Search on this page or go to global search
Searching...
9 MIN2 FEB 2026
The Importance of Proposer Anonymity
Why neutral consensus depends on hiding who proposes blocks
L
Logos
Tech
Blockchain
Logos stack
Share
Identifiable block proposers enable censorship, coercion, and stake inference in proof-of-stake systems. Logos prevents this through private leadership elections and anonymous broadcasting.
In decentralised blockchain networks, protecting the identity of block proposers has traditionally been considered a secondary concern. Bitcoin miners operate pseudonymously, while Ethereum validators register publicly to participate in consensus.
However, proposer privacy is not merely about maintaining anonymity; it provides critical protection against a range of adversarial threats that can compromise the neutrality and security of the network.
When adversaries can identify block proposers, they gain the ability to target them for censorship, coercion, or even physical threats. A known proposer might face pressure from hostile actors to exclude certain transactions, or be subjected to denial-of-service attacks that prevent them from participating in the network. Beyond immediate threats, the ability to link proposals to proposers enables adversaries to infer proposers’ stake over time, creating additional vectors for targeting high-value participants.
Logos addresses these concerns through a combination of private leadership elections and anonymous broadcasting, creating a system where proposers can participate in consensus without revealing their identity or stake.
This article explores why proposer privacy matters, examines the limitations of existing approaches, and demonstrates how the Logos Blockchain's architecture provides robust protection for block proposers.
The problem with a public leader schedule
In most proof-of-stake consensus protocols, including Ethereum’s Gasper protocol, the consensus leaders are pseudorandomly selected in advance based on their relative stake, with a leader schedule published periodically. On Ethereum, the schedule is published at the beginning of each epoch: a period of 32 slots, or approximately 6.4 minutes.
This advance notice creates a window of opportunity for adversaries to prepare targeted attacks. As noted by Ethereum researcher Lightclient, knowing who will propose blocks in advance allows attackers to time denial-of-service attacks, attempt to bribe or coerce proposers, or prepare infrastructure to censor specific transactions.
One such attack, known as "validator sniping", can be used to steal MEV by taking down validators scheduled to propose right before the attacker’s slots. The attacker can then produce blocks with transactions that should have been processed by the targeted validators, effectively stealing MEV and transaction fee revenue from honest participants. The predictability of the schedule transforms what should be a decentralised process into a series of known targets.
Mitigating these risks within Ethereum's architectural framework would require expensive hardware solutions. Validators could theoretically use dedicated firewall devices and anonymous broadcasting networks to protect their identity, but these solutions impose significant bandwidth and cost requirements. For a protocol that already requires 32 ETH to participate as a validator, adding further hardware costs creates even higher barriers to entry and pushes the network toward centralisation.
The fundamental issue is architectural: when the consensus protocol itself reveals proposer identities in advance, no reasonable amount of operational security can fully protect participants.
The solution must be built into the protocol layer, not bolted on afterwards.
Private leadership elections
Cryptarchia, the private proof-of-stake consensus protocol underlying the Logos Blockchain, takes a different approach by eliminating the public leader schedule entirely. In Cryptarchia, the leadership election is run locally by each participant, and the winner uses zero-knowledge proofs to demonstrate that they have a right to propose a block for a given slot.
No global announcement reveals who won the lottery or how much stake they hold, and no leader schedule is published in advance. This local election process is reminiscent of the proof-of-work mining algorithm, which is run independently by each miner and the results of which are known only after the winning miner proposes a block.
In Cryptarchia, time is divided into slots, with each slot presenting an opportunity for a consensus leader to propose a new block. To determine if they've won the right to propose for a slot, each participant with an eligible Logos note produces a lottery ticket by hashing together some information related to the note and the slot in question. Importantly, there is no need to register the note and no minimum note value required to be eligible for the leadership election.
The ticket described above is compared to a threshold that depends on the note's value relative to the total stake. Due to the Logos Blockchain’s anonymity properties, the total eligible stake cannot be obtained directly. Instead, each participant must estimate the total stake value based on network activity.
If the ticket falls below the threshold, the note has won the election, and its owner can propose a block. The calculation happens privately on each participant's machine, with no communication required until a winner actually publishes a block. When publishing a block, the proposer includes a zero-knowledge “proof of leadership” that demonstrates that their note won the election for that slot, without revealing the note’s value.
The limitations of private leadership elections
Private leadership elections have an important limitation: they don't prevent a proposer's identity from being revealed once they publish a block. Without additional protection, network observers can use traffic analysis to link proposals to their source. An adversary monitoring the network can observe which node first broadcasts a new block and infer that this node is likely the proposer.
