Litecoin was the first major alternative cryptocurrency, using the Scrypt hash function instead of Bitcoin's SHA-256 to make specialized mining hardware less effective. Spacemint proposes using proofs of storage space instead of computational power for mining. Alternative cryptocurrencies aim to address drawbacks of Bitcoin like high energy use, lack of anonymity, and non-Turing complete scripts by using different consensus mechanisms like proofs of stake and storing useful data.

1. Alternative Cryptocurrencies
Stefan Dziembowski
University of Warsaw
Workshop on Bitcoin, Introduction to Cryptocurrencies,
Kfar Maccabiah, Ramat Gan, Israel, June 6-7, 2016

2. Drawbacks of Bitcoin’s PoWs
costs money
bad for
environment
1. high energy consumption
2. advantage for people with
dedicated hardware

3. Drawbacks of Bitcoin transaction
system
1. lack of real anonymity
2. non-Turing complete scripts
OP_DUP OP_HASH160
02192cfd7508be5c2e6ce9f1b6312b7f268476d2
OP_EQUALVERIFY OP_CHECKSIG

4. Natural questions
Can we have:
1. PoWs where there is no mining in hardware?
2. more energy-efficient PoWs?
3. PoWs doing something useful?
4. PoWs that are impossible to outsource (so there are no
mining pools)?
5. a cryptocurrency with real anonymity?
6. a cryptocurrency with Turing-complete scripts?
Answer to most of these questions: yes (but still some more
research is needed).

5. Alternative cryptocurrencies
a) Litecoin – a currency where hardware mining is
(supposedly) harder
b) Spacemint – a currency based on the Proofs of Space
c) Currencies based on the Proofs of Stake
d) Currencies doing some useful work (Primecoin,
Permacoin)
e) Zerocash – a currency with true anonymity
f) Ethereum – a currency with Turing-complete scripts
g) Other uses of the Blockchain technology
Disclaimers: (a) some of them are just academic
proposals, (b) this order is not chronologic.

6. Plan
1. Litecoin – a currency based on the
Scrypt hash function
2. Spacemint – a currency based on the
Proofs of Space
3. Currencies based on the Proofs of Stake
4. Currencies doing some useful work
(Primecoin, Permacoin)
5. Ethereum – a currency with Turing-
complete scripts
6. Other uses of the Blockchain technology

7. Litecoin
Released in Oct 2011 by Charles Lee.
Instead of SHA256 Litecoin uses scrypt hash function
introduced in:
Colin Percival, Stronger Key Derivation via Sequential Memory-
Hard Functions, 2009.
Idea: scrypt is a function whose computation requires a lot of
memory, so it’s hard to implement it efficiently in hardware
as of June 2016:
Market cap ≈ 226 million USD
1 L𝐓𝐂 ≈ 5 USD
really?

8. How scrypt works?
𝐕𝟏 = 𝐇(𝐗) 𝐕𝟐 = 𝐇(𝐕𝟐)𝐕𝟎 = 𝐗 𝐕 𝑵−𝟏 = 𝐇(𝐕 𝐍−𝟐). . .
second phase: compute the output by accessing the table
”pseudorandomly”
Z ≔ 𝐇(𝐕 𝐍−𝟏)
for i = 0 to N − 1 do
𝐣 ∶= 𝐗 𝐦𝐨𝐝 𝐍
Z ≔ 𝐇(𝐙 ⊕ 𝐕𝐣)
output Z
computing scrypt(X)
init phase: fill-in at table of length 𝐍 with pseudorandom expansion of 𝐗.
𝐕𝟎 𝐕𝟏 𝐕𝟐 𝐕𝟑 𝐕𝟒 𝐕𝟓 𝐕𝟔 𝐕𝟕 𝐕𝟖 𝐕𝟗
result (for N = 10):

9. What is known about scrypt?
[Percival, 2009]:
• it can be computed in time 𝑶(𝐍),
• to compute it one needs time 𝐓 and space 𝐒 such that
𝐒 × 𝐓 = 𝛀 𝐍 𝟐
this holds even on a parallel machine.
Pictorially:
a circuit
computing
scrypt
output
input
T
S

