IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS 1 e-PoS: Making Proof-of-Stake Decentralized and Fair

Muhammad Saad, Zhan Qin, Kui Ren, DaeHun Nyang, and David Mohaisen

Abstract—Blockchain applications that rely on the Proof-of-Work (PoW) have increasingly become energy inefficient with a staggering carbon footprint. In contrast, energy efficient alternative consensus protocols such as Proof-of-Stake (PoS) may cause centralization and unfairness in the blockchain system. To address these challenges, we propose a modular version of PoS-based blockchain systems called e-PoS that resists the centralization of network resources by extending mining opportunities to a wider set of stakeholders. Moreover, e-PoS leverages the in-built system operations to promote fair mining practices by penalizing malicious entities. We validate e-PoS’s achievable objectives through theoretical analysis and simulations. Our results show that e-PoS ensures fairness and decentralization, and can be applied to existing blockchain applications.

Index Terms—Blockchains, Consensus Protocols, Bitcoin. !

1 INTRODUCTION An energy-efficient consensus alternative is known as Blockchain systems use various leader election schemes the Proof-of-Stake (PoS), which relies on the stake of par- for consensus-driven ledger updates. In the Proof-of-Work ticipants than their processing power. In PoS, miners are (PoW) applications, for example, the protocol requires the selected based on their balance (stake), and the network network entities to produce a valid solution to a challenge to conforms to the view of those miners. In most PoS-based be able to publish an acceptable block. To avoid concurrent cryptocurrencies, coins are generated at the inception of the solutions, the challenge complexity is periodically calibrated cryptocurrency itself. Therefore, there are no block rewards to comply with the dynamically changing hash rate. In- for miners. Instead, miners earn by collecting fee from stances of this protocol can be observed in Bitcoin, where the transactions. The selection of miners in PoS is similar to an challenge includes producing a nonce string which, when auction process whereby miners bid for the next block and hashed with the block header, produces a lower value than the miner who places the highest bid wins the auction [5], the Target threshold set by the system. As a reward for the [6]. However, there is a major caveat in this scheme: a rich efforts, the block releases coins to the miner’s account. Once miner is likely to win more auctions, which in return makes a block is published, all its transactions are approved and this miner richer and increases his chances of winning the block is added to the blockchain. subsequent auctions. Therefore, in the long term, PoS-based In cryptocurrencies, miners use sophisticated hardware applications tend to become more centralized in favor of a to increase their chances of solving proof-of-work. Mining few miners. Another challenge in PoS-based protocols is the hardware consumes significant electricity to find the correct lack of fairness policies when system is under attack. For hash value, and only one solution is considered valid per instance, if an adversary carries out fraudulent activities, block. Therefore, the energy used by all the “losing” miners such as double-spending, blockchain fork, or a majority is wasted. To make matters worse, multi-home mining pools attack, the existing systems do not have policies to penalize have been set up worldwide to facilitate collaborative min- the adversary and compensate the victims. arXiv:2101.00330v1 [cs.CR] 1 Jan 2021 ing. These mining pools are similar to data center networks, To address the aforementioned challenges, we introduce with their own mining rigs, power houses, and cooling a variant of PoS, called e-PoS, that resists network central- systems. Such processing-intensive operations expend high ization, and promotes fair mining.We revisit the notions of units of electricity. Bitcoin alone consumes more than 70 decentralization and fairness to set baseline conditions to be Terawatt-hour per year, which is more than the electricity met. While decentralization guarantees that the auction pro- consumed by countries, such as Colombia and Switzerland cess in e-PoS is made available to wider set of stakeholders, [1], [2]. The Bitcoin community has been criticized for en- fairness ensures that, during an attack, malicious entities are abling the exhaustion of valuable energy resources, and has penalized and the affected parties are compensated. been encouraged to adapt to green mining practices [3], [4]. Contributions and Roadmap. Towards the broader goal of decentralization and fairness in PoS-based blockchain • Muhammad Saad and David Mohaisen are affiliated with the University systems, we make the following key contributions: of Central Florida, USA. Zhan Qin and Kui Ren are affiliated with 1 We propose a consensus protocol, called the extended the Zhejiang University, China. DaeHun Nyang is with the the Ewha PoS (e-PoS), which addresses the limitations of PoW and Womans University. South Korea. E-mail: [email protected], [email protected], PoS and enables decentralized, energy-efficient, and fair [email protected], [email protected], and [email protected]. David mining in blockchain systems. Mohaisen is the corresponding author. This work was supported in part 2 We present the design constructs of e-PoS and its trans- by NRF grant NRF-2016K1A1A2912757 (GRL Project). lation into the blockchain framework using theoretical IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS 2

1013 108 × × 1.5 74 10.8 1.0 200 72 10.6 1.0 2 70 10.4 0.5 68 10.2 Difficulty Difficulty

0.5 Hash Rate Hash Rate 66 10 0 0 64 9.8 2017-09-23 2019-05-16 2015-07-30 2018-11-11 62 9.6 per year Date (yy-mm-dd) Date (yy-mm-dd) 60 per year 9.4 58 9.2 (a) Bitcoin (b) Ethereum 56 9 TWh TWh 8.8

Fig. 1. Fig. 1(a) shows Bitcoin hash rate (EH/s) and difficulty, while Kuwait Bitcoin Austria Libya Fig. 1(b) shows Ethereum hash rate (PH/s) and difficulty. Switzerland Colombina EstoniaTriniad Georgia Costa Rica Ethereum Czech Republic

primitives and engineering requirements. (a) Bitcoin (b) Ethereum 3 We perform feasibility and security analyses of e-PoS, and show its merits through simulations. Fig. 2. Energy profile of Bitcoin and Ethereum. Note that Bitcoin’s and 4 Finally, to highlight structural and functional compos- Ethereum’s electricity consumption is compare able to several countries ability, we show how e-PoS can be applied to the existing cryptocurrencies such as Bitcoin and Ethereum. of the network decentralization, as generally expected in a blockchain application. Furthermore, public exposure of Additionally, the paper includes background and moti- stakes reveals the balance of candidate miners, thereby com- vation in section2, design primitives in section3, simula- promising their anonymity and privacy. Moreover, in PoS, tions in section5, and concluding remarks in section8. it is easy to fork the blockchain since anyone can produce a block without much effort and fork the main chain. Such an 2 BACKGROUNDAND MOTIVATION attacker can exploit network latency and churn to identify nodes that lag behind the main chain, and partition them Proof-of-Work Limitations. PoW involves solving a math- with his version of the blockchain [14], [15]. ematical challenge set by the network in order to produce a Motivation. Considering the aforementioned limitations, valid block. Now days, mining is carried out as a joint effort we anticipate a revision to the existing consensus schemes to by the mining pools. As mining pools expand, the aggregate improve decentralization and fairness. Naturally, we expect hashing power of the system increases, as shown in Fig. 1(a) a variant of PoS or an energy-efficient hybrid model that and Fig. 1(b), and the competition for mining block increases does not rely on compute-intensive mining. For decentral- as well. The excessive use of electricity in cryptocurrencies ization, the protocol should offer mining opportunities to has raised major concerns. In 2019, Bitcoin consumed 69.97 a wider set of stakeholders. For fairness, the protocol must TWh electricity with 32.95 Megaton carbon footprint [2]. The prevent fraudulent activities and fairly compensate affected carbon footprint is the amount of carbon dioxide released parties if attacked. While ensuring fairness, the protocol due to electricity generation. Similarly, in 2019, Ethereum must also have a reward mechanism that incentivizes honest consumed 10.1 TWh electricity with 4.78 Megaton carbon mining. Additionally, it would be useful if the protocol footprint [7]. In Fig. 2(a) and Fig. 2(b), we present the energy complements the existing PoW-based cryptocurrencies to profile of Bitcoin and Ethereum, respectively. Note that their facilitate their transition to the proposed scheme and avoid energy profile is comparable to several countries, reflecting bootstrapping complexities. With this motivation, we sketch the threat they pose to the environment. the design of an algorithm that addresses these challenges Proof-of-Stake Limitations. A popular alternative to PoW and provides a blueprint for future applications. is the Proof-of-Stake (PoS), which overcomes the shortcom- ings of PoW while achieving similar objectives [8]. In PoS, a candidate miner is selected to mine the next expected block, 3 EXTENDED PROOF-OF-STAKE and the candidate miner has to put his balance as a stake. Our protocol introduced in this section is called the “Ex- Peercoin, launched in 2012, is the first cryptocurrency that tended Proof-of-Stake” (or e-PoS), which builds on PoS used PoS for block mining [9]. Later, more cryptocurrencies protocol, and offers fairness, security, and decentralization. were launched including Nxt and BlackCoin, which used . variants of PoS. The two popular techniques for miner selection are called the “randomized block selection” and the “coin age-based selection.” In the randomized block 3.1 Design Overview selection, a combination of the lowest hash value and the The abstract implementation of e-PoS includes a set of min- size of a candidate’s stake is used to select the miner for ers executing an immutable smart contract that implements the next block. In the coin age-based selection, an auction the rules of a PoS auction. The smart contract in e-PoS process selects the candidate miners based on the coin age. makes modular adjustments to the conventional PoS design Although PoS is energy-efficient, it introduces central- to acquire the desirable properties including decentraliza- ization [10], [11], [12]. In randomized block selection, the tion and fairness. Its correct execution, on the other hand, deserving candidates with high stakes are often ignored, requires consensus among multiple parties (miners in a and a random candidate is selected. In the open stake cryptocurrency). For that, we use the practical Byzantine auction and age-based selection, a rich candidate is able to fault tolerance (PBFT) protocol [16]. It can be argued that win every auction and get richer [10], [13]. This creates a PBFT, in general, could provide an energy-efficient consen- skew in the network, challenging the expected guarantees sus scheme for distributed systems, although it suffers from IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS 3

