With checkpointing (be it yearly), the same properties can be achieved by a proof-of-stake system. Without checkpointing, proof-of-stake systems cannot make this claim. Indeed, it would be theoretically possible for an attacker to purchase old keys from a large number of former stakeholders, with no consequence to them. In this case, a stronger assumption is needed about participants, namely that a majority of current or former stakeholders cannot be cheaply corrupted into participating in an attack on the network. In this case, the role of “stake” in the proof-of-stake is only to avoid adverse selection by malicious actors in the consensus group.

4 Potential Developments

In this section, we explore some ideas that we’re specifically interested in integrating to the Tezos protocol.

4.1 Privacy Preserving Transactions

One of the most pressing protocol updates will be the introduction of privacy preserving transactions. We know of two ways to achieve this: ring signatures and non-interactive zero-knowledge proofs of knowledge (NIZKPK).

4.1.1 Ring Signatures

CryptoNote has built a protocol using ring signatures to preserve privacy. Users are able to spend coins without revealing which of N addresses spent the coins. Double spenders are revealed and the transaction deemed invalid. This works similarly to the coin-join protocol without requiring the cooperation of the addresses involved in obfuscating the transaction. One of the main advantages of ring signatures is that they are comparatively simpler to implement than NIZKPK and rely on more mature cryptographic primitives which have stood the test of time.

4.1.2 Non-Interactive Zero-knowledge Proofs of Knowledge

Matthew Green et al. proposed the use of NIZKPK to achieve transaction untraceability in a blockchain-based cryptocurrency. The latest proposition, Zerocash, maintains a set of coins with attached secrets in a Merkle tree. Committed coins are redeemed by providing a NIZKPK of the secret attached to a coin in the tree. It uses a relatively new primitive, SNARKs, to build very small proofs which can be efficiently checked. This technique is attractive but suffers from drawbacks. The cryptographic primitives involved are fairly new and have not been scrutinized as heavily as the relatively simple elliptic curve cryptography involved in Bitcoin.
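The ring-signature property described in section 4.1.1 (any one of N keys may have signed, yet a second spend by the same key is detected) can be seen in the following added example, which is not code from this paper or from CryptoNote. It is a simplified linkable ring signature in the LSAG style over a multiplicative group (the RFC 2409 Oakley Group 1 prime) instead of CryptoNote's elliptic curve; the function names and the ledger rule in `spend` are assumptions made for illustration.

```python
import hashlib, secrets
# Illustration only: RFC 2409 Oakley Group 1 safe prime, not CryptoNote's elliptic curve.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
        "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
Q, G = (P - 1) // 2, 4   # prime order of the quadratic-residue subgroup, and a generator

def _h(*parts):
    return int.from_bytes(hashlib.sha512("|".join(map(str, parts)).encode()).digest(), "big")

def hash_to_group(y):   # squaring lands in the order-Q subgroup; its log to base G is unknown
    return pow(_h("Hp", y) % P, 2, P)

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def _next_c(msg, ring, image, y, s, c):   # next challenge from member y's response and challenge
    L = pow(G, s, P) * pow(y, c, P) % P
    R = pow(hash_to_group(y), s, P) * pow(image, c, P) % P
    return _h(msg, image, L, R, *ring) % Q

def sign(msg, ring, x, pi):
    image = pow(hash_to_group(ring[pi]), x, P)        # key image: fixed per key, hides pi
    n, a = len(ring), secrets.randbelow(Q)
    c, s = [0] * n, [secrets.randbelow(Q) for _ in ring]
    i = (pi + 1) % n
    c[i] = _next_c(msg, ring, image, ring[pi], a, 0)  # signer's commitment (G^a, h^a)
    while i != pi:                                    # other members get random responses
        c[(i + 1) % n] = _next_c(msg, ring, image, ring[i], s[i], c[i])
        i = (i + 1) % n
    s[pi] = (a - c[pi] * x) % Q                       # only the secret key closes the ring
    return c[0], s, image

def verify(msg, ring, sig):
    c0, s, image = sig
    if len(s) != len(ring) or not 1 < image < P or pow(image, Q, P) != 1:
        return False   # malformed, or image is not a canonical order-Q group element
    c = c0
    for y, si in zip(ring, s):
        c = _next_c(msg, ring, image, y, si, c)
    return c == c0

def spend(seen_images, msg, ring, sig):
    ok = verify(msg, ring, sig) and sig[2] not in seen_images   # reject reused key images
    if ok:
        seen_images.add(sig[2])
    return ok
```

Because the key image depends only on the signer's key, it repeats whenever that key signs again, which lets a verifier reject the second spend without learning which ring member signed.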