10. An observation
[Alwen, Serbinenko, STOC’15]: this definition is not
strong enough.
The adversary that wants to compute scrypt in parallel
can “amortize space”. Example:
S S S
T
𝟑𝐒
𝟐
can be
computed in
parallel as
follows:
Note:
𝟑𝐒
𝟐
≪ 𝟑𝐒.
So: the bound provided by Percival is meaningless.
circuitfor
scrypt
circuitfor
scrypt
circuitfor
scrypt

11. The contribution of [Alwen and Serbinenko]
1. the “right” definition:
2. a construction that satisfies this definition (uses
advanced graph theory).
a circuit
computing
scrypt
T
S
instead of looking at 𝐒 × 𝐓. . . look at the sum of
memory cells used over
time
“the area on the picture”

12. Open problem
Prove security of the
scrypt function in the
[Alwen, Serbinenko]
model.

13. Plan
1. Litecoin – a currency based on the
Scrypt hash function
2. Spacemint – a currency based on the
Proofs of Space
3. Currencies based on the Proofs of Stake
4. Currencies doing some useful work
(Primecoin, Permacoin)
5. Ethereum – a currency with Turing-
complete scripts
6. Other uses of the Blockchain technology

14. Spacemint
[Sunoo Park, Krzysztof Pietrzak, Albert Kwon, Joël Alwen,
Georg Fuchsbauer, Peter Gaži, Eprint 2015]
Based on the Proofs of Space [D., Faust, Kolmogorov, and
Pietrzak, CRYPTO 2015]
Main idea: Replace work by disk space.
Advantages:
• no “dedicated hardware”,
• less energy wasted (“greener”).

15. Example of an application other than
cryptocurrencies
Goal: prevent malicious users from opening lots of fake
accounts.
Method: force each account owner to “waste” large part
of his local space.
Important: the space needs to be allocated as long as the
user uses the service.
cloud computing service
(e.g. email system)

16. Main difference from PoWs
To prove that one wasted n CPU cycles one needs to
perform these cycles.
while:
To prove that one wasted n bytes one does not need
touch all of them.

17. Advantages
• more energy-efficient
• no “hardware acceleration”
• cheaper (user can devote their unused disk space)

18. The security definition

19. How to measure time and space
Time is measured in terms of the calls
to a random oracle 𝑯.
Space is measured in blocks of length 𝑳
(outputs of 𝑯).
E.g. 𝑳 = 𝟐𝟓𝟔.
block
𝑳

20. The general scenario
verify prove
R
𝑵 blocks of length 𝑳.
...
𝐈𝐧𝐢𝐭(𝐈𝐝)
𝐏𝐫𝐨𝐨𝐟
𝐏𝐫𝐨𝐨𝐟 proveverify
prover’s memory
verifer prover
output ∈ {𝐚𝐜𝐜𝐞𝐩𝐭, 𝐫𝐞𝐣𝐞𝐜𝐭}
𝐈𝐝, 𝑵 𝐈𝐝, 𝑵
The proof is done with respect to an identifier 𝐈𝐝 (e.g. email address).
𝐈𝐝 should be unique for each execution
(e.g. can contain a nonce from a verifier)

21. How to define security of a PoS
Properties:
• completeness,
• soundness, and
• efficiency.
If the prover is honest then
the verifier will always
accept the proof.
less trivial to define

22. How to define the efficiency?
Let us show a very simple (but not efficient)
PoS.
Note: we have not defined the security yet, so
it’s just an “informal example”.

23. A “trivial PoS”
𝑹 = (𝑹 𝟏, … , 𝑹 𝑵)
𝑱 ⊆ 𝟏, … , 𝑵
such that 𝑱 = 𝒌
𝑹𝒊 𝒊∈𝑱
R
𝐏𝐫𝐨𝐨𝐟
checks if
the answer
is correct
Note: if 𝑹 is generated pseudorandomly then he need to store
only the seed.
Easy to see:
to pass the verification the
prover needs to store ≈ 𝑹
data.
Problem:
the initialization phase
requires the verifier to do a lot
of work
𝐈𝐧𝐢𝐭random
𝒌 – security
parameter

