Proofs of Proof-of-Stake with Sublinear Complexity

Popular Ethereum wallets (e.g., MetaMask) entrust centralized infrastructure providers (e.g., Infura) to run the consensus client logic on their behalf. As a result, these wallets are light-weight and high-performant, but come with security risks. A malicious provider can completely mislead the wallet, e.g., fake payments and balances, or censor transactions. On the other hand, light clients, which are not in popular use today, allow decentralization, but at inefficient linear bootstrapping complexity. This poses a dilemma between decentralization and performance. In this paper, we design, implement, and evaluate a new proof-of-stake (PoS) superlight client with logarithmic bootstrapping complexity. Our key insight is to leverage the standard existential honesty assumption, i.e., that the verifier (client) is connected to at least one honest prover (full node). The proofs of PoS take the form of a Merkle tree of PoS epochs. The verifier enrolls the provers in a bisection game, in which the honest prover is destined to win once an adversarial Merkle tree is challenged at sufficient depth. We implement a complete client that is compatible with mainnet PoS Ethereum to evaluate our construction: compared to the current light client construction proposed for PoS Ethereum, our client improves time-to-completion by 9x, communication by 180x, and energy usage by 30x. We prove our construction secure and show how to employ it for other proof-of-stake systems such as Cardano, Algorand, and Snow White.