If proposers can be linked to their proposals, they can be targeted based on the content of the blocks they publish. Proposers may therefore proactively engage in self-censorship to avoid offchain consequences. A proposer who fears being targeted by criminal gangs, for example, might exclude sensitive transactions from their blocks rather than risk being identified. This behaviour, while seemingly prudent, compromises the neutrality of the entire network.
The ability to link a proposer to their proposals also allows observers to infer a participant's relative stake from their onchain activity. This is because, in proof-of-stake systems, the probability of winning a leadership election is proportional to relative stake. An adversary who can link proposals to proposers can count how often each participant proposes blocks over time, using this frequency to estimate their stake.
According to calculations by the Logos team, without additional protection, an adversary could infer a node's relative stake (assuming it has 0.1% of total stake) in approximately 24 days of observation. If a participant’s relative stake can reliably be inferred from network activity, large stakeholders may face targeted attacks.
For protocol founders and those with significant onchain funds, being singled out by criminals is not just a theoretical concern. Real-world violence, including armed robbery, kidnappings, torture, and even murder, has been perpetrated with the goal of stealing Bitcoin from known individuals. Despite its locally run mining algorithm, Bitcoin is clearly not immune to deanonymisation via network analysis, and high token values provide perverse incentives for criminal actors. This type of attack, which has been increasingly common in recent years, can only be mitigated effectively by true proposer anonymity.
These limitations demonstrate that while private leadership elections are necessary for proposer privacy, they are not sufficient. The protocol must also ensure that block proposals cannot be linked to their source after the fact through network analysis.
Blending for proposer anonymity
The Logos Blockchain introduces additional protection for proposers through the Blend Network, an anonymous broadcasting protocol specifically designed for proposer privacy. The Blend Network makes it difficult to link a proposer to their proposal by routing the proposal message through multiple nodes before broadcasting it to the entire network.
The path a message takes is obscured by making it difficult to distinguish from other messages’ paths, with random delays and artificial traffic adding further obfuscation. The Blend Protocol involves several key components:
  • Layered encryption: The proposer selects the nodes through which to relay their proposal, progressively encrypting the message such that each node in the path can only decrypt one layer.
  • Dissemination: A Blend node forwards received messages to all its peers. If it can decrypt the outer encryption layer, it relays the decrypted message after a random delay.
  • Cover traffic: Blend nodes also generate artificial messages with random data that are encrypted and disseminated in the same way as genuine data messages.
Anonymity properties of the Blend Network
The combination of these techniques provides strong proposer anonymity guarantees. When a proposer sends a block through the Blend Network, observers face multiple layers of uncertainty.
The dissemination process ensures that the origin of a message cannot be distinguished from subsequent relays. Progressive decryption and random delays prevent observers from linking incoming and outgoing messages at each hop in the relay path. In addition, the presence of cover traffic makes it impossible for observers to distinguish between real block proposals and dummy messages.
According to the Logos team's analysis, for an adversary controlling 10% of Blend nodes observing a node with 0.1% relative stake, it would take more than 10 years to deanonymise a proposer with 50% probability, or infer their stake with 60% probability, when routing proposals through the Blend Network. This represents a significant improvement over the 24 days needed for deanonymisation without the Blend Network’s obfuscation strategies.
Conclusion
Proposer privacy is not a luxury; it is a fundamental requirement for a truly decentralised and censorship-resistant blockchain. When proposers can be identified and targeted, the network becomes vulnerable to coercion, denial-of-service attacks, and systematic censorship. When relative stake can be inferred, large stakeholders face disproportionate risks that may drive them out of the network.
The Logos Blockchain addresses these challenges through a layered approach to privacy. Cryptarchia's private leadership elections ensure that no public schedule reveals future proposers, eliminating the window of opportunity for preemptive attacks. The Blend Network's anonymous broadcasting protocol prevents network analysis from linking proposals to their source, protecting both identity and relative stake. Together, these mechanisms create a system where participants can engage in consensus without fear of targeting or surveillance.
Sources and further reading
 
Logos is an open-source movement aiming to revitalise civil society. We need coders, writers, designers, and all forward thinkers to join us. To get involved, head to the Logos Contribute portal and submit a proposal.
Discussion
No discussion yet.
From Offline to Online Piracy: A Genealogy of Logos
J
Jarrad Hope
24 January 2024
Logos Dev Update: What’s Next for the Technology Stack in 2026
L
Logos
13 January 2026
The Bitcoin of Governance: Logos and the End of Westphalia
S
Sev Bonnet
C
Community
23 January 2026
Freedom needs builders
Stay ahead with the latest updates
Logos
GithubWork With UsTerms & ConditionsPrivacy PolicySecurity