24. Efficiency
verifier prover
𝐈𝐧𝐢𝐭 𝐩𝐨𝐥𝐲(𝐥𝐨𝐠 𝑵 , 𝒌) 𝐩𝐨𝐥𝐲(𝑵)
𝐏𝐫𝐨𝐨𝐟 𝐩𝐨𝐥𝐲(𝐥𝐨𝐠 𝑵 , 𝒌) 𝐩𝐨𝐥𝐲(𝐥𝐨𝐠 𝑵 , 𝒌)
We require that the computing time of the parties is as
follows:
Note:
this also imposes limit on communication complexity.
Remark:
In our protocols 𝐩𝐨𝐥𝐲 is small (e.g.: 𝐩𝐨𝐥𝐲 𝐥𝐨𝐠 𝑵 , 𝒌 = 𝐤 ⋅ 𝐥𝐨𝐠 𝑵).

25. How to define soundness?
Informally:
we want to force a cheating prover to constantly
waste a lot of memory.

26. What would be the goal of a cheating prover?
“Compress” 𝑹:
verify prove
...
Init(Id)
proof
proofverify
𝑿
𝑵 𝟎 ≪ 𝑵 “blocks”
prove
𝑹
𝑵

27. Observation: a cheating prover has a simple
(but inefficient) winning strategy.
Init(Id)
erase 𝑹 but store all the
messages from the verifier:
each time
before the
proof:
erase 𝑹
X
𝐩𝐨𝐥𝐲(𝐥𝐨𝐠 𝑵 , 𝒌)
answer by
simulating
expand by
simulating
Rproof
X
Moral:
we need to restrict the power of
a cheating prover.

28. Restrictions on cheating prover
We restrict his operating time.
We say that 𝑷 is an
𝑵, 𝑻 -cheating prover
if:
size of
𝑷’s storage
time used by 𝑷
during 𝐏𝐫𝐨𝐨𝐟
(we also have a variant of a definition with a restriction on
𝑷 ‘s space during proof).
Note: no restrictions on 𝑷’s computing power during 𝐈𝐧𝐢𝐭.

29. Security definition
A protocol is a 𝑵, 𝑻 -Proof of Space if it is
complete, efficient, and sound.
∀
𝑵, 𝑻
-cheating
prover
𝐚𝐜𝐜𝐞𝐩𝐭𝐬
P( ) ≤ 𝐧𝐞𝐠𝐥(𝐤)

30. The constructions

31. Why is constructing the PoS schemes hard?
Time-memory tradeoffs
R
X
time
𝑵
R
𝑵
𝑵
Instead of storing 𝑵 blocks
the adversary stores 𝑵 blocks
and before every 𝐏𝐫𝐨𝐨𝐟 phase
computes 𝑹 in time 𝑵.
For example:

32. Example of a time-memory
tradeoff: function inversion
𝑭: 𝟎, 𝟏 𝒏 → 𝟎, 𝟏 𝒏 – a random permutation
Fact: 𝑭 can be inverted efficiently if one can do
precomputation and store the result in memory of
size 𝟐 𝒏
.
1. compute F on every 𝒙 ∈ 𝟎, 𝟏 𝒏
and
put every 𝒙, 𝑭 𝒙 into a table 𝑻
2. sort the table 𝑻 by the
second column
𝒙 𝟎 𝑭 𝒙 𝟎
𝒙 𝟏 𝑭 𝒙 𝟏
𝒙 𝟐 𝑭 𝒙 𝟐
𝒙 𝟑 𝑭 𝒙 𝟑
𝒙 𝟑 𝑭 𝒙 𝟑
𝒙 𝟎 𝑭 𝒙 𝟎
𝒙 𝟐 𝑭 𝒙 𝟐
𝒙 𝟏 𝑭 𝒙 𝟏

33. Can we build a PoS out of it?
No 
[M. Hellman, 1980]: a time-memory tradeoff exists for
this problem:
𝑭 can be inverted in time 𝑵 given pre-processing in
space 𝑵.