high a message complexity which restricts its scalability peers. In PoW, the advantage is the mining power. If the ad- for a cryptocurrency network comprising of thousands of versary holds more than 50% hash rate, he can double-spend nodes [17]. As we later show in §6, e-PoS fragments the by mining a longer private chain and forcing the network to cryptocurrency network in a way that the selected number switch to the longer chain [21]. In PoS, the same applies of miners can easily execute PBFT. However, for now, we if the adversary holds more than 50% of all coins. In the focus on the rules of the smart contract in e-PoS. following, we characterize this advantage of the adversary. In e-PoS, the block mining is fragmented in a series of Our objective is to show that the success probability e-PoS epochs ,..., j. In each epoch, the smart contract pro- (with 50% coins) is lower than in conventional PoS, thereby E1 E duces a sequence of blocks ,..., l. The smart contract leading to a fair system with e-PoS. B1 B computes a baseline stake 1,..., l for each block To formally analyze this aspect, let BN denote the total ST ST Pn and announces them to the network. Candidate miners coins in the system, where BN = i=1 bi. Let αBN be (m , b ), willing to participate in the block auction com- the fraction coins owned by an adversary , and βBN be c c A pareC the baseline stake with their balance, and place a bid the coins owned by the honest miners. For m consecutive on their block of choice. The smart contract selects the final blocks, the probability that the adversary successfully pro- list of miners (mk, bk) based on their bids. For each epoch duces a longer private chain becomes: K j, the miners of the previous epoch j−1 execute the smart  m contractE using PBFT and transfer controlE to the miners of  α , α < 0.5 ( ) = β the next epoch. Assuming a 3f + 1 honest majority among Pr double-spends in PoS (2) A 1 , α 0.5 (mk, bk), e-PoS continues to function correctly [16]. K ≥ Decentralization in e-PoS. In PoS, decentralization can   be attributed to the extension of mining opportunities to  α , α < 0.5 a wider set of stake holders [18]. Roughly speaking, a PoS- Pr( mines the next block) = β (3) A based blockchain application is centralized if only the rich 1 , α 0.5 ≥ miners have the ability to mine a majority of the blocks. (2) shows that when α < 0.5, the adversary’s suc- l n For a given epoch of length , let be the total number cess probability decreases exponentially. However, when c < n of participants in the network, be the number of can- α 0.5 ( acquires more than 50% coins), the adversary k < c e-PoS didate miners, and , be the final list of miners in . eventually≥ A produces a longer private chain and double- For simplicity, and without the loss of generality, we assume spends. Moreover, (3) shows that when α 0.5, the ad- that two independent and concurrent execution fragments versary mines the next block with probability≥ 1. This is due k of PoS have been implemented, from which we obtain to the fact that no other honest miner has a higher stake e-PoS k0 miners in and in the conventional PoS. Provided in the network. For any block, the adversary can place a that, decentralization (or the lack of it, thereof) is expressed higher bid than any other miner and win the auction. In β 0 < β 1 β = k as a parameter , where . More precisely, e n summary, by acquiring more than 50% coins, the adver- is used for expressing the decentralization≤ level in e-PoS, 0 sary can (1) double-spend with probability 1, and (2) win β k while c = n is used for expressing the decentralization each successive auction and mine subsequent blocks. This in the conventional PoS. We note that a scheme is more prevents honest miners from producing blocks and allows decentralized if β is closer to 1, and centralized otherwise. adversary to violate the blockchain safety properties [22]. We use this notion of decentralization to compare dif- In other words, the adversary breaks the notion of fairness ferent schemes. Let the difference between the two schemes that we aim for a PoS-based blockchain system. In e-PoS, we above be γ = βe βc, which represents the gap in decen- − propose that even with 50% coins, the adversary’s success tralization between the two schemes. Such a gap is used to probability of (1) double-spending is negligible (a small compare e-PoS the conventional PoS as follows: value ), and (2) mining the next block is less than 1.  γ < 0 e-PoS is less decentralized Pr( double-spends in e-PoS α 0.5) =  (4)  A | ≥ βe βc = γ = 0 equally decentralized (1) Pr( mines the next block in e-PoS α 0.5) < 1 (5) −  γ > 0 e-PoS is more decentralized A | ≥ The closer γ is to 1, the more decentralization e-PoS 3.2 Epoch Length brings over the conventional PoS (and vice versa). To affirm The first challenge in e-PoS is to determine the length of that over a long run of the system, we say that one scheme an eoch, j, required to calculate the expected number of is better than another (with respect to the decentralization blocks l Eto be computed. For that, we use the memory notion) if the overwhelming majority of the observations of pool (mempool) of cryptocurrencies. The mempool is a γ over a large number of epochs is positive. repository of unconfirmed transactions used by miners to Fairness in e-PoS. In blockchain applications, fairness is select transactions for blocks. The mempool size is usually defined as a model that forces an adversary to pay back greater than the average size of the block [23], [24]. Miners a penalty upon deviating from the protocol by, for exam- prioritize transactions based on their fee, and select the high ple, premature abortion of the agreed upon protocol or by valued transactions from the mempool to mine in blocks. carrying out fraudulent activities. This notion of fairness is The mining process can be viewed from two perspec- defined in the prior work to explore fair mining [19], [20]. tives. 1) The miner’s aim is to select highly paying transac- In general, an adversary may carry out fraudulent activ- tions. 2) In ideal conditions, the network requires an empty ities if that adversary has a significant advantage over other mempool to prevent transaction backlog. IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS 4

With a fixed block size, s, and the size of mempool Algorithm 1: Computing Baseline Stake B being s, we can compute the number of blocks required M Input: l, j, tsort Sorted (id, f, s) to empty the mempool (i.e., to make s 0). It is desirable E ← T 1 Initialize: size = 0, fee = 0 to completely fill the blocks with transactionsM ≈ such that the 2 for i = 1 ... l 1 do total size of each block must be equal to the standard block − 3 foreach (id, f, s) tsort do size of the cryptocurrency ( i s). A complete block also T ∈ 4 i i (id, f, s) means that the miner is able|B to|≈ obtain B a maximum rewards B ← B ∪ T 5 size = size + (s (id, f, s)) from the mining fee paid by each transaction. In light of ∈ T 6 fee = fee + (f (id, f, s)) these design restrictions, the number of blocks in each epoch ∈ T 7 remove (id, f, s) from tsort can be computed using (6). T 8 if (size s) then ( ≤ B 0 , > 9 continue l s s . = Ms B M (6) 10 else B , s < s s B M 11 i = fee ST The number of blocks is computed by dividing the mempool 12 fee = 0; size = 0 size by the standard block size in (6). 13 for i = l do 14 foreach (id, f, s) tsort do Epoch Duration. The epoch duration E is the product T ∈ D 15 i (id, f, s) of the number of blocks produced in the epoch and the B ← T 16 fee = fee + (f (id, f, s)) standard block time. Furthermore, the difference in the ∈ T 17 remove (id, f, s) from tsort if (tsort = ) publishing time between two subsequent blocks should be T ∅ equal to the standard block time to avoid undesirable delays then 18 i = fee in the block generation or the ledger update [22]. ST return: i, i B ST 3.4 Block Auction 3.3 Baseline Stake Once, the baseline stakes and epoch length are determined, the smart contract announces them to the network. The In the next phase, the smart contract computes a baseline nodes query the baseline stakes corresponding to each block stake i for each block i in the epoch. In light of the and compare them with their balance. A node is qualified decentralizationST and fairnessB objectives outlined in §3.1, the for mining only if its balance exceeds the baseline stake. baseline stakes must satisfy the following principle objec- To extend mining opportunities to more peers, the smart tives: 1) The baseline stakes must be small enough to allow contract forces peers to place one bid per block. It is possible mining opportunities to a large subset of miners (c n). that a node qualifies for multiple blocks as a candidate 2) The baseline stakes must also be large enough to prevent≈ miner. However, a node can only place the bid on one block. fraudulent activities and compensate victim parties. 3) The Since the blocks are sorted in a descending order based outcome of each mined block must proportionally benefit on the value of the transaction fees, a greedy candidate can the candidate miners according to their commitments. select a block based on the reward incentive. The process Theoretically, the subset of candidate miners can be of block auction is carried out in multiple phases. In the maximized by setting the baseline stakes to a negligible first phase, the qualified peers notify the smart contract and place their bids on each block. As a result, the smart value ( i 0, i), such that the entire network becomes eligibleST for mining.' ∀ However, this may challenge the two contract obtains a list of candidate miners from the network (c n), with a balance exceeding the baseline stake. In the subsequent principle objectives that prevent fraud and pro- ⊂ mote incentivized reward distribution. The challenge is to next phase, the smart contract selects the final list of miners construct a scheme that meets all three principle objectives. (k c) and asks them to make a final commitment for their selected⊂ block. After all the commitments are locked, the In algorithm 1 we present an efficient design for comput- smart contract assigns blocks to the corresponding miners, ing baseline stakes that meet the requirements. First, we sort the miners verify each transaction, and receive the rewards. all transactions in the mempool in a descending order, based Below, we outline the details of each auction phase. on their transactions fee. Next, we fill the first block with the transactions from the mempool while monitoring the size of the block. Once the block size reaches the standard block 3.4.1 Selecting Candidate Miners size ( i = s), the baseline stake is computed as the sum In the first phase, the peers compare their balance with of theSB fee of allB the transactions in the block. The procedure the baseline stakes of all blocks published by the smart is repeated for the subsequent l 1 blocks. All of the blocks contract. The peers then select a block of their choice for computed in the cycle are equal− to the standard block in which their balance exceeds the baseline stake, and place size, and their stakes are the sum of transaction fee of all a stake bid. In algorithm 2, we show how an individual the transactions in the block. The remaining transactions are peer surveys the network conditions and places his bid on a then put into the last block ( i = l). Once the algorithm certain block. The bid commitment consists of a percentage finishes the execution, the smartB contractB will have a set of balance remaining after the baseline stake is subtracted blocks and their corresponding baseline stakes ( i i). from the current balance (lines 8-9). We take this approach Since the baseline stake for a block is the sum ofST transaction∈ B for two reasons. First, the balance committed beyond the fee, a miner’s stake can be used to reimburse if he cheats. baseline stake can be later used to additionally reimburse IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS 5

