
$> 1 - e^{-\Omega(t)}$. That is, by picking $\delta$, $\delta'$, and $\delta''$ sufficiently small, we have

\[
\Pr\Big[\mu \ge 1 - (1+\delta)\frac{(\alpha+\beta)\tilde\beta}{\hat\gamma}\Big] > 1 - e^{-\Omega(t)}
\]

for any $\delta > 0$. This completes the proof.

Now we are ready to prove the chain quality property for consecutive blocks on a chain.

Reminder of Theorem 4.2. We assume $\hat\gamma = \hat\lambda(\alpha+\beta)\tilde\beta$ and $\hat\lambda > 1$. For any $\delta > 0$, consider protocol $\Pi = (\Pi_w, \Pi_s)$ in Section 3.2. For any honest PoS-holder $S \in \{S_{n+1}, \ldots, S_{n+\tilde n}\}$ with PoS-chain $\tilde C$ in $\mathrm{EXEC}_{(\Pi_w,\Pi_s),\mathcal A,\mathcal Z}$, the probability that, for large enough $\ell$ consecutive PoS-blocks of $\tilde C$ generated in $s$ rounds, the ratio of honest blocks is no less than $\mu = 1 - (1+\delta)\frac{(\alpha+\beta)\tilde\beta}{\hat\gamma}$ is at least $1 - e^{-\Omega(\ell)}$.

Proof. Let $t$ be the number of rounds in which the $\ell$ blocks are generated. From Lemma 4.22, we have $\Pr[t > c\ell] > 1 - e^{-\Omega(\ell)}$.

From Lemma 4.23, the ratio of honest PoS-blocks in $t$ consecutive rounds containing $\ell$ PoS-blocks is $\mu \ge 1 - (1+\delta)\frac{(\alpha+\beta)\tilde\beta}{\hat\gamma}$ with probability at least $1 - e^{-\Omega(t)}$.

Putting them together, since $t > c\ell$ except with probability $e^{-\Omega(\ell)}$, the overall probability is at least $1 - e^{-\Omega(\ell)}$. This completes the proof.

4.6 Achieving the Common Prefix Property

We now turn our attention to proving the common prefix property for the PoS-chain (Definition 2.4) of the proposed protocol. The concrete statement can be found in Theorem 4.3.

Before the formal proof, we give some informal proof ideas.

• First, from the assumption, we know that if the malicious parties do not get any help from the honest parties, then they cannot produce PoS-blocks faster than the honest parties. That means that if the malicious parties keep a forked chain-pair hidden and try to extend it by themselves, then the growth rate of the hidden chain-pair is on average smaller than the growth rate of the public longest chain-pair.

Over an extended period of time, the hidden chain-pair will therefore be shorter than the public chain-pair with overwhelming probability.

• Second, we assume that in most rounds no new block is generated. Hence in most rounds no new chain leads the honest players to take divergent views, and the honest players converge after a few silent rounds. If the adversary wants to keep them divergent, it must send new blocks during the silent rounds, and it does not have enough resources to do so.

Recall the definition of the best public PoS-chain. The best public chain $\tilde C$ is such that (a) $\tilde C$ has been received by all of the honest players, which is what public means, and (b) $\tilde C$ is the best one among all public chains. This implies that no honest player will take any chain worse than the best public chain in any round. Next we prove that if the adversarial players hide some blocks of a chain, the hidden chain will be worse than the best public chain with high probability once the hidden part is long. This lemma implies that if the adversarial players keep some blocks private, those blocks will soon become useless, so the adversarial players cannot stockpile many hidden blocks to destroy the best PoS-chain later.

Lemma 4.24. Let $\hat\gamma = \hat\lambda\hat\beta$ and $\hat\lambda > 1$. For any $\delta > 0$, consider the execution $\mathrm{REAL}(\sigma)$. Let $\tilde C$ be the PoS-chain of the best public chain-pair in round $r$. Let $\tilde C'$ be the PoS-chain of a hidden valid chain-pair in round $r$. Let $\ell$ be the length of the hidden part of $\tilde C'$. We have $\Pr[\mathrm{len}(\tilde C) > \mathrm{len}(\tilde C')] > 1 - e^{-\Omega(\ell)}$.

Proof. Let round $s = r - t$ be the round in which the last public block of $\tilde C'$ was generated. From Lemma 4.22, the $\ell$ hidden blocks need $t$ rounds to generate with probability at least $1 - e^{-\Omega(\ell)}$; that is, $\Pr[t > c\ell] > 1 - e^{-\Omega(\ell)}$.

The hidden blocks are contributed by adversarial players only (otherwise they would not be hidden). Thus the growth of the hidden blocks falls under Case 2. In $t$ rounds, the adversarial players generate $\hat\beta t$ PoS-blocks on average. Let $X$ be the number of adversarial blocks generated in $t$ rounds; by the Chernoff bound, we have

\[
\Pr[X > (1+\delta)\hat\beta t] < e^{-\Omega(t)}.
\]

From Theorem 4.1, during $t$ rounds the best public PoS-chain increases by $Y > (1-\delta)\hat\gamma t$ blocks with probability at least $1 - e^{-\Omega(t)}$. For $\hat\gamma = \hat\lambda\hat\beta$ with $\hat\lambda > 1$, choosing $\delta$ small enough that $(1-\delta)\hat\lambda > 1+\delta$ gives

\[
\Pr[X < Y] > 1 - e^{-\Omega(t)} \ge 1 - e^{-\Omega(\ell)},
\]

where the last step uses $t > c\ell$. Denote chain $\tilde C'$ at round $s$ by $\tilde C'_s$. Since $\tilde C'_s$ was public at round $s$ and the hidden part of $\tilde C'$ consists of at most $X$ blocks, we have

\[
\mathrm{len}(\tilde C) \ge \mathrm{len}(\tilde C'_s) + Y > \mathrm{len}(\tilde C'_s) + X \ge \mathrm{len}(\tilde C')
\]

with probability at least $1 - e^{-\Omega(\ell)}$.
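To put the $e^{-\Omega(\ell)}$ bound of Lemma 4.24 in numbers, here is an added example (not from the paper) that computes $\Pr[X < Y]$ exactly under a simplified model: in each of $t$ rounds the public chain gains a block with probability $\hat\gamma$ and the adversary gains a hidden block with probability $\hat\beta$, independently, so $Y \sim \mathrm{Bin}(t, \hat\gamma)$ and $X \sim \mathrm{Bin}(t, \hat\beta)$. The per-round Bernoulli model, the sample rates $0.10$ and $0.05$ (so $\hat\lambda = 2$), and the function names are ours, not the paper's.

```python
"""Added example (not from the paper): exact tail probability for the race in
Lemma 4.24 between the best public PoS-chain and an adversary's hidden chain.

Modelling assumption (ours, not the paper's): over t rounds the public chain
gains Y ~ Bin(t, gamma_hat) PoS-blocks and the adversary gains
X ~ Bin(t, beta_hat) hidden blocks, independently, at most one per round per
side. gamma_hat = lambda_hat * beta_hat with lambda_hat > 1 as in the lemma.
"""


def binom_pmf(n: int, p: float) -> list:
    """pmf of Bin(n, p) as a list indexed by k, via the ratio recurrence
    pmf[k+1] = pmf[k] * (n-k)/(k+1) * p/(1-p), which avoids huge binomial
    coefficients for large n."""
    if p <= 0.0:
        return [1.0] + [0.0] * n
    if p >= 1.0:
        return [0.0] * n + [1.0]
    pmf = [0.0] * (n + 1)
    pmf[0] = (1.0 - p) ** n
    ratio = p / (1.0 - p)
    for k in range(n):
        pmf[k + 1] = pmf[k] * (n - k) / (k + 1) * ratio
    return pmf


def prob_public_outgrows_hidden(gamma_hat: float, beta_hat: float, t: int) -> float:
    """Pr[X < Y] for Y ~ Bin(t, gamma_hat), X ~ Bin(t, beta_hat) independent:
    the probability that the public chain grows by strictly more blocks than
    the adversary can hide in the same t rounds."""
    py = binom_pmf(t, gamma_hat)
    px = binom_pmf(t, beta_hat)
    cdf_x = []  # cdf_x[k] = Pr[X <= k]
    acc = 0.0
    for v in px:
        acc += v
        cdf_x.append(acc)
    # Pr[X < Y] = sum_y Pr[Y = y] * Pr[X <= y - 1]
    return sum(py[y] * cdf_x[y - 1] for y in range(1, t + 1))


def rounds_until_failure_below(gamma_hat: float, beta_hat: float,
                               target: float, t_max: int = 2000) -> int:
    """Smallest t <= t_max such that Pr[X >= Y] <= target: how long the
    adversary can keep blocks hidden before the hidden chain falls behind the
    public one except with probability `target`. Returns -1 if t_max is
    not enough."""
    for t in range(1, t_max + 1):
        if 1.0 - prob_public_outgrows_hidden(gamma_hat, beta_hat, t) <= target:
            return t
    return -1


if __name__ == "__main__":
    # lambda_hat = 2: the honest side produces blocks twice as fast as the adversary.
    for t in (25, 50, 100, 200, 400):
        p = prob_public_outgrows_hidden(0.10, 0.05, t)
        print(f"t={t:4d}  Pr[X < Y] = {p:.6f}  failure = {1 - p:.2e}")
    print("rounds for failure <= 1e-3:",
          rounds_until_failure_below(0.10, 0.05, 1e-3))
```

The failure probability $\Pr[X \ge Y]$ shrinks exponentially in $t$, which is what the lemma's $e^{-\Omega(\ell)}$ expresses once $t > c\ell$; with equal rates ($\hat\lambda = 1$) the function never exceeds $1/2$, so the $\hat\lambda > 1$ assumption is doing the work.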

We first prove the common prefix property for any t consecutive rounds. The proof intuition is as follows:

• We assume $\alpha + \beta \ll 1$; that is, in most rounds the players do not generate a block.

• If only honest players broadcast a new PoW-block, then within $2\Delta$ silent rounds all honest players adopt the same best chain-pair (or PoS-chain), unless adversarial players send new valid blocks.

• If $(\alpha+\beta)\Delta \ll 1$, then in most rounds no new messages are broadcast.

• Starting from any round, the honest players therefore frequently have opportunities to adopt a unique best chain-pair (or PoS-chain). If the adversarial players want to keep them divergent, they must broadcast new valid blocks at every such opportunity.

• We prove that, under our assumption, the adversarial players do not have enough resources to do so.

Lemma 4.25. Let $\hat\alpha = \hat\lambda(\alpha+\beta)\tilde\beta$, $\hat\lambda > 1$, and $(\alpha+\beta)\Delta \ll 1$. Assume $0 < \delta, \delta', \delta'', \delta''' < 1$ and consider the execution $\mathrm{REAL}(\sigma)$. Except with probability $e^{-\Omega(t)}$, there do not exist rounds $r \le r'$ and PoS-holders $S_i, S_j$ such that $S_i$ is honest at $r$, $S_j$ is honest at $r'$, and $\tilde C_i^{r}$ and $\tilde C_j^{r'}$ diverge at round $s = r - t$.

Proof. For each round $k$, we define a random variable $X_k$: if round $k$ is both a pure successful round and a silent round, and round $k + 2\Delta$ is also a silent round, then $X_k = 1$; otherwise $X_k = 0$. Let $X = \sum_k X_k$.

Let $X'$ be the number of pure successful rounds in $t$ rounds. By Lemma 4.13, $X'$ is $(\alpha - \alpha^2)t$ on average. By the Chernoff bound, we have

\[
\Pr[X' < (1-\delta)(\alpha-\alpha^2)t] < e^{-\Omega(t)}.
\]

Let $X''$ be the number of rounds which are both pure successful rounds and silent rounds. The event that a round is a pure successful round is independent of the event that it is a silent round. By Lemma 4.15, we have

\[
\Pr[X'' < (1-\delta)(\alpha-\alpha^2)t\,(1 - 2(1+\delta')(\alpha+\beta)\Delta)] < e^{-\Omega(t)}.
\]

For $(\alpha+\beta)\Delta \ll 1$ and $\alpha \ll 1$, there exists $\delta''$ such that

\[
\Pr[X'' < (1-\delta'')\alpha t] < e^{-\Omega(t)}.
\]

Round $k$ is also independent of the event that round $k+2\Delta$ is a silent round. Again by Lemma 4.15, we have

\[
\Pr[X < (1-\delta''')\alpha t] < e^{-\Omega(t)}.
\]

If $X_k = 1$, the block generated in round $k$ is mapped to an honest stakeholder with probability $\tilde\alpha$. We use a random variable $Y_k$ for round $k$: if $X_k = 1$ and the newly generated block is mapped to an honest stakeholder, then $Y_k = 1$; otherwise $Y_k = 0$. Let $Y = \sum_k Y_k$. We have

\[
\Pr[Y < (1-\delta''')\alpha\tilde\alpha t] < e^{-\Omega(t)}.
\]

If $Y_k = 1$, all honest players converge to a unique PoS-chain unless adversarial players send a new block in the next $2\Delta$ rounds. This is because (a) at round $k$ all honest players hold best PoS-chains of the same length, and (b) at round $k$ the newly extended PoS-block increases the best public PoS-chain by one block. If no adversarial player sends a new chain $\tilde C'$ of at least the same length, all honest parties receive the new PoS-chain within $2\Delta$ rounds and take it as the best chain. The last block of such a $\tilde C'$ must be generated by adversarial players, because $\tilde C'$ is longer than the best public PoS-chain of the honest players.

Let $Z'$ be the number of blocks generated by adversarial players in $t$ consecutive rounds. We have $Z' = (\alpha+\beta)\tilde\beta t$ on average. By the Chernoff bound, $\Pr[Z' > (1+\delta)(\alpha+\beta)\tilde\beta t] < e^{-\Omega(t)}$. From Lemma 4.24, before round $s$ the adversarial players can hide at most $\kappa$ blocks, with overwhelming probability in $\kappa$. Let $Z = Z' + \kappa$; the adversarial players can use at most $Z$ new blocks to spoil the $Y$ convergence opportunities.

If $t$ is large enough, there is a $\delta'$ such that $\Pr[Z > (1+\delta')(\alpha+\beta)\tilde\beta t] < e^{-\Omega(t)}$.

Putting them together, $Y > (1-\delta''')\alpha\tilde\alpha t$ and $Z < (1+\delta')(\alpha+\beta)\tilde\beta t$ with probability at least $1 - e^{-\Omega(t)}$. By the assumption $\alpha\tilde\alpha = \hat\lambda(\alpha+\beta)\tilde\beta$ with $\hat\lambda > 1$, and with $\delta'$, $\delta'''$ chosen small enough that $(1-\delta''')\hat\lambda > 1 + \delta'$, we have

\[
\begin{aligned}
Y - Z &> (1-\delta''')\alpha\tilde\alpha t - (1+\delta')(\alpha+\beta)\tilde\beta t \qquad (2)\\
      &= \big((1-\delta''')\hat\lambda - (1+\delta')\big)(\alpha+\beta)\tilde\beta t \\
      &> 0.
\end{aligned}
\]

This implies that, with probability at least $1 - e^{-\Omega(t)}$, the adversarial players cannot prevent the best chain-pair (or PoS-chain) from converging during the $t$ consecutive rounds. If at round $r$ the chains $\tilde C_i^{r}$ and $\tilde C_j^{r}$ are not divergent, then $\tilde C_i^{r}$ and $\tilde C_j^{r'}$ are not divergent. Hence $\tilde C_i^{r}$ and $\tilde C_j^{r'}$ diverge with probability at most $e^{-\Omega(t)}$.

We are now ready to prove the main theorem, which asserts that our protocol achieves the common-prefix property with overwhelming probability in the security parameter $\kappa$. The theorem is formally given as follows.

Reminder of Theorem 4.3. We assume $\hat\alpha = \hat\lambda(\alpha+\beta)\tilde\beta$ and $\hat\lambda > 1$. For any $\delta > 0$, consider protocol $\Pi = (\Pi_w, \Pi_s)$ in Section 3.2. Let $\kappa$ be the security parameter. For any two honest PoS-holders $S_i$ in round $r$ and $S_j$ in round $r'$, with local best PoS-chains $\tilde C_i$ and $\tilde C_j$, respectively, in $\mathrm{EXEC}_{(\Pi_w,\Pi_s),\mathcal A,\mathcal Z}$ where $r \le r'$ and $i, j \in \{n+1, \ldots, n+\tilde n\}$, the probability that $\tilde C_i[1, \ell_i] \preceq \tilde C_j$ where $\ell_i = \mathrm{len}(\tilde C_i) - \Theta(\kappa)$ is at least $1 - e^{-\Omega(\kappa)}$.

Proof. From Lemma 4.25, the probability that $\tilde C_i$ and $\tilde C_j$ diverge at round $s = r - t$ is at most $e^{-\Omega(t)}$.

In $t$ consecutive rounds, the total number of PoS-blocks produced is bounded by $(1+\delta)(\alpha+\beta)(\tilde\alpha+\tilde\beta)t$ with probability at least $1 - e^{-\Omega(t)}$. Let $t = \frac{\kappa}{(1+\delta)(\alpha+\beta)(\tilde\alpha+\tilde\beta)}$. Then $\tilde C_i$ is a prefix of $\tilde C_j$ except for the last $\kappa$ blocks with probability at least $1 - e^{-\Omega(\kappa)}$.

Acknowledgement

We thank Thomas Veale for making the pictures for our paper, and for his helpful discussions.

The last author Hong-Sheng Zhou would like to thank Alexander Chepurnoy for his valuable discussions and feedback, and his encouragement for pursuing this work. Hong-Sheng would also like to thank Juan Garay and Aggelos Kiayias for answering his questions on the Bitcoin backbone paper, and Jeremiah Blocki, Jonathan Katz, Babis Papamanthou, and Vassilis Zikas for their helpful discussions at an early stage of this project.

References

[1] TwinsCoin source code. https://bitbucket.org/TwCoin/twinscoin.

[2] A. Back. Hashcash — A denial of service counter-measure. 2002. http://hashcash.org/papers/hashcash.pdf.

[3] M. Bellare and P. Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In Proceedings of the 1st ACM Conference on Computer and Communications Security, CCS '93, pages 62–73. ACM, 1993.

[4] I. Bentov, A. Gabizon, and A. Mizrahi. Currencies without proof of work. In Bitcoin Workshop-Financial Cryptography and Data Security (FC), 2016.

[5] I. Bentov, C. Lee, A. Mizrahi, and M. Rosenfeld. Proof of activity: Extending bitcoin’s proof of work via proof of stake [extended abstract]. SIGMETRICS Perform. Eval. Rev., 42(3):34–37, Dec. 2014.

[6] I. Bentov, R. Pass, and E. Shi. Snow white: Provably secure proofs of stake. In Cryptology ePrint Archive, Report 2016/919, 2016. http://eprint.iacr.org/2016/919.

[7] Bitcointalk. Proof of stake instead of proof of work. July 2011. Online post by QuantumMechanic, available athttps://bitcointalk.org/index.php?topic=27787.0.

[8] R. Canetti. Security and composition of multiparty cryptographic protocols. Journal of Cryptology, 13(1):143–202, 2000.

[9] R. Canetti. Universally composable security: A new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067, 2000. http://eprint.iacr.org/2000/067.

[10] R. Canetti. Universally composable signatures, certification and authentication. Cryptology ePrint Archive, Report 2003/239, 2003. http://eprint.iacr.org/2003/239.

[11] R. Canetti, O. Goldreich, and S. Halevi. The random oracle methodology, revisited (preliminary ver-sion). In 30th ACM STOC, pages 209–218. ACM Press, May 1998.

[12] R. Canetti and T. Rabin. Universal composition with joint state. In D. Boneh, editor, CRYPTO 2003, volume 2729 of LNCS, pages 265–281. Springer, Heidelberg, Aug. 2003.

[13] D. Chaum. Blind signatures for untraceable payments. In D. Chaum, R. L. Rivest, and A. T. Sherman, editors, CRYPTO’82, pages 199–203. Plenum Press, New York, USA, 1982.

[14] A. Chepurnoy, T. Duong, L. Fan, and H.-S. Zhou. Twinscoin: A cryptocurrency via proof-of-work and proof-of-stake. In Cryptology ePrint Archive, Report 2017/232, 2017. https://eprint.iacr.org/2017/232.

[15] CryptoManiac. Proof of stake. NovaCoin wiki, 2014. https://github.com/novacoin-project/novacoin/wiki/Proof-of-stake.

[16] C. Dwork and M. Naor. Pricing via processing or combatting junk mail. In E. F. Brickell, editor, CRYPTO’92, volume 740 of LNCS, pages 139–147. Springer, Heidelberg, Aug. 1993.

[17] I. Eyal. The miner’s dilemma. In 2015 IEEE Symposium on Security and Privacy, pages 89–103. IEEE Computer Society Press, May 2015.

[18] I. Eyal and E. G. Sirer. Majority is not enough: Bitcoin mining is vulnerable. In N. Christin and R. Safavi-Naini, editors, FC 2014, volume 8437 of LNCS, pages 436–454. Springer, Heidelberg, Mar. 2014.

[19] J. A. Garay, A. Kiayias, and N. Leonardos. The bitcoin backbone protocol: Analysis and applications. In E. Oswald and M. Fischlin, editors, EUROCRYPT 2015, Part II, volume 9057 of LNCS, pages 281–310. Springer, Heidelberg, Apr. 2015.

[20] D. Goodin. Bitcoin security guarantee shattered by anonymous miner with 51% network power. 2014. http://arstechnica.com/.

[21] D. Hofheinz and J. Müller-Quade. Universally composable commitments using random oracles. In M. Naor, editor, TCC 2004, volume 2951 of LNCS, pages 58–76. Springer, Heidelberg, Feb. 2004.

[22] Intel. Proof of elapsed time (poet). 2016. https://intelledger.github.io/introduction.html.

[23] J. Katz, A. Miller, and E. Shi. Pseudonymous broadcast and secure computation from cryptographic puzzles. Cryptology ePrint Archive, Report 2014/857, 2014. http://eprint.iacr.org/2014/857.

[24] A. Kiayias, E. Koutsoupias, M. Kyropoulou, and Y. Tselekounis. Blockchain mining games. In Pro-ceedings of the 2016 ACM Conference on Economics and Computation (EC), pages 365–382, 2016.

[25] A. Kiayias and G. Panagiotakos. Speed-security tradeoffs in blockchain protocols. Cryptology ePrint Archive, Report 2015/1019, 2015. http://eprint.iacr.org/2015/1019.

[26] A. Kiayias and G. Panagiotakos. On trees, chains and fast transactions in the blockchain. Cryptology ePrint Archive, Report 2016/545, 2016. http://eprint.iacr.org/2016/545.

[27] A. Kiayias, A. Russell, B. David, and R. Oliynykov. Ouroboros: A provably secure proof-of-stake blockchain protocol. In Cryptology ePrint Archive, Report 2016/889, 2016. http://eprint.iacr.org/2016/889.

[28] S. King and S. Nadal. Ppcoin: Peer-to-peer crypto-currency with proof-of-stake. 2012. https://peercoin.net/assets/paper/peercoin-paper.pdf.

[29] J. Kwon. Tendermint: Consensus without mining. 2014. https://tendermint.com/static/docs/tendermint.pdf.

[30] S. Micali. ALGORAND: the efficient and democratic ledger. CoRR, abs/1607.01341, 2016.

[31] A. Miller, A. Juels, E. Shi, B. Parno, and J. Katz. Permacoin: Repurposing bitcoin work for data preservation. In 2014 IEEE Symposium on Security and Privacy, pages 475–490. IEEE Computer Society Press, May 2014.

[32] A. Miller, A. E. Kosba, J. Katz, and E. Shi. Nonoutsourceable scratch-off puzzles to discourage bitcoin mining coalitions. In I. Ray, N. Li, and C. Kruegel, editors, ACM CCS 15, pages 680–691. ACM Press, Oct. 2015.

[33] T. Moran and I. Orlov. Proofs of space-time and rational proofs of storage. Cryptology ePrint Archive, Report 2016/035, 2016. http://eprint.iacr.org/2016/035.

[34] S. Nakamoto. Bitcoin: A peer-to-peer electronic cash system. 2008. https://bitcoin.org/bitcoin.pdf.

[35] K. Nayak, S. Kumar, A. Miller, and E. Shi. Stubborn mining: Generalizing selfish mining and combining with an eclipse attack. Cryptology ePrint Archive, Report 2015/796, 2015. http://eprint.iacr.org/2015/796.

[36] NXT Community. Nxt whitepaper. 2014. https://www.dropbox.com/s/cbuwrorf672c0yy/NxtWhitepaper_v122_rev4.pdf.

[37] T. Okamoto. An efficient divisible electronic cash scheme. In D. Coppersmith, editor, CRYPTO’95, volume 963 of LNCS, pages 438–451. Springer, Heidelberg, Aug. 1995.

[38] T. Okamoto and K. Ohta. Universal electronic cash. In J. Feigenbaum, editor, CRYPTO’91, volume 576 of LNCS, pages 324–337. Springer, Heidelberg, Aug. 1992.

[39] S. Park, K. Pietrzak, A. Kwon, J. Alwen, G. Fuchsbauer, and P. Gaži. Spacemint: A cryptocurrency based on proofs of space. Cryptology ePrint Archive, Report 2015/528, 2015. http://eprint.iacr.org/2015/528.

[40] R. Pass, L. Seeman, and A. Shelat. Analysis of the blockchain protocol in asynchronous networks. In EUROCRYPT, 2017. https://eprint.iacr.org/2016/454.

[41] A. Sapirstein, Y. Sompolinsky, and A. Zohar. Optimal selfish mining strategies in bitcoin. In Financial Cryptography and Data Security (FC), 2016.

[42] O. Schrijvers, J. Bonneau, D. Boneh, and T. Roughgarden. Incentive compatibility of bitcoin mining pool reward functions. In Financial Cryptography and Data Security (FC), 2016.

[43] Y. Sompolinsky and A. Zohar. Secure high-rate transaction processing in bitcoin. In R. Böhme and T. Okamoto, editors, FC 2015, volume 8975 of LNCS, pages 507–527. Springer, Heidelberg, Jan. 2015.

[44] P. Vasin. Blackcoin's proof-of-stake protocol v2. 2014. http://blackcoin.co/blackcoin-pos-protocol-v2-whitepaper.pdf.

[45] Wikipedia. Nothing up my sleeve. https://en.wikipedia.org/wiki/Nothing_up_my_sleeve_number.

A Supporting Material for Our Model

A.1 Resource Certificate Authority Functionality FrCA

In this work, we consider the following scenario: a cryptocurrency system (e.g., Bitcoin) has "grown up", meaning that its blockchain protocol has been running stably for a while and the stake stored in this blockchain is distributed among all players. This mature blockchain can be used to implement a resource certification functionality $\mathcal F_{rCA}$, described in Figure 10. In [10], Canetti introduces the certificate authority functionality $\mathcal F_{CA}$; here, we introduce the resource certificate authority functionality $\mathcal F_{rCA}$, which involves no trapdoor information and can be implemented from real-world resources.

Note that proof-of-stake is introduced to strengthen the proof-of-work blockchain. Specifically, our goal is to use proof-of-stake effectively to secure the proof-of-work blockchain when the adversary controls the majority of computing power but not the majority of collective online resources (stake and computing) overall. We will later formally show that, under the assumption that the majority of collective online resources belongs to the honest players, our protocol is still secure even if the adversary dominates the proof-of-work chain (meaning that the adversary controls the majority of computing power). Here, the honest stakeholders play an important role in protecting the proof-of-work blockchain from domination by the malicious players.

We argue that the scenario we consider here is realistic. Currently, PoW-based cryptocurrency systems such as Bitcoin are stable, with the honest players holding the majority of computing power, which means the majority of stake is also under the control of honest players. Later, the adversary may develop novel mining techniques and attempt to dominate the Bitcoin system. However, by our protocol design and under the plausible assumption that the majority of collective online resources is honest, these PoW-based cryptocurrency systems remain protected.

Similarly to $\mathcal F_{rRO}$, at any time step a PoS-holder $S_j$ can send a register command (CA-REGISTER, $S_j$, $B$, $vk_j$) to ask for registration. The functionality then records $(S_j, B, vk_j)$ (if permitted by the adversary) with probability $\tilde p$. Then, in each execution round, a different player $P$ can ask the functionality to retrieve the message registered by $S_j$; the functionality returns the record of $S_j$ if permitted by the adversary. Otherwise, the requesting player will not receive $vk_j$.

The formal description of $\mathcal F_{rCA}$ is given in Figure 10.

FUNCTIONALITY $\mathcal F_{rCA}$

The functionality is parameterized by a PoS parameter $\tilde p$ and a security parameter $\kappa$, and interacts with PoW-miners $\{W_1, \ldots, W_n\}$, PoS-holders $\{S_{n+1}, \ldots, S_{n+\tilde n}\}$, as well as an adversary $\mathcal A$.

Registration. Upon receiving a message (CA-REGISTER, $S_j$, $B$, $vk_j$) from party $S_j \in \{S_{n+1}, \ldots, S_{n+\tilde n}\}$ where $vk_j \in \{0,1\}^{\mathrm{poly}(\kappa)}$, pass the message to the adversary. Upon receiving a message (CA-REGISTERED, $S_j$) from the adversary,

1. With probability $\tilde p$, set $f := 1$, record $(S_j, B, vk_j)$, and pass (CA-REGISTERED, $S_j$, $f$) to the party.

2. With probability $1 - \tilde p$, set $f := 0$, and pass (CA-REGISTERED, $S_j$, $f$) to the party.

Retrieve. Upon receiving (RETRIEVE, $S_j$, $B$) from a player $P \in \{W_1, \ldots, W_n, S_{n+1}, \ldots, S_{n+\tilde n}\}$, send (RETRIEVE, $S_j$, $P$) to the adversary, and wait for a message (RETRIEVED, $S_j$, $P$) from the adversary. Then, if there is a recorded entry $(S_j, B, vk_j)$, output (RETRIEVED, $vk_j$) to $P$. Else, output (RETRIEVED, $\bot$) to $P$.

Figure 10: Resource certificate authority functionality $\mathcal F_{rCA}$.

There are multiple ways to instantiate $\mathcal F_{rCA}$. Intuitively, in our main application scenario, $\mathcal F_{rCA}$ is implemented by a protocol in the $\{\hat{\mathcal F}_{CA}, \mathcal F_{RO}\}$-hybrid model, and the multi-session certificate authority functionality $\hat{\mathcal F}_{CA}$ can in turn be implemented by an already mature blockchain (i.e., Bitcoin). At a specified point, this mature blockchain changes gear and switches to a new mode (i.e., the hybrid PoW/PoS protocol).

We denote by $\phi_{rCA}$ the ideal protocol for the ideal functionality $\mathcal F_{rCA}$ and by $\pi_{rCA}$ the protocol in the $\{\hat{\mathcal F}_{CA}, \mathcal F_{RO}\}$-hybrid model. In the ideal protocol $\phi_{rCA}$, players are dummy: they forward the messages received from the environment to the functionality $\mathcal F_{rCA}$, and forward the messages received from the functionality back to the environment. In contrast, upon receiving messages from the environment, the players in $\pi_{rCA}$ execute the protocol and then pass the outputs to the environment. The protocol $\pi_{rCA}$ is described in Figure 11.

PROTOCOL $\pi_{rCA}$

The protocol is parameterized by a PoS parameter $\tilde p$ and a security parameter $\kappa$.

1. Upon receiving (CA-REGISTER, $S_j$, $B$, $vk_j$) from the environment $\mathcal Z$, PoS-holder $S_j \in \{S_{n+1}, \ldots, S_{n+\tilde n}\}$ sends $(B, vk_j)$ to the functionality $\mathcal F_{RO}$ and receives $h$.

• If $h > \tilde D$, where $\tilde D = \tilde p \cdot 2^{\kappa}$, set $f := 0$ and pass (CA-REGISTERED, $S_j$, $f$) to the environment.

• Else, if $h \le \tilde D$, send (REGISTER, sid, ssid, $S_j$, $B$, $vk_j$) for some sid, ssid to the functionality $\hat{\mathcal F}_{CA}$. Upon receiving (REGISTERED, sid, ssid, $S_j$, $B$, $vk_j$) from $\hat{\mathcal F}_{CA}$, set $f := 1$ and send (CA-REGISTERED, $S_j$, $f$) to the environment.

2. Upon receiving (RETRIEVE, $S_j$, $B$) from the environment, party $P \in \{W_1, \ldots, W_n, S_{n+1}, \ldots, S_{n+\tilde n}\}$ sends (RETRIEVE, sid, ssid, $S_j$, $B$) to the functionality $\hat{\mathcal F}_{CA}$ and receives the output (RETRIEVED, sid, ssid, $vk_j$). It then sends (RETRIEVED, $vk_j$) to the environment.

Figure 11: Resource certificate authority protocol $\pi_{rCA}$.
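As an added example (not the paper's code and not from the TwinsCoin repository), the following Python models both steps of $\pi_{rCA}$ from Figure 11: a lazily sampled table stands in for $\mathcal F_{RO}$, a dictionary keyed by $(S_j, B)$ stands in for $\hat{\mathcal F}_{CA}$, and registration succeeds only when the oracle output, read as an integer, satisfies $h \le \tilde D = \tilde p \cdot 2^{\kappa}$. The length-prefixed encoding of $(B, vk_j)$, the first-registration-wins rule for $\hat{\mathcal F}_{CA}$, the seeded oracle, and all class and function names are our assumptions; the page fixes none of them.

```python
"""Added example (not the paper's code): a runnable model of protocol pi_rCA
(Figure 11) in the {F^_CA, F_RO}-hybrid model.

Assumptions made here, not stated on the page: F_RO is an ideal random oracle
with lazily sampled kappa-bit outputs (a deployment would use a hash such as
SHA-256); F^_CA is a table keyed by (holder, B) that keeps the first registered
vk; the oracle output h is read as an integer and compared with
D~ = p~ * 2^kappa; (B, vk) is length-prefixed before hashing so that distinct
pairs never collide as byte strings.
"""
import random
from typing import Dict, Optional, Tuple


class RandomOracle:
    """Ideal F_RO: a fresh uniform kappa-bit value per new query, remembered."""

    def __init__(self, kappa: int, seed: int = 0) -> None:
        self.kappa = kappa
        self._rng = random.Random(seed)  # seeded only for reproducibility
        self._table: Dict[bytes, int] = {}

    def query(self, msg: bytes) -> int:
        if msg not in self._table:
            self._table[msg] = self._rng.getrandbits(self.kappa)
        return self._table[msg]


class MultiSessionCA:
    """Stand-in for F^_CA: binds (holder, B) to a vk; first registration wins."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, bytes], bytes] = {}

    def register(self, holder: str, B: bytes, vk: bytes) -> bool:
        key = (holder, B)
        if key in self._records:
            return self._records[key] == vk
        self._records[key] = vk
        return True

    def retrieve(self, holder: str, B: bytes) -> Optional[bytes]:
        return self._records.get((holder, B))


def encode_pair(B: bytes, vk: bytes) -> bytes:
    """Unambiguous encoding of (B, vk) for the oracle query (our choice)."""
    return len(B).to_bytes(4, "big") + B + vk


class ResourceCAProtocol:
    """pi_rCA: a holder's registration succeeds only if H(B, vk) <= D~."""

    def __init__(self, p_tilde: float, kappa: int,
                 ro: RandomOracle, ca: MultiSessionCA) -> None:
        if not 0.0 <= p_tilde <= 1.0:
            raise ValueError("p_tilde must be a probability")
        self.threshold = int(p_tilde * 2 ** kappa)  # D~ = p~ * 2^kappa
        self.ro = ro
        self.ca = ca

    def register(self, holder: str, B: bytes, vk: bytes) -> int:
        """Step 1 of Figure 11. Returns f: 1 on success, 0 otherwise."""
        h = self.ro.query(encode_pair(B, vk))
        if h > self.threshold:
            return 0
        return 1 if self.ca.register(holder, B, vk) else 0

    def retrieve(self, holder: str, B: bytes) -> Optional[bytes]:
        """Step 2 of Figure 11. None plays the role of the bottom symbol."""
        return self.ca.retrieve(holder, B)


def success_rate(p_tilde: float, holders: int, kappa: int = 64, seed: int = 1) -> float:
    """Fraction of `holders` distinct registrations that succeed; it should be
    close to p_tilde, matching the coin flipped by F_rCA in Figure 10."""
    proto = ResourceCAProtocol(p_tilde, kappa, RandomOracle(kappa, seed), MultiSessionCA())
    B = b"constructed-block-hash"  # constructed sample input
    ok = sum(proto.register(f"S{i}", B, i.to_bytes(4, "big")) for i in range(holders))
    return ok / holders


if __name__ == "__main__":
    proto = ResourceCAProtocol(0.25, 64, RandomOracle(64), MultiSessionCA())
    f = proto.register("S1", b"block", b"vk-of-S1")
    print("f =", f, "retrieve ->", proto.retrieve("S1", b"block"))
    print("empirical success rate at p~=0.25:", success_rate(0.25, 4000))
```

Two points worth noting when reading the model against Figure 11: the comparison is $h \le \tilde D$ with equality included, exactly as the figure writes it, and the success decision is a deterministic function of $(B, vk_j)$ because $\mathcal F_{RO}$ answers repeated queries identically, so the empirical rate approaches $\tilde p$ only over distinct $(B, vk_j)$ pairs.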

Let $\mathcal S$ be the adversary against the ideal protocol $\phi_{rCA}$, and $\mathcal A$ the adversary against protocol $\pi_{rCA}$. Let $\mathrm{EXEC}^{\mathcal F_{rCA}}_{\phi_{rCA},\mathcal S,\mathcal Z}$ be the random variable denoting the joint view of all parties in the execution of $\phi_{rCA}$ with the adversary $\mathcal S$ and an environment $\mathcal Z$. Let $\mathrm{EXEC}^{\hat{\mathcal F}_{CA},\mathcal F_{RO}}_{\pi_{rCA},\mathcal A,\mathcal Z}$ be the random variable denoting the joint view of all parties in the execution of $\pi_{rCA}$ with the adversary $\mathcal A$ and an environment $\mathcal Z$.

Lemma A.1. Consider $\phi_{rCA}$ described above and $\pi_{rCA}$ in Figure 11. The two ensembles $\mathrm{EXEC}^{\mathcal F_{rCA}}_{\phi_{rCA},\mathcal S,\mathcal Z}$ and $\mathrm{EXEC}^{\hat{\mathcal F}_{CA},\mathcal F_{RO}}_{\pi_{rCA},\mathcal A,\mathcal Z}$ are perfectly indistinguishable.

Proof. The adversary $\mathcal S$ on input $1^\kappa$ and $\tilde p$ operates as follows. Note that $\mathcal S$ stores a table $T$.

1. Upon receiving $(B, vk_j)$ from $\mathcal A$ in the name of $S_j$, send (CA-REGISTER, $S_j$, $B$, $vk_j$) to the functionality and obtain (RETRIEVED, $vk_j$). Then pass the message to the environment.

We now show that the two ensembles $\mathrm{EXEC}^{\mathcal F_{rCA}}_{\phi_{rCA},\mathcal S,\mathcal Z}$ and $\mathrm{EXEC}^{\hat{\mathcal F}_{CA},\mathcal F_{RO}}_{\pi_{rCA},\mathcal A,\mathcal Z}$ are perfectly close. Notice that for each random oracle query from $\mathcal A$, the adversary $\mathcal S$ asks the functionality $\mathcal F_{rCA}$ to decide whether this random oracle query is successful or not, and then samples the output uniformly from $\{0,1\}^\kappa$ consistently with that decision (at most the threshold $\tilde D$ if successful, above it otherwise). Moreover, for every register query to the functionality $\hat{\mathcal F}_{CA}$, $\mathcal S$ accepts if the corresponding random oracle query is successful. Putting