34. Main technique
𝑮 = (𝑽, 𝑬) – a directed acyclic graph with 𝑽 = 𝑵.
𝑯𝐈𝐝 – a hash function that depends on 𝐈𝐝.
(for example 𝑯 𝑰𝒅 𝒙 = 𝑯′(𝑰𝒅||𝒙) for some other hash function 𝑯′)
We construct 𝑹 = 𝑹 𝟏, … , 𝑹 𝑵 by recursively labelling vertices 𝑽 as
follows:
1 2
3 4
5
𝑹 𝟏 = 𝑯 𝑰𝒅(𝟏) 𝑹 𝟐 = 𝑯 𝑰𝒅(𝟐)
𝑹 𝟑 = 𝑯 𝑰𝒅(𝟑, 𝑹 𝟏, 𝑹 𝟐) 𝑹 𝟒 = 𝑯 𝑰𝒅(𝟒, 𝑹 𝟐)
𝑹 𝟓 = 𝑯 𝑰𝒅(𝟓, 𝑹 𝟑, 𝑹 𝟒)
Note: every 𝑮 induces a function 𝒇 𝑮 of a form 𝐈𝐝 ↦ (𝑹 𝟏, … , 𝑹 𝑵).

35. Very informally
A graph that is bad if it can be “quickly” labeled if one
stores a “small” number of labels.
Example of a bad graph:
1 2 3 N…
𝑵 𝑵
The adversary that stores labels in positions
𝟏, 𝑵, 𝟐 𝑵, … can compute every label in 𝑵 steps.
Call a graph good if it is not bad.

36. How to build a PoS from a good
graph?
Problem: the entire 𝑹 needs to be sent to the verifier.
𝑹 = (𝑹 𝟏, … , 𝑹 𝑵)
𝑱 ⊆ 𝟏, … , 𝑵
such that 𝑱 = 𝒌
𝑹𝒊 𝒊∈𝑱
𝐈𝐝, 𝑵 𝐈𝐝, 𝑵
Compute
𝑹 = 𝑹 𝟏, … , 𝑹 𝑵 ≔ 𝒇 𝑮 𝐈𝐝
𝐈𝐧𝐢𝐭
𝐏𝐫𝐨𝐨𝐟

37. Solution: let the prover commit to 𝑹 with a
Merkle tree.
𝑹 𝟏 𝑹 𝟐 𝑹 𝟑 𝑹 𝟒
𝑯(𝑹 𝟏, 𝑹 𝟐) 𝑯(𝑹 𝟑, 𝑹 𝟒)
𝑹 𝟓 𝑹 𝟔 𝑹 𝟕 𝑹 𝟖
𝑯(𝑹 𝟓, 𝑹 𝟔) 𝑯(𝑹 𝟕, 𝑹 𝟖)
C
Recall: Merkle trees allow to efficiently prove that each block
𝑹𝒊 was included into the hash 𝑪.
This is done by sending 𝐌𝐞𝐫𝐤𝐥𝐞𝐏𝐫𝐨𝐨𝐟 𝑹𝒊
𝐌𝐞𝐫𝐤𝐥𝐞𝐏𝐫𝐨𝐨𝐟 𝑹 𝟓 =
𝑹 𝟔, 𝑯 𝑹 𝟔, 𝑹 𝟕 , …𝐌𝐞𝐫𝐤𝐥𝐞(𝑹 𝟏, … , 𝑹 𝟖)

38. New 𝐈𝐧𝐢𝐭 phase
𝐌𝐞𝐫𝐤𝐥𝐞(𝑹)
𝐈𝐝 𝐈𝐝
Compute
𝑹 = 𝑹 𝟏, … , 𝑹 𝑵 ≔ 𝒇 𝑮 𝐈𝐝
b c
a
𝑹 𝒃 𝑹 𝒄
𝑹 𝒂
checks if
𝑹 𝒂 = 𝑯 𝑰𝒅 𝒂, 𝑹 𝒃, 𝑹 𝒄
if yes, then we say
that 𝒂 is consistent
repeat 𝒌 times

39. New 𝐏𝐫𝐨𝐨𝐟 phase
In the 𝐏𝐫𝐨𝐨𝐟 phase the prover opens the Merkle
commitment to every 𝑹𝒊 he is asked about.
𝑱 ⊆ 𝟏, … , 𝑵
such that 𝑱 = 𝒌
𝑹𝒊 𝒊∈𝑱

40. Easy to see
𝑮 − a graph to which a malicious prover committed.
If the consistency check was ok for 𝒌 times, then most
likely:
a large fraction of nodes in 𝑮 is consistent.