Algorithm 2: Selecting Candidate Miners Algorithm 3: Final Selection of Miners

Input: i, i Input: C(mc, bc, c),M(mj, hj) ST B P 1 Initialize: pBlock ; // block list 1 Initialize: cList 2 for m N(mn, bn) do 2 foreach i do ∈ B 3 foreach i = 1...l do 3 if for first item in Sorted C(mc, bc, c) P P 4 if bn > i then is unique then ST 5 pBlock i ; // potential block 4 Assign: Block to the miner at first index ← B Output: pBlock 5 else 6 Select: i pBlock ; // select block B ∈ 6 Put all C(mc, bc, c) with same c in list cList 7 for i i do P P ST ∈ B 7 Query: (M(mj, hj)) 8 rBalance = bn i ; // balance left (x)×rBalance− ST 8 sort cList based on value of mc in(M(mj, hj)) 9 c = ; // stake committed S 100 9 Select mc with minimum value of hj 10 c c; P ← S 10 Cold Start if hj = 0, select one with highest bid return: C(mc, bc, c) P 11 Assign: Block to the Selected Miner the victim, in case the miner misbehaves. This also increases conflicts, and assigns blocks to the selected miners. In Fig.3, the fraud penalty for malicious miners and enforces fair we provide the abstraction of the network’s state after the mining practices. Second, the percentage commitment is smart contract finalizes the list of miners for each block. useful in determining the risk factor associated with the commitment of the miner. If a candidate miner x has a higher balance bx than a competing miner y with balance 3.5 Block Mining by, and x makes 15% commitment of (bx i), while y makes 20% commitment of (b ), then− theST preference y i Once miners are finalized, the smart contract initiates a will be given to y, for showing− higher ST commitment. This request for the final stake commitment. The final commit- method also helps in democratizing the network since the ment ensures that a candidate miner has not spent his percentage stake are always in the range [0–100], where balance after making the initial commitment. In response, all miners will have equal opportunities to participate in the selected miners confirm their final bids and deposit the block auction. This also challenges the hegemony of their balance to the smart contract. The smart contract locks rich stakeholders and decentralizes the network by offering their balance and assigns respective blocks to each miner. mining opportunities to more peers. The miners consult the blockchain and the “UTXO” set to 3.4.2 Finalizing Miners validate the authenticity of each transaction. If a transac- tion fraudulent, the miner notifies the smart contract and Once the smart contract receives a percentage of stake removes the transaction from the block. committed by the candidate miners, it then finalizes the subset of miners (k c) that are designated to process each When all transactions are verified, the smart contract block. For each block,⊂ it sorts the percentage bids committed employs a signature scheme to prevent blockchain forks and by all candidate miners, and assigns the blocks based on assert ownership of the blocks. The signature scheme used the winning bids. The winning bid for each block is the by the smart contract is a tuple (KeyGen, Sign, Verify), where each algorithm is defined as follows. 1) KeyGen(1u): given highest percentage stake c committed by the candidate P a security parameter u U, the key generation algorithm miner. However, there are cases that may cause conflicts ∈ in the final selection process. In the following, we present generates a pair of private and public keys, namely sk pk. those cases and remedies to address them. 2) Sign(sk, m): a deterministic algorithm that takes as an in- put a message m and the private key sk, and generates Case 1: Equal bids. It is possible to have more than one high ∈ M but equal percentage stakes committed by the candidate a signature σ corresponding to m. The message m here is the miners. For example, a candidate miner x commits 30% of block produced by the smart contract. 3) Verify(pk, m, σ): pk his balance for a block i, while another candidate miner y a verification algorithm that takes the public key , the also commits 30% of hisB balance for the same block. Since message m, and the signature σ as inputs, and outputs 0 if σ only one miner is selected for a block, the smart contract has is an invalid signature of m and 1 otherwise. This algorithm to pick one of the two candidates. To resolve this conflict, is used by network peers to verify the block authenticity. the smart contract keeps a record M(mj, hj) of all of the Once the miner verifies all transactions, he generates a public/private key pair, and signs the message i, with his previous blocks computed and their respective miners. It B x private key Sign(sk, i), computes the hash of the block then queries that record and compares how many blocks B y H( i), and sends the block to the smart contract. The smart and have computed prior to the current epoch, and the B one with less prior blocks is selected (algorithm 3). contract authenticates the block by using the public key pk Case 2: Cold start. Assuming a case where both x and y of the miner and releases the block to the network. Upon have not computed any block before, the contract checks the receiving the block, nodes in the network also validate the balance of both candidate miners and selects the one with miner’s signatures. This process prevents forks in case an a greater balance. This fulfills the third objective defined adversary publishes a counterfeit block to the network. in §3.3, whereby miners with the higher balance benefit When an epoch ends after ep, the mempools at each for their overall stake. In algorithm 3, we describe how node are filled by transactions exchangedD during the epoch. the smart contract selects the final list of miners, resolves The probability of z number of transactions arriving at a IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS 6 s r s r e e n i n i

M this inconsistency, K must agree upon a common mempool

M

d e e t z a i

l state to output consistent parameters for the next epoch. d a i n d i n F

a For a common the mempool state, the miners execute C PBFT protocol. In Fig.4, we give an overview of the PBFT- based consensus and for more details we refer the reader to [16]. In a cryptocurrency network, where the number of peers can be in the thousands, applying PBFT can be infeasible. However, in e-PoS, PBFT is executed among

A miners. Since k in an epoch is much less than n, PBFT l l

n

o can be applied efficiently. The smart contract randomly d e s

k i specifies a primary replica in which will share its mempool n

n e

t view with other replicas and obtain consensus. To ensure w

Fig. 3.o A overview of e-PoS-based blockchain system consisting of r

k that all replicas faithfully execute the protocol, we create network peers, candidate miners, and finalized miners. The shades of blocks represent their stakes and reward in descending order. a dependency between epochs. Miners’ rewards are not released by the contract until the next epoch is successfully initiated. Therefore, to favor self interest, miners will initiate Request Pre-Prepare Prepare Commit Reply Client the next epoch and its smart contract. In Fig.5, we provide

Primary a complete workflow of e-PoS starting from computing the baseline stake to block mining by the final list of miners K.

