The Combinatorics of the Longest-Chain Rule: Linear Consistency for Proof-of-Stake Blockchains

Erica Blum, Aggelos Kiayias, Christopher Moore, Saad Quader, Alexander Russell

Research output: Chapter in Book/Report/Conference proceedingConference contribution


Blockchain data structures maintained via the longest-chain rule have emerged as a powerful algorithmic tool for consensus algorithms. The technique—popularized by the Bitcoin protocol—has proven to be remarkably flexible and now supports consensus algorithms in a wide variety of settings. Despite such broad applicability and adoption, current analytic understanding of the technique is highly dependent on details of the protocol’s leader election scheme. A particular challenge appears in the proof-of-stake setting, where existing analyses suffer from quadratic dependence on suffix length. We describe an axiomatic theory of blockchain dynamics that permits rigorous reasoning about the longestchain rule in quite general circumstances and establish bounds—optimal to within a constant—on the probability of a consistency violation. This settles a critical open question in the proof-of-stake setting where we achieve linear consistency for the first time. Operationally, blockchain consensus protocols achieve consistency by instructing parties to remove a suffx of a certain length from their local blockchain. While the analysis of Bitcoin guarantees consistency with error 2-k by removing O(k) blocks, recent work on proof-of-stake (PoS) blockchains has suffered from quadratic dependence: (PoS) blockchain protocols, exemplified by Ouroboros (Crypto 2017), Ouroboros Praos (Eurocrypt 2018) and Sleepy Consensus (Asiacrypt 2017), can only establish that the length of this suffx should be Θ(k2). This consistency guarantee is a fundamental design parameter for these systems, as the length of the suffix is a lower bound for the time required to wait for transactions to settle. Whether this gap is an intrinsic limitation of PoS—due to issues such as the “nothing-at-stake” problem—has been an urgent open question, as deployed PoS blockchains further rely on consistency for protocol correctness: in particular, security of the protocol itself relies on this parameter. Our general theory directly improves the required suffix length from Θ(k2) to Θ(k). Thus we show, for the first time, how PoS protocols can match proof-of-work blockchain protocols for exponentially decreasing consistency error. Our analysis focuses on the articulation of a two-dimensional stochastic process that captures the features of interest, an exact recursive closed form for the critical functional of the process, and tail bounds established for associated generating functions that dominate the failure events. Finally, the analysis provides an explicit polynomial-time algorithm for exactly computing the exponentially-decaying error function which can directly inform practice.
Original languageEnglish
Title of host publicationProceedings of the 2020 ACM-SIAM Symposium on Discrete Algorithms
Number of pages20
ISBN (Electronic)978-1-61197-599-4
Publication statusPublished - 8 Jan 2020
EventACM-SIAM Symposium on Discrete Algorithms (SODA20) - Salt Lake City, United States
Duration: 5 Jan 20208 Jan 2020
Conference number: 2020


ConferenceACM-SIAM Symposium on Discrete Algorithms (SODA20)
Abbreviated titleSODA
CountryUnited States
CitySalt Lake City
Internet address

Fingerprint Dive into the research topics of 'The Combinatorics of the Longest-Chain Rule: Linear Consistency for Proof-of-Stake Blockchains'. Together they form a unique fingerprint.

Cite this