41. How to deal with the inconsistent
nodes?
graph 𝑮: 𝒙 inconsistent
nodes
The adversary can “save” memory
by not storing these 𝒙 blocks.
Observation: such an adversary
with memory 𝑵 𝟎 can be
“simulated” by an adversary with
memory 𝑵 𝟎 + 𝒙 that commits to a
graph with no inconsistent nodes.

42. Techniques
We construct good graphs such that the time-memory
tradeoffs for computing 𝒇 𝑮 are bad.
For this we use techniques from graph pebbling.
The constructions are based on tools from graph theory:
• hard to pebble graphs of Paul, Tarjan, Celoni, 1976,
• superconcentrators, random bipartite expander graphs,
and
• graphs of Erdos, Graham, Szemeredi, 1975.
The details are in the paper.

43. The results of [DFKP15]
We construct a 𝒄 𝟏 𝑵, 𝒄 𝟐 𝑵 −Proof of Space.
(for some constants 𝒄 𝟏, and 𝒄 𝟐)
We also have a construction that is secure when the
prover’s space during the execution is restricted.
Caveat: in the model we need a “simplifying
assumption” that the adversary can explicitly state
which block he knows.

44. A question
How to construct a
cryptocurrency on top of PoS?

45. Why cannot the PoS’s be used to
directly replace the PoWs?
1. PoW is single-phase, while PoS has the Init
phase
2. How to make the reward proportional to
invested resources?
3. Where does the challenge come from? (we will
talk later about it)

46. Single-phase vs. “with initialization”
random 𝒙
proof 𝒔 random 𝒙
proof 𝒔
commitment 𝑪 ≔
(Merkle(f(Id)),Id)
Note: the consistency
check can be performed
in the proof phase
Good news: also PoS is “public coin”.
PoW: PoS:
prover verifier prover verifier

47. The solution
Every user who joins the system “declares” how
much space he can devote. This is done as follows:
Gen (secret key sk, public key pk)runs
𝑹 𝟏, … , 𝑹 𝑵 = 𝒇 𝐩𝐤
𝑪 ≔ 𝐌𝐞𝐫𝐤𝐥𝐞 𝑹 𝟏, … , 𝑹 𝑵
Take a PoS scheme
𝒇 – the function that fills-in the memory
transaction 〈𝐜𝐨𝐦𝐦𝐢𝐭, 𝑪, 𝐩𝐤 〉
Note: no need to run
the consistency check
(this is done later)

48. How to make the reward proportional
to invested resources?
Suppose we have 5 miners, with the
following proportion of space:
How to determine who has the right to
extend the chain in from a given block?

49. Observation
Let 𝑵 𝟏, … , 𝑵 𝒌 be the memory sizes of the miners.
Suppose 𝑵 𝟏 = ⋯ = 𝑵 𝒌.
Suppose we have a random challenge 𝒙.
Observe that the PoS of [DFKP15] is public-coin.
Let every miner execute the PoS with respect to this
challenge:
In Bitcoin the
challenge was
the previous
block.
𝒙
𝒔 𝟓𝒔 𝟐 𝒔 𝟑 𝒔 𝟒𝒔 𝟏
𝑮: 𝟎, 𝟏 ∗ → {𝟏, … , 𝑾} –
a hash function (with
very large 𝑾)
𝑷𝒊 is the winner if 𝑮( 𝒔 𝒊) is larger than all the other 𝑮( 𝒔 𝒋)’s.
𝑷 𝟏 𝑷 𝟐 𝑷 𝟑 𝑷 𝟒 𝑷 𝟓
proofs

50. Easy to see:
For each 𝑷𝒊 his probability of
winning is equal to 𝟏/𝒌.
This is because for a given
commitment 𝑪 and a the challenge
𝒙 the solution 𝒔 is uniquely
determined.
Note: this is not true if
one can change 𝑪.
This is why we require
the miners to post
commitments on the
blockchain
If it was not the case then a malicious miner could try
different 𝒔’s.
Hence we would be back in the Proof of Work scenario.

