On the (in)security of Proofs-of-Space based Longest-Chain Blockchains

TL;DR

This paper demonstrates fundamental security limitations of Proofs-of-Space based longest-chain blockchains under dynamic resource availability, showing that no protocol can prevent double spending beyond certain bounds.

Contribution

It provides the first formal impossibility result for secure Proofs-of-Space longest-chain protocols with dynamic resource variability, quantifying the bounds on adversarial forks.

Findings

Adversaries can create long forks proportional to their resource control and replotting time.

No chain selection rule can prevent double spending beyond the derived bounds.

A matching upper bound exists for a specific chain selection rule.

Abstract

The Nakamoto consensus protocol underlying the Bitcoin blockchain uses proof of work as a voting mechanism. Honest miners who contribute hashing power towards securing the chain try to extend the longest chain they are aware of. Despite its simplicity, Nakamoto consensus achieves meaningful security guarantees assuming that at any point in time, a majority of the hashing power is controlled by honest parties. This also holds under ``resource variability'', i.e., if the total hashing power varies greatly over time. Proofs of space (PoSpace) have been suggested as a more sustainable replacement for proofs of work. Unfortunately, no construction of a ``longest-chain'' blockchain based on PoSpace, that is secure under dynamic availability, is known. In this work, we prove that without additional assumptions no such protocol exists. We exactly quantify this impossibility result by proving a bound on the length of the fork required for double spending as a function of the adversarial capabilities. This bound holds for any chain selection rule, and we also show a chain selection rule (albeit a very strange one) that almost matches this bound. Concretely, we consider a security game in which the honest parties at any point control $\phi>1$ times more space than the adversary. The adversary can change the honest space by a factor $1\pm \varepsilon$ with every block (dynamic availability), and ``replotting'' the space takes as much time as $\rho$ blocks. We prove that no matter what chain selection rule is used, in this game the adversary can create a fork of length $\phi^2\cdot \rho / \varepsilon$ that will be picked as the winner by the chain selection rule. We also provide an upper bound that matches the lower bound up to a factor $\phi$. There exists a chain selection rule which in the above game requires forks of length at least $\phi\cdot \rho / \varepsilon$.