Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Computing Optimal Manipulations in Cryptographic Self-Selection Proof-of-Stake Protocols

Matheus V. X. Ferreira, Aadityan Ganesh, Jack Hourigan, Hannah Huh, S. Matthew Weinberg, Catherine Yu

TL;DR

The paper addresses the question of how much a strategic actor can manipulate leadership in cryptographic self-selection for Proof-of-Stake protocols. It introduces a principled, computational approach that recasts the problem as finding fixed points of nonlinear sampling operators and uses controlled truncation, discretization, and inflation/deflation to bound errors with provable guarantees. The authors develop a LinearCSSPA variant, propose an ideal fixed-point simulation, and provide practical algorithms to approximate the optimal adversarial reward and strategy, including finite-sample methods and precomputation techniques. Their experimental results tighten prior bounds (e.g., for a 10% stake, 0.1–well-connected adversaries lead at most about 10.15% of rounds) and highlight the crucial role of network connectivity in the profitability of manipulation, with broader implications for designing less manipulable leader selection schemes.

Abstract

Cryptographic Self-Selection is a paradigm employed by modern Proof-of-Stake consensus protocols to select a block-proposing "leader." Algorand [Chen and Micali, 2019] proposes a canonical protocol, and Ferreira et al. [2022] establish bounds $f(α,β)$ on the maximum fraction of rounds a strategic player can lead as a function of their stake $α$ and a network connectivity parameter $β$. While both their lower and upper bounds are non-trivial, there is a substantial gap between them (for example, they establish $f(10\%,1) \in [10.08\%, 21.12\%]$), leaving open the question of how significant of a concern these manipulations are. We develop computational methods to provably nail $f(α,β)$ for any desired $(α,β)$ up to arbitrary precision, and implement our method on a wide range of parameters (for example, we confirm $f(10\%,1) \in [10.08\%, 10.15\%]$). Methodologically, estimating $f(α,β)$ can be phrased as estimating to high precision the value of a Markov Decision Process whose states are countably-long lists of real numbers. Our methodological contributions involve (a) reformulating the question instead as computing to high precision the expected value of a distribution that is a fixed-point of a non-linear sampling operator, and (b) provably bounding the error induced by various truncations and sampling estimations of this distribution (which appears intractable to solve in closed form). One technical challenge, for example, is that natural sampling-based estimates of the mean of our target distribution are \emph{not} unbiased estimators, and therefore our methods necessarily go beyond claiming sufficiently-many samples to be close to the mean.

Computing Optimal Manipulations in Cryptographic Self-Selection Proof-of-Stake Protocols

TL;DR

The paper addresses the question of how much a strategic actor can manipulate leadership in cryptographic self-selection for Proof-of-Stake protocols. It introduces a principled, computational approach that recasts the problem as finding fixed points of nonlinear sampling operators and uses controlled truncation, discretization, and inflation/deflation to bound errors with provable guarantees. The authors develop a LinearCSSPA variant, propose an ideal fixed-point simulation, and provide practical algorithms to approximate the optimal adversarial reward and strategy, including finite-sample methods and precomputation techniques. Their experimental results tighten prior bounds (e.g., for a 10% stake, 0.1–well-connected adversaries lead at most about 10.15% of rounds) and highlight the crucial role of network connectivity in the profitability of manipulation, with broader implications for designing less manipulable leader selection schemes.

Abstract

Cryptographic Self-Selection is a paradigm employed by modern Proof-of-Stake consensus protocols to select a block-proposing "leader." Algorand [Chen and Micali, 2019] proposes a canonical protocol, and Ferreira et al. [2022] establish bounds on the maximum fraction of rounds a strategic player can lead as a function of their stake and a network connectivity parameter . While both their lower and upper bounds are non-trivial, there is a substantial gap between them (for example, they establish ), leaving open the question of how significant of a concern these manipulations are. We develop computational methods to provably nail for any desired up to arbitrary precision, and implement our method on a wide range of parameters (for example, we confirm ). Methodologically, estimating can be phrased as estimating to high precision the value of a Markov Decision Process whose states are countably-long lists of real numbers. Our methodological contributions involve (a) reformulating the question instead as computing to high precision the expected value of a distribution that is a fixed-point of a non-linear sampling operator, and (b) provably bounding the error induced by various truncations and sampling estimations of this distribution (which appears intractable to solve in closed form). One technical challenge, for example, is that natural sampling-based estimates of the mean of our target distribution are \emph{not} unbiased estimators, and therefore our methods necessarily go beyond claiming sufficiently-many samples to be close to the mean.
Paper Structure (43 sections, 37 theorems, 46 equations, 4 figures, 2 tables)

This paper contains 43 sections, 37 theorems, 46 equations, 4 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Very Brief Technical Highlight
  3. Related Work
  4. Preliminaries
  5. Primitives
  6. Cryptographic Self-Selection
  7. Model
  8. The Adversarial Game and Reward
  9. Biased Seeds and Stopping Times
  10. The Omniscient Adversary
  11. Estimating the Optimal Adversarial Reward
  12. A Linear Version of $\mathop{\mathrm{CSSPA}}\nolimits(\alpha, \beta)$
  13. The Ideal Simulation
  14. The Optimal Solution
  15. Moving from Ideal to Practical
  16. ...and 28 more sections

Key Result

Theorem 1

Let $S(X, \alpha)$ be any balanced scoring function. Then, for all $n \in \mathbb{N}$ and $(\alpha_i )_{1 \leq i \leq n}$, the random variables are identically distributed for $X, X_1, \dots, X_n \sim U[0, 1]$.

Figures (4)

  • Figure 1: Marginal reward vs adversarial stake. Legend: orange--upper bound from FHWY22; blue-- tight upper bound for the omniscient adversary; green-- un-inflated simulated upper bound for $\beta = 1$; red-- reward from the $1$-lookahead strategy in FHWY22.
  • Figure 2: Marginal reward vs adversarial stake. Legend: brown-- un-inflated simulated upper bounds for $\beta = 1$; red-- un-inflated simulated upper bounds for $\beta = 0.5$; blue-- un-inflated simulated upper bounds for $\beta = 0$.
  • Figure 3: Marginal reward vs network connectivity. Legend: orange-- un-inflated simulated upper bound for $\alpha = 0.25$, blue-- un-deflated simulated lower bound for $\alpha = 0.25$
  • Figure 4: Omniscient adversarial reward vs adversarial stake. The blue line maps the reward of the honest strategy while the red curve maps the upper bound on the omniscient adversarial reward from FHWY22. The yellow and the green curve are the non-closed form upper bound and the upper bound in \ref{['thm:OmniSummary']} respectively. The non-closed form upper bound is tight up to an additive error of $10^{-7}$.

Theorems & Definitions (54)

  • Definition 1: Ideal Verifiable Random Function (Ideal $\textsc{VRF}$)
  • Example 1: $\textsc{VRF}$s through digital signatures
  • Definition 2: Balanced Scoring Functions
  • Theorem 1
  • Definition 3: Cryptographic Self-Selection Protocol $A$ (CSSPA); FHWY22
  • Definition 4: Logarithmic Scoring Function
  • Definition 5: Exponential Distribution
  • Lemma 1: Lemma 2.1 from FHWY22
  • Lemma 2: Lemma 4.3 from FHWY22
  • Definition 6: $\mathop{\mathrm{CSSPA}}\nolimits(\alpha, \beta)$
  • ...and 44 more