51. But what if the 𝑵𝒊’s are not equal?
We need a function 𝑫 𝑵 𝒊
such that the following condition
yields a winner with probability
𝑵𝒊
𝑵 𝟏 + ⋯ + 𝑵 𝒌
Turns out that
𝑫 𝑵 𝒊
(𝒔) ≔ 𝑮(𝒔)/𝑾 𝟏/𝑵 𝒊
is such a function (the details are in the paper).
𝑷𝒊 is the winner if 𝑫 𝑵 𝒊
(𝒔𝒊) is larger than all the
other 𝑫 𝑵 𝒊
(𝒔𝒋)’s.

52. Quality of the
blockchain
Using the function 𝑫 𝑵 𝒊
we can also define the quality
of the block chain.
First, let 𝒗𝒊 ≔ 𝑫 𝑵 𝒊
𝒔𝐢 .
Define:
𝑸 𝒗𝒊 ≔ 𝐦𝐢𝐧
𝑵
𝐏𝐫 𝒗𝒊 < 𝒘: 𝒘 ← 𝑫 𝑵(𝑼) ≥ 𝟏/𝟐
in Bitcoin it is its length
𝒔 𝟏 𝒔 𝟐 𝒔 𝟑 𝒔 𝟒 𝒔 𝟓 𝒔 𝟔
the space required to get a better proof than 𝒗𝒊
on a random challenge with probability 1/2.
Then let the total quality of blockchain to be equal to the
sum of 𝑸𝒊’s.
uniform

53. This solution need some small
modifications
1. To avoid bad events that happen with small
probability we need to limit the maximal
𝑸𝒊 that counts
(this limit is imposed with respect to the
median of other 𝑸𝒊
′
s).

54. 2. What if the amount of space in the system
increases dramatically?
Then the adversary that “starts computing the blockchain from
the beginning” can produce a better quality chain (even if his
memory is <1/2 of the total).
Solution: only last 1000 block count (note: it requires
checkpoints)
time
space

55. Where does the challenge 𝒙 come from?
1. Use a NIST beacon or some other trusted source –
not a good solution for a “fully distributed” currency.
2. “Ask” some other miner – possible but complicated
(what if he is not online?)
3. [Bitcoin solution]: Use some previous block.
not so easy as in
Bitcoin...

56. Problems with using previous block:
By manipulating the transaction list the miner can
produce different 𝒙𝒊
′
𝑠.
𝒙i 𝒙i+1
transactions
from period
i+1
H
This again would lead to Proofs of Work...
this is called
“grinding”

57. Solution
The challenge does not depend on the transactions.
Spacemint blockchain syntax:
Block 𝑩𝒊+𝟏
s𝑖+1
signature
transactions
Block 𝑩𝒊
s𝑖
signature
transactions
Block 𝑩𝒊+𝟐
s𝑖+2
signature
transactions
signature
chain
proof
chain
x 𝒊+𝟏 = 𝑯(s𝒊) x 𝒊+𝟐 = 𝑯(s𝒊+𝟏)

58. Yet another problem
Suppose there is a fork
blocki+1
blocki+2 block’i+2
blocki+3
If 𝐛𝐥𝐨𝐜𝐤 𝐢+𝟐
′
gives a challenge that is “good” for him,
then it’s better for him to work on this chain
Note: in Bitcoin working on a shorter chain never made sense.

59. Solution: look deeper in the past
The challenge for block 𝒊 is a hash of block 𝒊 − 𝟏𝟐𝟎.
Why not to look deeper into the past?
We do not want the miners to know that they can
stay long offline (so they could erase their disks)

60. A more subtle problem
In Proofs of Work mining costs, while in Proofs of Space it is
“for free”.
So a miner that sees a fork the best (selfish) strategy is to work
on both chains.
In this case he “wins” in both cases!
blocki
blocki+1
blocki+2 block’i+2
blocki+3 block’i+3
A similar problem shows up in “Proofs of Stake”:
“The problem with Proofs of Stake is that there is nothing at stake”

61. Solution: penalize such behavior
blocki
blocki+1
blocki+2 block’i+2
blocki+3 block’i+3
discovers that these
blocks were signed
by the same party
posts a transaction with a
“proof” of this, and gets a
reward
(the party that signed 2
blocks looses her reward)

62. Full description of the protocol
See [PPKAFG 2015].
This paper contains also a game-theoretic model and a
security proof.

