Owner: @Marcin Pawlowski
Reviewers: @Alexander Mozeika, @Youngjoon Lee, @Frederico Teixeira, @Mehmet, @Daniel Sanchez Quiros, @Álvaro Castro-Castilla, @Daniel Kashepava, @Thomas Lavaur, @Antonio
The privacy of a Proof-of-Stake (PoS) system is defined by the inability of an adversary to learn:
While a node can be de-anonymized based on the content of its block proposals, this angle of attack is mitigated by Private Proof of Stake systems. However, a node can also be de-anonymized based on its network activity. An adversary can observe the node's network behavior and link the node to the proposal it sends. Because a node's relative stake correlates with its network activity in all PoS systems, observing a node's behavior for some time enables the adversary to estimate the node's stake. It is this network-based de-anonymization that is addressed by the Blend Protocol, allowing Nomos to achieve a truly Private PoS system.
The Blend Protocol is designed as a way to allow nodes to send block proposals that cannot be linked back to them. The idea is to make it very difficult and costly for someone trying to figure out who sent a proposal and what stake they hold. Because the protocol spreads messages out over many nodes, it becomes even harder to attack, which enhances network privacy. The Blend Protocol increases the time to link the sender to the proposal by at least $300$ times, which makes the stake inference highly impractical (Impact of the Blend Protocol on the Time to Link and Time to Infer the Stake).
The Blend Protocol targets a specific set of requirements that differentiate it from mixnets and other general-purpose anonymous communication systems. It achieves probabilistic unlinkability in a highly decentralized environment with low bandwidth cost but high latency. It hides the sender of a block proposal, making it costly for an adversary to learn its origin with high confidence. The cost of attacking the network is high due to decentralization and the economic value of a stake needed to add a single node. The protocol works well even when many nodes are involved and not much data is being sent, but it may take longer for proposals to be delivered.
In this document, we present a succinct description of the Blend protocol, which is one of the Nomos Services (Nomos Services) and is responsible for providing censorship resistance and network-level privacy for the block producers of the Nomos Bedrock (Nomos Bedrock), the foundational layer of Nomos.
All Proof of Stake (PoS) systems have an inherent privacy problem: the stake of the node determines the node's behavior. That is, by observing the node's behavior (or the impact of the node on the system), one can infer the node's stake. More precisely, the stake that is discovered is relative to the stake involved in the PoS, that is, the stake that is used for PoS purposes by the adversary. There are two things that can be observed:
Observing the content of the blocks makes it possible to execute a tagging attack. The consequence of a successful attack is that the stake of a node can be learned by controlling which transactions are included in the proposals built by the node. This is achieved by submitting a transaction only to the mempool of a targeted node, thus creating a difference between the transactions seen by this node and those seen by the other nodes, and then observing the time when this transaction is included in a block.
The tagging attack can be addressed by designing a mempool in such a way that the node has an attestation that the transaction was seen by the majority of the network, which severely limits the adversary's ability to manipulate the view of the node. This is to some extent addressed by the NomosDA (Data Availability Network Specification), where nodes receive an attestation that a certain type of transaction was seen by many nodes.
Observing the network activity of the node leads to an easier but still powerful attack that can disclose the node's stake even after the tagging attack is mitigated. That is, a node's stake can be inferred by observing the frequency of the messages a node emits during a particular period of time; this attack is addressed by the Blend protocol.
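To make the frequency-based inference concrete, the following is an added simulation (not Nomos or Blend code) under an assumed simple slot-leader model in which each slot's leader is drawn with probability proportional to stake. It shows how an observer who can link every proposal to its sender estimates relative stake from proposal counts, how many linked proposals are needed for a given precision, and how the at-least-300-times time-to-link factor claimed above for the Blend Protocol scales the time to infer; the stake values and slot time are constructed.

```python
"""Stake inference from observed proposal frequency (added example).

Assumed model (not the Nomos leader-election specification): one leader
per slot, drawn with probability proportional to relative stake. The
observer can attribute each proposal to its sender, i.e. no Blend.
"""
import math
import random


def simulate_leader_counts(stakes, slots, seed=0):
    """Draw one leader per slot proportional to stake and count proposals
    per node, as seen by an observer who links every proposal to a sender."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    nodes = list(stakes)
    weights = [stakes[n] for n in nodes]
    counts = {n: 0 for n in nodes}
    for _ in range(slots):
        counts[rng.choices(nodes, weights)[0]] += 1
    return counts


def estimate_relative_stake(counts):
    """The observer's estimate: each node's share of the linked proposals.
    This is the leak the text describes; it needs no block content."""
    total = sum(counts.values())
    return {n: c / total for n, c in counts.items()}


def slots_to_resolve(share, precision, z=1.96):
    """Linked proposals needed so the 95% confidence half-width of the
    binomial estimate of a node with relative stake `share` is <= precision."""
    return math.ceil((z / precision) ** 2 * share * (1 - share))


def time_to_infer(share, precision, slot_seconds, link_factor=1):
    """Wall-clock time for the observer to reach `precision`. `link_factor`
    models the per-proposal cost of linking a sender; 300 is the page's
    stated lower bound for the Blend Protocol, 1 is the no-Blend baseline."""
    return slots_to_resolve(share, precision) * slot_seconds * link_factor


if __name__ == "__main__":
    stakes = {"A": 50, "B": 30, "C": 20}  # constructed relative stakes
    print(estimate_relative_stake(simulate_leader_counts(stakes, 10000)))
    print(time_to_infer(0.1, 0.01, 1.0), time_to_infer(0.1, 0.01, 1.0, 300))
```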
The Blend protocol achieves network-level leader-proposal unlinkability with statistical indistinguishability. That is, a leader cannot be linked back to its proposal and cannot be distinguished from its peers based on its network behavior. This property translates into an increased difficulty of learning the node's stake through the node's network behavior.
To have a truly privacy-preserving system, we need to apply both techniques simultaneously. Solving one without the other will not suffice.