Replica 1 Benefits and Limitation of Using Mempool. In e-PoS we use the mempool to derive the epoch length and the baseline Replica 2 stakes. Our mempool-based approach is novel since it has not be adopted by existing PoS models. In this section, we Replica 3 succinctly summarize the key aspects of our technique. In blockchain systems, mempool is a repository of un- Fig. 4. PBFT protocol overview where client issues a request to the confirmed transactions from which miners select transac- primary replica. The primary broadcasts the transaction to all the other tions for blocks. Ideally, if the block size is equal to the replicas. The replicas validate the transaction and share their view with mempool size, there is no transaction backlog and all trans- each other. The process of transaction verification follows four stages, namely Pre-Prepare, Prepare, Commit, and Reply. The transaction, in actions are processed within the expected time. However, in this case will be the mempool view issued by the primary itself. practice, there is usually a transaction backlog that can harm the blockchain system as shown in [23]. mempool during the epoch can be computed using (7), and Acknowledging the role of a mempool in transaction the new size of mempool s can be calculated using (8). M processing, we use it to determine the epoch length. Our z λT z λDep approach is indeed innovative since the existing PoS-based (λT ) e (λ ep) e P (z arrivals in T ) = = D (7) schemes do not use mempool to determine the epoch length. z ! z ! Moreover, this approach gives us two additional benefits. s = λ T = λ i t = λ ep (8) M × × B × B × D The first benefit is that based on the epoch length and In the next step, the miners k c calculate the param- duration, e-PoS can guarantee a new block at the average eters for the next epoch. For parameter⊂ calculation, miners block time. In the existing blockchain system (i.e., Bitcoin), must agree upon the mempool state so that their baseline while the expected time for a new block is 10 minutes, the stakes, block size, and epoch lengths are consistent. In inter-arrival time between two blocks cannot≈ be guaranteed blockchain systems, mempool states can vary across nodes. to follow the expected time. As a result, the transaction In Bitcoin, for example, the mempool state can change due confirmation can be delayed. In e-PoS, we address this to the varying mempool size limits specified by each node or problem by fixing the epoch duration. the network asynchrony. In Bitcoin, nodes can arbitrarily set The second benefit is that mempool allows us to de- the mempool size to prevent RAM overloading. Therefore, termine the baseline stake for each block. In the existing nodes with different RAM sizes have different mempool blockchain systems, miners tend to prioritize transactions sizes, which can cause inconsistency in our model. based on the transaction fee. Similarly, in e-PoS, we sort The mempool size can also vary due to network asyn- transactions based on the transaction fee in different blocks. chonry typically created by (1) the transaction propagation Each block has a different transaction fee and a candidate delay, and (2) the network topology. Since Bitcoin nodes are miner with a higher balance can bid on a block with a higher spread across autonomous systems [14], [25], the transaction fee. This bidding process ensures that miners with a higher exchange among nodes can experience varying delay. As a balance are rewarded proportional to the stake that they result, nodes that experience high transaction propagation commit. If any miner misbehaves during the protocol, his delay may not receive a transaction in their mempool prior stakes are used to compensate the affected parties. to executing e-PoS. Moreover, at any time, there are 10K While the mempool-based approach has several bene- Bitcoin nodes, and the default connectivity limit is 125≈ [14]. fits, it has a limitation as well. As mentioned earlier, the Therefore, the network does not form a completely con- mempool state can vary across miners due to which they nected topology due to which the transaction propagation may compute different baseline stakes and epoch length. To does not follow the broadcast model [22]. As a result, the prevent that, we use PBFT to ensure that miners agree upon mempool state can vary across nodes at any time. To prevent consistent values of baseline stakes and epoch lengths. IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS 7

Smart Contract by Miners K Rest of the Network Initialize: C(mc, bc) := 0,K(mk, bk) := 0 Network Size: (mn, bn) N Execute PBFT and Compute: l, i, i Await: Baseline stakes for next epoch Fill blocks, Compute baseline stakes,B epochSB length SB Send: Baseline stakes to the network i Receive: Baseline stakes from the smart contract −−−−−−→ Smart−−−−−−−−−−−−−−−−−−−−−−−− Contract by Miners K −−−−−−−−−−−−−−−−−−−−−−−Candidate Miners Compare: Baseline stakes with balance bn Await: List of candidate miners C(mc, bc, c) Select: Target block to be mined i P Pc B Receive: Bids from network nodes Send: Bid on the target block c ←−−−−− P Compute: List of candidate miners and bids C(mc, bc, c) P Smart−−−−−−−−−−−−−−−−−−−−−−−− Contract −−−−−−−−−−−−−−−−−−−−−−−Final List Sort: Bids for each blocks c i Await: Final list of miners P ∈ B Compute: Final list of miners K(mk, bk) K(mk,bk) Send: Final list K(mk, bk) Receive: Final list of miners −−−−−−−−−−→Pk Receive: Final commitment Send: Final commitment k K←−−−−−(m ,b ),Bi P Assign: Blocks to each miner k k Verify: Transactions in the blocks (id, f, s) −−−−−−−−−−−→Bi,Sign(sk,Bi) T Verify: Signatures Verify(pk, m, σ) Generate and Send: Signatures Sign(sk, i) ←−−−−−−−−−−−− B −−−−−−−−−−−−−−−−−−−−−−−− −−−−−−−−−−−−−−−−−−−−−−− Fig. 5. Information workflow between smart contract executed by K for the next epoch. The smart contract computes baseline stakes and receives bids for each block. It then selects the miner list K for the next round. Rewards are released only when the next epoch ends successfully.

4 FEASIBILITY ANALYSIS OF e-PoS are selected at random, in e-PoS, we compliment each miner based on the relative stake that they commit. 4.1 Meeting Requirements

Decentralization. To achieve decentralization and overcome 4.2 Security Analysis of e-PoS skews associated with the conventional PoS, e-PoS applies two conditions: percentage stake commitment and one block In this section, we evaluate e-PoS under notable PoS-based per miner approach during an epoch. The percentage stake attacks. Previously, in section 3.5, we showed that the signa- provides equal opportunities to miners to place a bid on the ture scheme prevents blockchain forks. Some other attacks block of their choice, thereby increasing decentralization. discussed in this section are the majority attacks, stake theft, One block per epoch ensures that an almost unique set and nothing-at-stake. In the following, we analyze each of miners benefits from the fee rewards during the epoch. attack in an e-PoS-based system. For each attack, we assume This also contributes to decentralization and encourages fair a polynomial-time adversary , with knowledge of e-PoS. A mining. Another feature of e-PoS is the conflict resolution For the majority attacks, we assume the has accumulated A when more than one miner meet the criteria. For instance, more than 50% stake in the system. Although the majority if all miners put 99% balance as stake beyond the baseline attacks are naturally less probable in PoS compared to stake, the smart contract consults its mining repository to PoW, since accumulating 50% stakes in a system is more select the miner who has mined less blocks in the past. difficult than acquiring 50% hash rate. However, assuming Relative Reward. Another objective is the relative reward the worst case, we will demonstrate that e-PoS makes the of miners with respect to their stakes. If a miner puts higher attack infeasible for an adversary with 50% stakes. For stake stakes than others, then he must also receive higher mining theft and nothing-at-stake, we assume the adversary knows rewards. We meet that condition by sorting transactions about the operations and communication model of e-PoS, based on their mining fee and calculating baseline stakes ac- and the adversary tries to cheat or halt the auction process. cordingly. In e-PoS, the first block 1 and its corresponding Majority Attack. First, we analyze the notion of fairness baseline stake are greater thanB the subsequent blocks defined in §3.1, in which the adversary with 50% stakes SB1 and their baseline stakes. Furthermore, the last block l (1) launches a majority attack to double-spend, and (2) B and its baseline stake l are less in size and reward than wins each subsequent block auction. In e-PoS, we show that any other block in theSB epoch. Therefore, a rich miner can the probability successfully launching a majority attack is always opt for the blocks higher in the hierarchy of the negligible (2), and the probability of mining consecutive chain to obtain more rewards, while a poor miner can select blocks with 50% hash rate is less than 1 (5). blocks from a lower hierarchy of the chain. This scheme To show that e-PoS achieves fairness, assume n peers in is also applied during a conflict between two miners who the system with a combined balance of α + β coins. Further put equal stakes for a target block. If the two miners have assume that the adversary acquires (α=0.51) coins, and β no history in the mining repository of the smart contract, a is uniformly divided among the remaining n 1 peers. In miner with higher balance is selected. Therefore, e-PoS also the conventional design, (3) will be 1 and the− adversary is considers each miner based on his risk potential. In contrast guaranteed to win the next block. In comparison, assume to the other notable schemes [26], [27], [28], where miners that all peers in e-PoS are greedy, making equal bids of IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS 8

