Proof-of-Burn, presented at Financial Cryptography and Data Security 2020

by Aggelos Kiayias, Dionysis Zindros, Kostis Karantias

Summary: Proof-of-burn has been used as a mechanism to destroy cryptocurrency in a verifiable manner. Despite its well known use, the mechanism has not been previously formally studied as a primitive. In this paper, we put forth the first cryptographic definition of what a proof-of-burn protocol is. It consists of two functions: First, a function which generates a cryptocurrency address. When a user sends money to this address, the money is irrevocably destroyed. Second, a verification function which checks that an address is really unspendable. We propose the following properties for burn protocols. Unspendability, which mandates that an address which verifies correctly as a burn address cannot be used for spending; binding, which allows associating metadata with a particular burn; and uncensorability, which mandates that a burn address is indistinguishable from a regular cryptocurrency address. Our definition captures all previously known proof-of-burn protocols. Next, we design a novel construction for burning which is simple and flexible, making it compatible with all existing popular cryptocurrencies. We prove our scheme is secure in the Random Oracle model. We explore the application of destroying value in a legacy cryptocurrency to bootstrap a new one. The user burns coins in the source blockchain and subsequently creates a proof-of-burn, a short string proving that the burn took place, which she then submits to the destination blockchain to be rewarded with a corresponding amount. The user can use a standard wallet to conduct the burn without requiring specialized software, making our scheme user-friendly. We propose burn verification mechanisms with different security guarantees, noting that the target blockchain miners do not necessarily need to monitor the source blockchain.
Finally, we implement the verification of Bitcoin burns as an Ethereum smart contract and experimentally measure that the gas costs needed for verification are as low as standard Bitcoin transaction fees, illustrating that our scheme is practical.
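
The two-function interface described in the summary (an address generator and a verifier), as an added sketch that is not code from the paper or its authors. The hash-then-flip-one-bit construction, the function names, the sample tag and the truncated double-SHA-256 used in place of Bitcoin's RIPEMD160(SHA256(x)) are all assumptions of this example; the summary does not spell out the construction.

```python
import hashlib
import hmac

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def h160(data: bytes) -> bytes:
    # Assumption: 20-byte stand-in for Bitcoin's RIPEMD160(SHA256(x)),
    # which some hashlib builds no longer ship.
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:20]

def base58check(version: bytes, payload: bytes) -> str:
    # Standard Base58Check: version || payload || 4-byte double-SHA-256 checksum.
    raw = version + payload
    raw += hashlib.sha256(hashlib.sha256(raw).digest()).digest()[:4]
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    zeros = len(raw) - len(raw.lstrip(b"\x00"))  # each leading zero byte -> '1'
    return "1" * zeros + out

def regular_addr(pubkey: bytes) -> str:
    # Ordinary pay-to-public-key-hash style address, for comparison.
    return base58check(b"\x00", h160(pubkey))

def gen_burn_addr(tag: bytes) -> str:
    # Binding: the address commits to the tag (the metadata of the burn).
    # Unspendability: spending needs a key pk with h160(pk) == h160(tag) ^ 1,
    # i.e. a preimage of a value nobody chose by hashing a key.
    th = bytearray(h160(tag))
    th[-1] ^= 0x01  # flip the last bit so the tag itself is not a valid "key"
    return base58check(b"\x00", bytes(th))

def burn_verify(tag: bytes, addr: str) -> bool:
    # Anyone holding the tag can recompute the address and compare.
    return hmac.compare_digest(gen_burn_addr(tag).encode(), addr.encode())

if __name__ == "__main__":
    tag = b"constructed tag: credit destination account EXAMPLE"  # constructed
    burn = gen_burn_addr(tag)
    print("burn address   :", burn)
    print("regular address:", regular_addr(b"\x02" + bytes(32)))  # constructed key
    print("verifies with tag      :", burn_verify(tag, burn))
    print("verifies with other tag:", burn_verify(b"other tag", burn))
```

Both printed addresses share the same prefix, alphabet and checksum format, which is the uncensorability property in miniature: without the tag, an observer cannot tell the burn address from a regular one.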