63. Open problem
Understand better the
bounds in these
constructions
(currently there are
many hidden
constants)

64. Plan
1. Litecoin – a currency based on the
Scrypt hash function
2. Spacemint – a currency based on the
Proofs of Space
3. Currencies based on the Proofs of Stake
4. Currencies doing some useful work
(Primecoin, Permacoin)
5. Ethereum – a currency with Turing-
complete scripts
6. Other uses of the Blockchain technology

65. Proofs of Stake
The “voting power” depends on how much money one
has.
Justification: people who have the money are naturally
interested in the stability of the currency.
Currencies: BlackCoin, Peercoin, NXT,
shares of coins “voting power”
≈

66. Challenges when constructing Proof-
of-Stake currencies
Similar to the Proofs of Space (note: Proofs of Stake is
a much earlier concept).
How to determine which miner has the right to extend
the chain?
How to prevent mining on many chains? (“There is
nothing at stake”)
How to prevent grinding?

67. Other problems
1. How to distribute initial money?
2. How to force coin owners to mine?

68. A potential speculative attack on
PoStake coins
[Nicolas Houy, It Will Cost You Nothing to 'Kill' a Proof-of-Stake Crypto-
Currency, 2014]
I am going to destroy
your currency by
buying > 𝟓𝟏% coins
and gaining the
voting majority
shall I sell
him my
coins?
if I believe
that he
succeeds then
I should sell
at any non-
zero price
if everybody thinks this way then the
coin price will quickly go close to zero
I buy the coins
now (cheaply)

69. Plan
1. Litecoin – a currency based on the
Scrypt hash function
2. Spacemint – a currency based on the
Proofs of Space
3. Currencies based on the Proofs of Stake
4. Currencies doing some useful work
(Primecoin, Permacoin)
5. Ethereum – a currency with Turing-
complete scripts
6. Other uses of the Blockchain technology

70. Idea
Can we have a currency that does
something useful?
Some ideas proposed:
• Permacoin [A. Miller, A. Juels, E. Shi, B. Parn, J. Katz,
Permacoin: Repurposing Bitcoin Work for Data
Preservation, 2014]
• Primecoin [Sunny King, Primecoin: Cryptocurrency
with Prime Number Proof-of-Work, 2013]

71. Permacoin
Main idea: parametrize PoWs with a large file 𝑭 (“too
large to store by individuals”).
To solve a PoW one needs to store some part of 𝑭.
(the more you store, the higher your probability is).

72. Why is it useful?
Can be used data that is useful for some purpose.
Difference between Permacoin and Spacemint:
• Permacoin is still a Proof of Work (consumes
energy)
• The data in Spacemint is random (in Permacoin it is
not random)
• Permacoin doesn’t scale (maybe in 20 years
everybody will have the library of congress data on his
mobile?)

73. Another nice feature of Permacoin
It’s PoWs are nonoutsourcable:
A miner in a mining pool can always steal the PoW
solution.
Hence: creating mining pools makes no sense.
See also:
[Miller, Kosba, Katz, Shi, Nonoutsourceable Scratch-
Off Puzzles to Discourage Bitcoin Mining Coalitions,
ACM CCS 2014]