99% of their balance. In that case, the probability that the the victim. Since the baseline stake for each block ( i i) adversary mines the next block becomes: is the cumulative sum of transaction fee in theST block,∈ theB 1 baseline stake acts as an insurance. If one or more transac- Pr( mines the next block in e-PoS α 0.5) = (9) tions are compromised, the baseline stake covers them by A | ≥ n reimbursing their fee. The penalty is derived from the final This is to be noted that if the adversary splits his stake stake committed by the selected miner. Since the final stake among p nodes and each node places a bid of 99%, then the is the percentage balance remaining after the baseline stake, success probability can increase from 1/n to p/n. Neverthe- therefore, the difference ( c i) is used as a penalty. less, as long as there is one honest party in the system, p < n, Nothing at Stake. An argumentP − ST against the non-blocking the probability remains less than 1. In our system, p = n progress of PoS-based applications is called nothing-at-stake means that the adversary controls all nodes in the system [29]. The argument states that a PoS application would halt which is an infeasible assumption in practice. Another way if no miner puts anything on stake. In e-PoS, this condition to express this is that as long as the adversary does not is less likely to arise due to following reasons. First, the hold 100% coins in the system, his probability of winning problem of nothing-at-stake occurs due to centralization of the next block auction remains less than 1. In contrast, in mining. If there are fewer miners in the system, they can the conventional PoS models, with 51% coins, the adversary collude to halt the progress. In e-PoS, our main goal is to wins the next auction with probability 1 (3). break that collusion and centralization. As such, and since Next, we analyze the success probability of launching a mining opportunity is offered to a wider set of stakeholders majority attack (i.e., mining a longer private chain with m (see Table 1), e-PoS will provide equal or better non-blocking consecutive blocks) to replace the public chain. Note that in progress than other PoS schemes. Additionally, the issuer e-PoS, the smart contract maintains a record of miners who or recipient of a transaction would naturally want a non- mine blocks. Provided that, we present two cases in which blocking progress of the system so that their transactions are the adversary launches a majority attack. In the first case, confirmed in time. As such, if there is no miner participating we assume the adversary does not control any other node in the auction process, the smart contract can simply lower in the system. In the second case, we assume the adversary the threshold for the baseline stake to allow the sender or controls p nodes in the system, divides his balance among the receiver of the transaction to mine the block. them, and allows them to put a maximum bid on each block. PBFT Fault Tolerance. As mentioned in section 3.5, k miners For the first case, the probability that the adversary mines in an epoch execute PBFT to obtain a common mempool two successive blocks with α 0.5 becomes ( 1 ) ( 1 ). view. In PBFT, assuming f faulty replicas, the system re- ≥ n × n−1 Therefore, the probability that adversary mines m subse- quires 3f + 1 replicas to behave honestly [16]. In other quent blocks to double-spend becomes: words, 70% miners are expected to behave honestly for ≈ m successful execution of e-PoS. To motivate honest mining, Y 1 Pr( double-spends in e-PoS α 0.5) = . (10) we create a dependency among epochs such that the smart A | ≥ n i i=0 − contract does not release rewards to miners until the next Eq. (10) shows that for a large value of n (a large network epoch is executed correctly. Moreover, if any faulty replica size), the probability of double-spending through a majority is detected, its rewards can be withheld as a penalty. attack becomes negligible. For the second case, the adver- sary’s probability of mining the first block becomes p/n, 5 SIMULATIONS AND RESULTS and the probability of mining the subsequent block becomes Now we present the simulations results to validate the per- (p 1)/(n 1). As such, the probability that adversary mines − − formance of e-PoS compared to conventional PoS schemes. m subsequent blocks to double-spend becomes: We construct three PoS models, namely the random selec- m tion, priority selection, and e-PoS selection. In the random Y p i Pr( double-spends in e-PoS α 0.5) = − . (11) selection, a miner is randomly chosen from the network to A | ≥ n i i=0 − mine the next block. The miner selects the highest paying In Eq. (11), keeping a realistic assumption that p = n, the ad- transactions from the mempool and publishes the block. versary cannot successfully double-spend with6 probability In priority selection, and following the conventional PoS 1. In other PoS models, with 51% coins, the adversary could scheme the miner with more balance is selected for the double-spend with probability 1 (2). Our analysis shows that next block. This design is similar to the existing PoS mod- e-PoS achieves more fairness than conventional PoS models. els applied in cryptocurrencies such as Peercoin, where a Stake Theft. If the adversary is a malicious candidate miner preference is given to the rich miners. To capture that, we assume a subset of greedy miners in the priority selection who commits a very high stake c to the smart contract, and later spends it, he might beP able to game the system. that participate in every block auction and try to win using However, to counter that, we introduced the final stake their high balance. Finally, in the e-PoS selection, we imple- commitment in §3.5. The smart contract confirms that the ment the extended PoS scheme as described in §3. Miners final stake commitment is equal to the initial commitment with balance greater than the baseline stake are allowed to to proceed with the block assignment. Therefore, it prevents place a percentage bid for the block auction. a malicious candidate miner from gaming the system. If the adversary is among the selected miners, and 5.1 Network Overview invalidates one or more transactions in a block, the smart To faithfully model a system closer to the existing contract will punish the adversary by awarding his stake to blockchain applications, we randomly select a network size IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS 9

Original Original Original 6000 Random Priority ePoS 4000 10000 4000 Peers Peers Peers 2000 2000 5000

0 0 0 0 10000 20000 0 20000 40000 60000 0 5000 10000 15000 20000 Balance Balance Balance

(a) Random selection Epoch length = 200 (b) Priority selection Epoch length = 200 (c) e-PoS Epoch length = 200 Fig. 6. Simulation results. Original is the balance distribution prior to the execution. Accordingly, Random, Priority, and e-PoS are the balances after executing the three schemes. The wider gap on the x-axis means that the overall stake in the system has skewed after the execution.

20000 Random 70000 Priority 11000 ePoS baseline stake baseline stake baseline stake 60000 15000 10000 50000 9000 40000 10000 30000

Balance Balance Balance 8000

5000 20000 7000 10000

0 0 6000 0 10 20 30 40 50 0 10 20 30 40 50 0 10 20 30 40 50 Blocks Blocks Blocks (a) Random Selection (b) Priority Selection (c) e-PoS Selection

Fig. 7. Comparison of baseline stake ST i and the balance in the three scheme. In the random selection, half of the miners have balance less than ST i ∈ Bi. This scheme is unfair since miners can easily cheat. In e-PoS, the balances are marginally greater than the baseline stake. in the range of 8,000–9,000 nodes. This is close to the average and obtain all fee rewards. The accumulation of rewards size of Bitcoin network [30]. For each node, we assign a bal- among few miners creates a skew, thereby impacting the ance bn randomly distributed between 0 and 20,000 coins. decentralization property of the scheme. As shown on the In Bitcoin, the average number of transactions per block is x-axis, the balance of these miners increases after the epoch, 2,000. To reflect that, we fix the standard block size s to and there is little to no change in the balance of other miners. B accommodate only 2,000 transactions. Next, we randomly The random selection scheme achieves a higher decen- select the mempool size s between 1–100 blocks to obtain M tralization by distributing block rewards among randomly the epoch length as defined in (6). For each scheme in the selected set of peers in the system. The maximum balance of experiment, we run the simulation for l = 200, and evaluate peers, shown on the x-axis, is less compared to the priority the balance of nodes towards the end of epoch. selection scheme, showing the reward distribution among a larger set of miners. The x-axis shows that the maxi- 5.2 Evaluation Parameters mum balance achieved by a cluster of miners is much less We evaluate each design based on its capability of providing (25,000) compared to the priority selection scheme (40,000). decentralization and fairness guarantees. Decentralization is Moreover, y-axis shows the number of peers in each cluster, measured by βe and βc from (1). Additionally, to evaluate indicating that the lower the height of histogram on y-axis, decentralization in the case of random selection, we use βr. the more distributed is the block reward. As shown in (1), the greater the value of γ, the more decen- Fig.6 also shows that compared to the other two schemes tralized a scheme is compared to the other. Furthermore, the e-PoS is more decentralized and distributes rewards to the fairness and security is measured by comparing the balance maximum set of candidate miners. It can be observed that of the miners with the baseline stake. If the balance before the range of the x-axis, denoting the maximum balance the auction is greater than or equal to the baseline stake acquired by any user, is less than the two other schemes. (b K(m , b ), the system is considered as secure. k k k i To evaluate the security we plot the baseline stake of We∈ evaluate each≥ design ST under these conditions. each block in the first epoch, and the respective balance of each miner. As defined in §5.2, if the balance of the miner 5.3 Results and Evaluation bk K(mk, bk) is greater than the baseline stake i, the In Fig.6, and Fig.7, we report the simulation results. In miner∈ will be disincentivized from cheating. OurST plot in Fig.6, we cluster the balance of peers at the start and end Fig.7 shows that the random selection scheme is unfair and of each epoch to capture the distribution of rewards among vulnerable to attacks, since half of the miners had lower peers. Clustering the balance in histogram bins is useful in balance than the baseline stake. In comparison, the priority presenting the overall state of the network without showing selection and e-PoS are resilient against attacks since each the balance of each node. The figure shows that in priority miner had a higher relative balance than the baseline stake. selection, a subset of rich miners is able to win each auction In e-PoS, the balance of the miner is marginally greater than IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS 10

