
The idea of digital currencies deployed in a distributed network, secured by cryptographically and game-theoretically sound primitives rather than by trust, had been discussed in limited circles of enthusiasts for decades before being formalized for the first time by David Chaum [Cha82]. Between then and the introduction of Bitcoin [Nak08] in 2008, numerous researchers in the field [Cha82; LSS96; Wei98; VCS03; Sza05] attempted to propose a viable digital currency protocol, none of which achieved mainstream acclaim.

The first mainstream breakthrough came with the release of the Bitcoin whitepaper [Nak08], which ushered in a new era of research and enthusiasm. Built on top of a novel digital ledger called "blockchain" and secured by a Proof-of-Work consensus protocol inspired by [DGN04] and [Bac02], Bitcoin became the first truly decentralized digital currency, and it inspired work on other decentralized applications, such as decentralized DNS [Nam11] and the distributed state machine [Woo19]. Soon after the release of Bitcoin, researchers started discovering numerous issues previously unknown to the creator(s) of Bitcoin. [KCW13; ES18; GKL15; SSZ17; PSS17; Bon16] identified deficiencies in the assumptions outlined in the Bitcoin whitepaper with regard to both the consensus protocol and the economic model. In addition, the paper [RS12] published by Ron and Shamir was the first of many to demonstrate how easily Bitcoin transactions can be analyzed and how little anonymity Bitcoin users actually retain.

The excessive energy consumption required to retain the security guarantees of the data stored in the ledger has been another point of contention for the Bitcoin protocol. Over the years, multiple researchers have tackled the issue with various solutions, the majority of which revolve around the concept of "one vote per share" instead of "one vote per CPU". The idea of Proof-of-Stake was first formalized in the Peercoin whitepaper [KN12], followed by [Ben+14; BG17]. A more formal approach was taken by [DPS16; Kia+17; Dav+18]. The protocols referenced above belong to the family of "chain-based" Proof-of-Stake protocols, which essentially emulate the Proof-of-Work family of protocols while maintaining similar security assumptions. The downside of the probabilistic finality of "chain-based" protocols was tackled by Algorand [Mic16], which utilized various novel techniques to guarantee instant finality while retaining the "permissionlessness" of the underlying protocol. Unfortunately, the protocol came with its own disadvantages, mainly revolving around its security assumptions (67% of the circulating supply is required to be honest and to participate in the consensus execution) as well as its committee (2000+ members) and certificate sizes.

Understanding the importance of anonymity, researchers began working on techniques to convert Bitcoin into an anonymity-preserving protocol. The initial idea was to utilize mixers, trusted services which combine the inputs and outputs of multiple users into a single transaction. The downsides of this service were its reliance on trust as well as its lack of obfuscation of the amounts involved. This initial resurgence of interest in anonymity-preserving digital currencies was followed by the publications of [Sab13; Hop+19; Max15; NMM16; Poe16; Fau+18; Bun+19], which took differing approaches to the problem with differing outcomes. The resulting rise of interest has seen multiple projects, such as Monero and Zcash, surge to popularity with the preservation of anonymity as their main selling point.

2 Our Contributions

Our contributions include the development of a novel Private Proof-of-Stake protocol (to be discussed more thoroughly in Section 5.3), a permissionless Proof-of-Stake protocol with statistical finality guarantees (Section 5), a quasi-Turing-complete Virtual Machine with zero-knowledge proof verification capability (Section 6) and a confidentiality-preserving account-based transaction
