor of this new coin and its owner has a stake that wins the election. Since exactly which old coin is the winner is not revealed due to the usage of NIZK, the unlinkability can be guaranteed. In addition, this work also exploits the independent aggregation property of a special leader election predicate function to improve the efficiency of their proposed NIZK scheme.

[TKKZ19] Kerber, Thomas, Aggelos Kiayias, Markulf Kohlweiss, and Vassilis Zikas. “Ouroboros crypsinous: Privacy-preserving proof-of-stake.” In 2019 IEEE Symposium on Security and Privacy (SP), pp. 157–174. IEEE, 2019.

[COT19] Ganesh, Chaya, Claudio Orlandi, and Daniel Tschudi. “Proof-of-Stake Protocols for Privacy-Aware Blockchains.” In Annual International Conference on the Theory and Applications of Cryptographic Techniques, pp. 690–719. Springer, Cham, 2019.