TABLE 1 created coins and the mining fee of transactions. As such, Simulation results recorded for each scheme. Mean ST i is the average the baseline stake in e-PoS-based Bitcoin would require of baseline stakes of all the blocks in the epoch. Mean b is the k adding the coinbase reward as well, the baseline stake for average balance of all the miners before mining. Unq ki are unique number of miners selected. each block( i = i + 12.5BTC). Moreover,in Bitcoin, ST ST Scheme l Mean i Mean bk Unq ki β Mean γ the standard block size is 1MB, and there is no cap on ST 50 8626.2 10056.9 50 0.0062 0 mempool size. However, due to selective mining, there is Random 100 7346.2 9778.3 96 0.0120 0.0005 often a transaction backlog that reduces the system effi- 200 4892.7 9834.7 192 0.0240 0.0010 ciency. Moreover, varying the hash rate often increases the 50 8626.2 53680.7 10 0.0012 0.0005 Priority 100 7346.2 34614.7 60 0.0075 0.005 time between publication of two subsequent blocks, which 200 4892.7 23327.9 160 0.0200 0.005 at times exceeds 50 minutes. If Bitcoin employs e-PoS, all 50 8626.2 8783.7 50 0.0062 0 blocks will be published at the exact time and in each epoch e-PoS 100 7346.2 7435.1 100 0.0125 0 all transactions will be processed. 200 4892.7 4948.2 200 0.0250 0 Mining Record. In e-PoS, the smart contract maintains a the required threshold, showing a trade-off between decen- mining record, M(mj, hj), in which the history of each tralization and security, and e-PoS meets both requirements. mining node is maintained for a future reference. This In Table1, we report the empirical results obtained from record is consulted if there is a conflict in the block auction, the simulations. In particular, we highlight the decentral- and preference is given to the miner with fewer blocks. In ization parameter β obtained from (1), the unique number Bitcoin, the smart contract can achieve this by mapping the of miners, mean baseline stake, and the mean balance of mining record to the IP addresses of nodes. Nodes in Bitcoin miners prior to block mining. It can be observed that as the connect using IP addresses, and these IP addresses are also number of blocks per epoch increases, the decentralization used as reputation indicators for the node [30]. parameter of e-PoS increases more than random selection The mining record can also be maintained with respect and priority selection. More specifically, and by deriving γ to the accounts held by each user. However, we observe that from (1), we observe that βe βc= 0.005, and βe βr= 0.001 in Bitcoin and Ethereum, a node with a single IP address can − − after the third epoch. Since we asserted that if the value of easily generate multiple accounts. This allows an adversary γ is greater than 0, then e-PoS is deemed to achieve higher to split his balance into multiple accounts using the same decentralization than its competitive schemes. Simulation node, and place multiple bids in each epoch. results complement our assertion. In blockchain systems, creating new accounts is easier than creating a new IP address. For example, if the ad- versary wants to create p unique IP addresses to influence PPLICATIONS OF 6 A e-PoS the mining record, he must either launch p unique nodes By replacing the actual stake with percentage stake, a cryp- or shut down his existing node and restart with a new tocurrency can mitigate centralization of miners. Also, by IP address. We note that both methods are costly. If the driving baseline stakes and number of blocks from the adversary launches p unique blockchain nodes, he must mempool, the security and efficiency of the system can be download the entire blockchain ledger at each node and significantly improved. However, as with any new scheme, concurrently manage them for each auction. In contrast, if there are application-oriented challenges address before e- he restarts his existing machine to acquire a new IP address, PoS adoption by a cryptocurrency such as Bitcoin. his node can take up to several minutes to synchronize Bitcoin network consists of nodes running a software with the network [30], [31]. If the next epoch starts while client (Bitcoin Core) that implements Bitcoin protocols. To the adversary’s nodes are synchronizing, then they will not incorporate e-PoS, the Bitcoin community would have to be able to participate in the auction. Therefore, using IP release a new update that implements e-PoS atop the exist- addresses for mining record is a more useful approach than ing rules set by the system. Below, we mention some other using accounts since switching IP addresses can be more changes that may be required if Bitcoin switches to e-PoS. expensive than switching multiple accounts. Bootstrapping. In e-PoS, each epoch has a dependency on It can be argued that a powerful adversary with more the previous epoch, where miners are required to achieve than 50% coins can afford to launch p machines, each with PBFT-based consensus over smart contract input values. To a unique IP address. In that case, if the adversary splits bootstrap e-PoS, the first epoch needs to be independent, his balance among p nodes then each node will have less since it will not have a dependency on any prior execution balance than the aggregate balance of the adversary before fragment. To achieve that, we propose an intuitive solution, splitting. As such, if p is large, the balance maintained by where any set of k miners in a cryptocurrency can launch each node in p will be smaller. Therefore, in an auction, an a hard fork on the cryptocurrency blockchain. Next, they honest miner with a higher balance can beat the dishonest can execute PBFT for the mempool state and launch the first miner in p with lower balance. To avoid that, the adversary epoch. Once the epoch is launched, the resulting blocks will needs to know the actual balance of each honest party in be announced to the network and all peers can switch to the the system and select the appropriate value of p. Since the new fork. All the subsequent rounds can follow the same balance of an honest party is always anonymous, the ad- procedure outlined in this paper. After the hard fork and the versary cannot compute the precise value of p to dominate bootstrap phase, any cryptocurrency can switch to e-PoS. the auction. In summary, using IP addresses to maintain a Baseline Stake and Epoch Length. In Bitcoin, 12.5 new mining record helps in disincentivizing an adversary. coins (coinbase rewards) are released when a new block Limitations and Future Directions. The smart contract rules is computed. The reward of miners include those newly can be encoded in the software clients such as Bitcoin Core. IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS 11

Bitcoin Core is itself a smart contract with rules to generate, mempool, we incorporated PBFT consensus protocol. validate, and broadcast a transaction. Similarly, e-PoS rules Finally, another limitation of e-PoS is the marginal sac- can be encoded in Bitcoin Core to operate the blockchain rifice of anonymity due to historical dependency on IP application. Moreover, while e-PoS provides several features addresses. In e-PoS, the smart contract maintains a history of for a decentralized and fair blockchain system, it can be each miner through their IP addresses. Since blockchain in further improved to address the following limitations. e-PoS is a public ledger, anyone from outside the network The software clients of blockchain applications are vul- can query and obtain the IP addresses that have mined nerable to attacks [14]. The security of software clients is most blocks. Accordingly, the balance of the IP address can highly critical for e-PoS, and within the scope of this work, also be calculated. Although the IP addresses in Bitcoin we do not cover this aspect. Our simulations were executed and Ethereum nodes are currently public [30], it is perhaps on a prototype smart contract in which we did not face the worthwhile to increase the network anonymity by masking threat of external attackers. However, part of our ongoing those addresses. Our future work involves using techniques work is to securely integrate e-PoS in a modified version of to replace IP addresses with a new identity scheme in the Bitcoin Core and perform an end-to-end security analysis. mining repository. Moreover, besides e-PoS, if the IP usage e-PoS is a multi-phased protocol involving block auction, is replaced by secure yet anonymous identity schemes, then miner selection, and mempool agreement. The message it would benefit existing blockchain applications in general exchange in all these phases adds a time penalty to block by hardening their security against routing attacks [33]. mining. To analyze the time penalty, we use data from the Bitcoin network and try to map it on the e-PoS model. 7 RELATED WORK On average, a Bitcoin transaction takes 2.6 seconds to reach 1000 nodes [30]. In some cases, the delay can be as PoW Limitations. Energy inefficiency of PoW-based high as 8 seconds [30]. If we assume c=1000 candidate min- blockchain applications has been significantly highlighted ers, the primary replica will receive 1000 bids in parallel for before [34], [35], [36], [37]. Dwyer and Malone [35] firt the next epoch. The primary will then execute PBFT among observed the energy intensive computation performed by K miners to set the parameters for the next epoch. Since Bitcoin miners, and postulated it to become a major prob- the average Bitcoin mempool size is 6–10 times the block lem upon Bitcoin expansion. Bahri and Girdzijauskas [34] size, therefore, we can assume K=10 miners.≈ Prior work [32] analyzed the energy consumption of Bitcoin to achieve its shows that in a network size of 10 nodes, PBFT takes 17 core consensus protocol. Their estimates show that Bitcoin milliseconds. Therefore, the PBFT execution will be quick≈ consumes 39.5 TWh of electricity annually, on average. and the bottleneck will be created the bid transmission by Harald Vranken [38] looked into the sustainability of Bit- c to the primary replica in K. Logically, if the candidate coin and blockchains by performing a resource profiling of miners are more than 1000 (i.e., 10K in Bitcoin [30]), the bid major PoW-based blockchain applications. His work also transmission can be delayed by more than 8 seconds. As a attributes the growing energy footprint of the Bitcoin cryp- result, block mining will also be delayed. tocurrency to the endogenous PoW requirements. In some cryptocurrencies such as Bitcoin and Litecoin, PoS Limitations. Although PoS addresses the growing en- this delay can be easily tolerated since their block mining ergy problems of PoW [39], [40], [41], it is vulnerable to a time is 10 minutes and 2.5 minutes, respectively. However, series of attacks and introduces unfairness in the system. in Ethereum the block mining time is 20 seconds, and The phenomenon of “the rich gets richer” in mining has delay caused by the auction in e-PoS may≈ not be tolerable. been reported [42], [43], [44]. In PoS, the baseline stakes We acknowledge this limitation and note that the constraint create a partition in the network in which the number of is due to the network size and block mining policy. If the peers above the baseline continuously benefit from the fee Ethereum network switches to e-PoS, it will have to increase rewards. This keeps increasing the threshold for baseline the block mining time or limit the network size. stake and the margins of partition between the wealthy Another limitation of our work is the marginal sacrifice nodes and the rest of the network. Zheng et al. noticed on the fault tolerance of the system. While the smart contract this limitation of PoS, and highlighted the need for a new can prevent against the majority attacks, however, the key PoS algorithm. Towards that, Kiayias et al. [26] performed security bottleneck is PBFT’s fault tolerance prior to the a formal analysis of PoS-based blockchains using the PoW- execution of the smart contract. PBFT requires at least 70% based theoretical model proposed by Garay et al. [45]. They miners to behave honestly in an epoch. In other words, the formally specified the desirable security properties for a PoS system can only tolerate up to 30% malicious replicas. If an blockchain system, and using those properties they present adversary controls more than 30% of the miners in an epoch, a model called “Ouroboros.” Ouroboros uses a unique re- then e-PoS may not halt due to diverging mempool views. ward mechanism to incentivize PoS-based systems and neu- Therefore, the fault tolerance in e-PoS is low compared to tralize the selfish mining attacks. In Ouroboros, the authors the other PoW and PoS-based cryptocurrencies, where it is use a coin-flipping technique to introduce randomness in 50%. An alternative would be to eliminate PBFT from e-PoS. miner selection. However, as we have shown in Table 1, the However, as a requirement, we need a consensus over the random selection, despite its benefits, may sacrifice fairness. mempool size. In a synchronous environment, as originally To ensure fairness, it is important that the balance of each considered in Bitcoin [21], all nodes have the same mempool stakeholder must be above the baseline stake. In random state at any given moment. In practice, cryptocurrency net- selection (see 7(a)), the balance of a miner was often below works are asynchronous [14], and the mempool views may the baseline stake, which can compromise the security. not be consistent at all times. To achieve consensus over the Therefore, specific to the e-PoS design, random selection IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS 12