74. Primecoin
Proof of Work: finding chains of primes.

75. Chains of primes
• Cunningham chain of the
first kind:
• 𝒑 𝟎
• 𝒑 𝟏 = 𝟐𝒑 𝟎 + 𝟏
• 𝒑 𝟐 = 𝟐𝒑 𝟏 + 𝟏
• 𝒑 𝟑 = 𝟐𝒑 𝟐 + 𝟏
• …
(all 𝒑𝒊’s are prime)
Example: 2, 5, 11, 23, 47,...
• Cunningham chain of the
second kind:
• 𝒑 𝟎
• 𝒑 𝟏 = 𝟐𝒑 𝟎 − 𝟏
• 𝒑 𝟐 = 𝟐𝒑 𝟏 − 𝟏
• 𝒑 𝟑 = 𝟐𝒑 𝟐 − 𝟏
• …
(all 𝒑𝒊’s are prime)
Example: 151, 301, 601,
1201,...
• bi-twin chain: 𝒑 𝟎, 𝒒 𝟎, 𝒑 𝟏, 𝒒 𝟏, 𝒑 𝟐, 𝒒 𝟐, … such that
• 𝒑 𝟎, 𝒑 𝟏, 𝒑 𝟐 are Cunningham chain of the first kind,
• 𝒒 𝟎, 𝒒 𝟏, 𝒒 𝟐 are Cunningham chain of the second kind, and
• each (𝒑𝒊, 𝒒𝒊) is a prime twin pair (i.e. 𝒒𝒊 = 𝒑𝒊 + 𝟐)
Famous Conjecture: for every 𝒌 there exist infinitely many
chains like this of length 𝒌.

76. Main idea of Primecoin
Proof of Work = “find as long chains as possible”
Some challenges:
1. Verification of a PoW solution
should be very efficient
Solution:
• limit the size of the numbers
• allow pseudoprimes
2. Quality measure of the solution should be more fine grained than
just the length of the chain.
Solution:
accept chains 𝒑 𝟏, 𝒑 𝟐, … , 𝒑 𝒌, 𝒑 𝒌+𝟏, where all 𝒑𝒊’s but the last one are
prime.
The quality of such a solution is equal to 𝒌 + 𝒓, where 𝒓 “measures
how close is 𝒑 𝒌+𝟏 to a prime”
“in terms of the Fermat test”
a “pseudoprime” is a composite
number 𝑛 that passes
Fermat test:
“check if 𝟐 𝒏−𝟏 = 𝟏 (𝐦𝐨𝐝 𝒏)”

77. Yet another question
How to “link” the solution to the hash of the previous
block 𝐁𝐢?
Answer:
Require 𝒑 𝟏 + 𝟏 to be a multiple of 𝑯(𝑩𝒊).
For more details see [Sunny King, Primecoin:
Cryptocurrency with Prime Number Proof-of-Work,
2013].

78. Research direction
Any other ideas for
“useful Proofs of
Work”?

79. Plan
1. Litecoin – a currency based on the
Scrypt hash function
2. Spacemint – a currency based on the
Proofs of Space
3. Currencies based on the Proofs of Stake
4. Currencies doing some useful work
(Primecoin, Permacoin)
5. Ethereum – a currency with Turing-
complete scripts
6. Other uses of the Blockchain technology

80. Ethereum – a “currency
designed for contracts”
main feature: Turing-complete scripts
the transaction ledger is maintained using the GHOST protocol of
Sompolinsky and Zohar
Developers: Gavin Wood, Jeffrey Wilcke, Vitalik Buterin, et al.
Initial release: 30 July 2015
currency unit: Ether (ETH)
as of 24.05.2016:
Market cap ≈ 1 billion USD
1 E𝐓𝐇 ≈ 12 USD
Main uses: decentralized organizations, prediction markets, and
many others…
Susceptible to verifier’s dilemma?

81. Research direction
Understand the
impact of verifier’s
dillema

82. Plan
1. Litecoin – a currency based on the
Scrypt hash function
2. Spacemint – a currency based on the
Proofs of Space
3. Currencies based on the Proofs of Stake
4. Currencies doing some useful work
(Primecoin, Permacoin)
5. Ethereum – a currency with Turing-
complete scripts
6. Other uses of the Blockchain technology

83. Namecoin (NMC)– a
decentralized DNS
Idea: use Bitcoin’s ledger as a DNS.
It maintains a censorship-resistant top level domain .bit.
The same blockchain rules as Bitcoin.
Placing a record costs 0.01 NMC.
Records expire after 36000 blocks (≈ 𝟐𝟎𝟎 days) unless
renewed.
this money is
“destroyed”

84. Thank you!

85. ©2016 by Stefan Dziembowski. Permission to make digital or hard copies of part or
all of this material is currently granted without fee provided that copies are made
only for personal or classroom use, are not distributed for profit or commercial
advantage, and that new copies bear this notice and the full citation.