On the (in)security of Proofs-of-Space based Longest-Chain Blockchains
Mirza Ahad Baig, Krzysztof Pietrzak
TL;DR
This work analyzes the security of proofs-of-space (PoSpace) based longest-chain blockchains under dynamic resource availability. It formalizes a model with honest space exceeding adversarial space by a factor $φ>1$, while per-block space can vary within $[1/(1+ε),1+ε]$ and space replotting incurs a delay $ρ$, then introduces a deterministic forking game to quantify adversarial leverage. The main result is an impossibility theorem: for every chain-selection rule $Λ$, an adversary can construct a fork of length $ℓ$ that will win, with $ℓ$ scaling roughly as $Θ(ρ φ^2/ε)$ and a precise bound given by the derived expression; a near-matching upper bound is shown for a specific rule $Λ_{tent}$. This shows that no PoSpace-based Nakamoto-style longest-chain protocol can be secure under dynamic availability without additional assumptions or mechanisms. The paper discusses how existing PoSpace systems like Chia and Filecoin circumvent the impossibility by integrating time proofs or registration and BFT-like consensus, and highlights open problems including tightening the bounds and designing secure chain-selection rules under realistic models.
Abstract
The Nakamoto consensus protocol underlying the Bitcoin blockchain uses proof of work as a voting mechanism. Honest miners who contribute hashing power towards securing the chain try to extend the longest chain they are aware of. Despite its simplicity, Nakamoto consensus achieves meaningful security guarantees assuming that at any point in time, a majority of the hashing power is controlled by honest parties. This also holds under ``resource variability'', i.e., if the total hashing power varies greatly over time. Proofs of space (PoSpace) have been suggested as a more sustainable replacement for proofs of work. Unfortunately, no construction of a ``longest-chain'' blockchain based on PoSpace, that is secure under dynamic availability, is known. In this work, we prove that without additional assumptions no such protocol exists. We exactly quantify this impossibility result by proving a bound on the length of the fork required for double spending as a function of the adversarial capabilities. This bound holds for any chain selection rule, and we also show a chain selection rule (albeit a very strange one) that almost matches this bound. Concretely, we consider a security game in which the honest parties at any point control $φ>1$ times more space than the adversary. The adversary can change the honest space by a factor $1\pm \varepsilon$ with every block (dynamic availability), and ``replotting'' the space takes as much time as $ρ$ blocks. We prove that no matter what chain selection rule is used, in this game the adversary can create a fork of length $φ^2\cdot ρ/ \varepsilon$ that will be picked as the winner by the chain selection rule. We also provide an upper bound that matches the lower bound up to a factor $φ$. There exists a chain selection rule which in the above game requires forks of length at least $φ\cdot ρ/ \varepsilon$.