of miners can be counterproductive since it sidesteps the and presents a solution that can be used in the existing security requirements of the baseline stake. blockchain systems with various desirable properties. In a similar context, Diant et al. [28] presented SNOW 8 CONCLUSION WHITE, a variant of PoS-based consensus protocol that real- Due to the massive energy footprint and great computa- izes a secure application of PoS in permissionless blockchain tion requirements, PoW-based blockchain applications are systems. Similar to the work of [26], SNOW WHITE also becoming infeasible. In contrast, the popular alternative utilizes random selection of miners to achieve decentraliza- known as the Proof-of-Stake (PoS) suffers from network cen- tion. However, instead of the coin-flipping method in [28], tralization and unfairness. In this paper, we have introduced SNOW WHITE is an extension of the “Sleepy Consensus” [20] an extended form of PoS, termed as e-PoS, which introduces and introduces a dependency among the block headers to fairness in the blockchain network and resists centralization. achieve the notion of randomness. Finally, another notable We introduce a smart contract that runs atop the blockchain work is by Chen et al. [27], called Algorand, which uses and carries out a blind block auction. The smart contract message-passing Byzantine Agreement to achieve consen- applies policies to extend mining opportunities to a wider sus in large-scale distributed systems. Algorand requires set of network peers, and ensures fair reward distribution. significantly less energy to operate and it is currently being The execution of the smart contract is facilitated by miners deployed in a few blockchain systems. that run PBFT-based consensus over the mempool state. We Finally, two other notable PoS-based protocols are Dele- show, by simulation, that e-PoS meets its objectives and can gated Proof-of-Stake (DPoS) and Supernode Proof-of-Stake be applied to existing blockchain systems, such as Bitcoin. (SPoS). In (DPoS), the network participants vote to elect a team of witnesses that mines block [46]. SPoS is an extension REFERENCES of DPoS in which supernodes are elected to mine blocks [47]. [1] A. de Vries, “Bitcoin’s growing energy problem,” Joule, vol. 2, Compared to DPoS, SPoS guarantees a constant inter-arrival no. 5, pp. 801 – 805, 2018. [Online]. Available: http://www. block time and optimized data storage. In both protocols, sciencedirect.com/science/article/pii/S2542435118301776 [2] Digiconomist, “Bitcoin energy consumption index,” miners commit their stakes before mining a block. If miners July 2018. [Online]. Available: https://digiconomist.net/ misbehave, their stakes are confiscated. The key problem bitcoin-energy-consumption with this approach is that if the reward of misbehavior is [3] P. Jacquet and B. Mans, “Green mining: toward a less energetic greater than the stake, a miner can easily cheat, violating impact of cryptocurrencies,” CoRR, vol. abs/1801.07814, 2018. [Online]. Available: http://arxiv.org/abs/1801.07814 the fairness property. No mechanism binds stakes with fee [4] C. Xu, K. Wang, P. Li, S. Guo, J. Luo, B. Ye, and rewards to prevent malicious behavior. M. Guo, “Making big data open in edges: A resource- In e-PoS, we overcome this problem by using the concept efficient blockchain-based approach,” IEEE Trans. Parallel Distrib. Syst., vol. 30, no. 4, pp. 870–882, 2019. [Online]. Available: of baseline stake driven from the mempool. The mempool https://doi.org/10.1109/TPDS.2018.2871449 allows us to precisely calculate the baseline stakes for each [5] D. Deuber, N. Döttling, B. Magri, G. Malavolta, and S. A. K. block in an epoch and set the lower bound commitment. As Thyagarajan, “Minting mechanisms for blockchain - or - a result, the miner’s stake is always greater than or equal moving from cryptoassets to cryptocurrencies,” IACR Cryptology ePrint Archive, vol. 2018, p. 1110, 2018. [Online]. Available: to the baseline stake for each block. If a miner cheats, all https://eprint.iacr.org/2018/1110 victims can be compensated. This feature enables fairness in [6] Y. Jiao, P. Wang, D. Niyato, and K. Suankaewmanee, “Auction e-PoS and distinguishes it from both SPoS and DPoS. mechanisms in cloud/fog computing resource allocation for public blockchain networks,” IEEE Trans. Parallel Distrib. Syst., Another limitation of DPoS and SPoS is that they cannot vol. 30, no. 9, pp. 1975–1989, 2019. [Online]. Available: work in an asynchronous network. For instance, in SPoS, https://doi.org/10.1109/TPDS.2019.2900238 and all witnesses are expected to have a consistent network [7] Digiconomis_Community, “Ethereum energy consumption index view while mining blocks. However, as we extensively (beta),” Aug 2020. [Online]. Available: https://digiconomist.net/ ethereum-energy-consumption discuss in section 3.5, when the blockchain network size [8] C. Badertscher, P. Gazi, A. Kiayias, A. Russell, and V. Zikas, increases, the network can exhibit asynchrony which even- “Ouroboros genesis: Composable proof-of-stake blockchains with tually leads to inconsistency among miners. Both DPoS and dynamic availability,” IACR Cryptology ePrint Archive, vol. 2018, p. SPoS ignore the effect network asynchrony. In e-PoS, we 378, 2018. [Online]. Available: https://eprint.iacr.org/2018/378 [9] S. King and S. Nadal, “Ppcoin: Peer-to-peer crypto-currency with address asynchrony by using the PBFT consensus protocol proof-of-stake,” self-published paper, August, vol. 19, 2012. that synchronizes miners during epochs. [10] G. C. Fanti, L. Kogan, S. Oh, K. Ruan, P. Viswanath, Hybrid Designs. To address the limitations these con- and G. Wang, “Compounding of wealth in proof-of-stake cryptocurrencies,” CoRR, vol. abs/1809.07468, 2018. [Online]. sensus schemes, hybrid approaches have been adopted Available: http://arxiv.org/abs/1809.07468 to converge their benefits and reduce the attack surface. [11] A. Poelstra et al., “Distributed consensus from proof of stake is Duong et al. [48] proposed TwinsCoin; a secure and scal- impossible,” A Treatise on Altcoins, 2014. able hybrid blockchain protocol. Bentov et al. [49] pro- [12] M. Li, J. Weng, A. Yang, W. Lu, Y. Zhang, L. Hou, J. Liu, Y. Xiang, and R. H. Deng, “Crowdbc: A blockchain-based decentralized posed a hybrid blockchain protocol called Proof-of-Activity framework for crowdsourcing,” IEEE Trans. Parallel Distrib. (PoA) which upgrades the defense measures of blockchains Syst., vol. 30, no. 6, pp. 1251–1266, 2019. [Online]. Available: with low penalty on network communications and storage https://doi.org/10.1109/TPDS.2018.2881735 [13] V. Buterin, “"proof of work is the rich get space. Some notable attempts have been made to secure richer squared" says vitalik buterin,” Jul 2018. [On- blockchains against centralization and majority attacks [50], line]. Available: https://www.trustnodes.com/2018/07/10/ [51], [52], [53]. Despite these commendable efforts, there proof-work-rich-get-richer-squared-says-vitalik-buterin is still need for a practical solution that can be applied to [14] M. Saad, V. Cook, L. Nguyen, M. T. Thai, and A. Mohaisen, “Partitioning attacks on bitcoin: Colliding space, time, and logic,” existing cryptocurrencies to enable them to easily transition in IEEE International Conference on Distributed Computing Systems, to PoS. Our proposed model addresses these limitations, 2019. [Online]. Available: https://bit.ly/3o71GYq IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS 13

[15] M. Saad, J. Spaulding, L. Njilla, C. A. Kamhoua, S. Shetty, The Web Conference, 2018, pp. 1165–1169. [Online]. Available: D. Nyang, and D. A. Mohaisen, “Exploring the attack surface http://doi.acm.org/10.1145/3184558.3191553 of blockchain: A comprehensive survey,” IEEE Commun. Surv. [35] K. J. O’Dwyer and D. Malone, “Bitcoin mining and its energy Tutorials, vol. 22, no. 3, pp. 1977–2008, 2020. [Online]. Available: footprint,” 2014. [Online]. Available: http://digital-library.theiet. https://doi.org/10.1109/COMST.2020.2975999 org/content/conferences/10.1049/cp.2014.0699 [16] M. O. T. de Castro, “Practical byzantine fault tolerance,” Ph.D. [36] P. Giungato, R. Rana, A. Tarabella, and C. Tricase, Sustainability, dissertation, Massachusetts Institute of Technology, Cambridge, vol. 9, no. 12, 2017. [Online]. Available: http://www.mdpi.com/ MA, USA, 2000. [Online]. Available: https://bit.ly/2JBJwix 2071-1050/9/12/2214 [17] N. Chondros, K. Kokordelis, and M. Roussopoulos, “On the [37] E. Symitsi and K. J. Chalvatzis, “Return, volatility and practicality of ’practical’ byzantine fault tolerance,” CoRR, vol. shock spillovers of bitcoin with energy and technology abs/1110.4854, 2011. [Online]. Available: http://arxiv.org/abs/ companies,” Economics Letters, vol. 170, pp. 127 – 1110.4854 130, 2018. [Online]. Available: http://www.sciencedirect.com/ [18] Y. Kwon, J. Liu, M. Kim, D. Song, and Y. Kim, “Impossibility of science/article/pii/S0165176518302350 full decentralization in permissionless blockchains,” ser. AFT ’19. [38] H. Vranken, “Sustainability of bitcoin and blockchains,” Current Association for Computing Machinery, 2019, p. 110–123. [Online]. Opinion in Environmental Sustainability, vol. 28, pp. 1 – 9, Available: https://doi.org/10.1145/3318041.3355463 2017, sustainability governance. [Online]. Available: http://www. [19] A. Kiayias, H. Zhou, and V. Zikas, “Fair and robust multi- sciencedirect.com/science/article/pii/S1877343517300015 party computation using a global transaction ledger,” in [39] J. Spasovski and P. Eklund, “Proof of stake blockchain: Annual International Conference on the Theory and Applications of Performance and scalability for groupware communications,” Cryptographic Techniques EUROCRYPT, 2016, pp. 705–734. [Online]. in International Conference on Management of Digital EcoSystems Available: https://doi.org/10.1007/978-3-662-49896-5_25 MEDES, 2017, pp. 251–258. [Online]. Available: http://doi.acm. [20] R. Pass and E. Shi, “Fruitchains: A fair blockchain,” in ACM org/10.1145/3167020.3167058 Symposium on Principles of Distributed Computing, PODC, 2017, pp. [40] M. Bartoletti, S. Lande, and A. S. Podda, “A proof- 315–324. [Online]. Available: https://doi.org/10.1145/3087801. of-stake protocol for consensus on bitcoin subchains,” in 3087809 International Workshop on Financial Cryptography and Data Security, [21] S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” 2017, pp. 568–584. [Online]. Available: https://doi.org/10.1007/ Online, https://bitcoin.org/bitcoin.pdf, 2008. 978-3-319-70278-0_36 [22] J. A. Garay, A. Kiayias, and N. Leonardos, “The bitcoin backbone [41] L. Fan and H. Zhou, “iChing: A scalable proof-of-stake blockchain protocol with chains of variable difficulty,” in International in the open setting (or, how to mimic nakamoto’s design via Cryptology Conference on Advances in Cryptology CRYPTO, proof-of-stake),” IACR Cryptology ePrint Archive, vol. 2017, p. 656, 2017, pp. 291–323. [Online]. Available: https://doi.org/10.1007/ 2017. [Online]. Available: http://eprint.iacr.org/2017/656 978-3-319-63688-7_10 [42] Z. Zheng, S. Xie, H. Dai, X. Chen, and H. Wang, “An overview [23] M. Saad, M. T. Thai, and A. Mohaisen, “POSTER: deterring of blockchain technology: Architecture, consensus, and future DDoS attacks on blockchain-based cryptocurrencies through trends,” in International Congress on Big Data, 2017, pp. 557–564. mempool optimization,” in ACM Asia Conference on Computer and [Online]. Available: https://doi.org/10.1109/BigDataCongress. Communications Security, 2018, pp. 809–811. [Online]. Available: 2017.85 https://goo.gl/4kgiCM [43] L. Ren, “Proof of stake velocity: Building the social currency of the [24] M. Saad, L. Njilla, C. A. Kamhoua, J. Kim, D. Nyang, and digital age,” Self-published white paper, 2014. A. Mohaisen, “Mempool optimization for defending against ddos [44] I. Bentov, A. Gabizon, and A. Mizrahi, “Cryptocurrencies attacks in pow-based blockchain systems,” in IEEE International without proof of work,” in International Conference on Financial Conference on Blockchain and Cryptocurrency, 2019, pp. 285–292. Cryptography and Data Security, 2016, pp. 142–157. [Online]. [Online]. Available: https://doi.org/10.1109/BLOC.2019.8751476 Available: https://doi.org/10.1007/978-3-662-53357-4_10 [25] M. Saad, A. Anwar, A. Ahmad, H. Alasmary, M. Yuksel, and [45] J. A. Garay, A. Kiayias, and N. Leonardos, “The bitcoin A. Mohaisen, “Routechain: Towards blockchain-based secure backbone protocol: Analysis and applications,” in Annual and efficient BGP routing,” in IEEE International Conference International Conference on the Theory and Applications of on Blockchain and Cryptocurrency, 2019, pp. 210–218. [Online]. Cryptographic Techniques, 2015, pp. 281–310. [Online]. Available: Available: https://doi.org/10.1109/BLOC.2019.8751229 https://doi.org/10.1007/978-3-662-46803-6_10 [26] A. Kiayias, A. Russell, B. David, and R. Oliynykov, “Ouroboros: [46] B. Wang, Z. Li, and H. Li, “Hybrid consensus algorithm A provably secure proof-of-stake blockchain protocol,” in based on modified proof-of-probability and dpos,” Future Annual International Cryptology Conference on Advances in Internet, vol. 12, no. 8, p. 122, 2020. [Online]. Available: Cryptology, CRYPTO, 2017, pp. 357–388. [Online]. Available: https://doi.org/10.3390/fi12080122 https://doi.org/10.1007/978-3-319-63688-7_12 [47] Blockchain_Community, “Supernode proof of stake complete [27] J. Chen and S. Micali, “Algorand: A secure and efficient guide by moonking9998,” Jul 2019. [Online]. Available: https: distributed ledger,” Theor. Comput. Sci., vol. 777, pp. 155–183, 2019. //tinyurl.com/y3ecf2xq [Online]. Available: https://doi.org/10.1016/j.tcs.2019.02.001 [48] T. Duong, A. Chepurnoy, L. Fan, and H. Zhou, “Twinscoin: [28] P. Daian, R. Pass, and E. Shi, “Snow white: Robustly A cryptocurrency via proof-of-work and proof-of-stake,” in reconfigurable consensus and applications to provably secure International Workshop on Blockchains, Cryptocurrencies, and proof of stake,” in International Conference on Financial Cryptography Contracts, 2018. [Online]. Available: https://bit.ly/383qScA and Data Security, 2019, pp. 23–41. [Online]. Available: https: [49] I. Bentov, C. Lee, A. Mizrahi, and M. Rosenfeld, “Proof //doi.org/10.1007/978-3-030-32101-7_2 of activity: Extending bitcoin’s proof of work via proof of [29] J. Martinez and J. Martinez, “Understanding proof of stake: stake [extended abstract]y,” SIGMETRICS Performance Evaluation The nothing at stake theory,” Jun 2018. [Online]. Available: Review, vol. 42, no. 3, pp. 34–37, 2014. [Online]. Available: https://bit.ly/3az1jlw http://doi.acm.org/10.1145/2695533.2695545 [30] Bitnodes, “Global bitcoin nodes distribution.” [Online]. Available: [50] T. Duong, A. Chepurnoy, and H. Zhou, “Multi-mode cryptocur- https://bitnodes.earn.com/ rency systems,” IACR Cryptology ePrint Archive, vol. 2018, p. 129, [31] B. Community, “Bitcoin core version history,” 2018, https:// 2018. [Online]. Available: http://eprint.iacr.org/2018/129 bitcoin.org/en/version-history. [51] W. Li, S. Andreina, J. Bohli, and G. Karame, “Securing [32] H. Sukhwani, J. M. Martínez, X. Chang, K. S. Trivedi, and proof-of-stake blockchain protocols,” in International Workshops A. Rindos, “Performance modeling of PBFT consensus process on Data Privacy Management, Cryptocurrencies and Blockchain for permissioned blockchain network (hyperledger fabric),” in Technology, 2017, pp. 297–315. [Online]. Available: https: Symposium on Reliable Distributed Systems, 2017, pp. 253–255. //doi.org/10.1007/978-3-319-67816-0_17 [Online]. Available: https://doi.org/10.1109/SRDS.2017.36 [52] J. Spasovski and P. W. Eklund, “Proof of stake blockchain: [33] M. Apostolaki, A. Zohar, and L. Vanbever, “Hijacking bitcoin: Performance and scalability for groupware communications,” in Routing attacks on cryptocurrencies,” in IEEE Symposium on International Conference on Management of Digital EcoSystems, 2017, Security and Privacy, 2017, pp. 375–392. [Online]. Available: pp. 251–258. [Online]. Available: http://doi.acm.org/10.1145/ https://doi.org/10.1109/SP.2017.29 3167020.3167058 [34] L. Bahri and S. Girdzijauskas, “When trust saves energy: A [53] Team Rocket, “Snowflake to avalanche: A novel metastable con- reference framework for proof of trust (pot) blockchains,” in sensus protocol family for cryptocurrencies,” 2018.