This paper investigates the security of Nakamoto’s longest-chain consensus under multi-resource constraints—storage (S), time (V), and computation (W)—focusing on designing a weight function Γ(S,V,W) that ensures resilience against private double-spending attacks when honest participants collectively control a majority of resources. Method: We establish the first comprehensive security classification framework for multi-resource Nakamoto consensus, proving that any secure Γ must be first-order homogeneous in both V and W. Using both continuous and discrete models, we unify proof-of-stake capacity, verifiable delay functions (VDFs), and diverse proof-of-work schemes. Contribution/Results: We derive a general closed-form expression for secure weight functions. Our analysis confirms existing designs—Γ = W (Bitcoin) and Γ = SV (Chia)—as special cases, and further proves, for the first time, that novel combinations such as √(W₁)√(W₂) and min(W₁,W₂) are also secure while offering superior resistance to centralization. This work provides a rigorous theoretical foundation and practical guidance for multi-resource consensus protocols.

The blocks in the Bitcoin blockchain record the amount of work W that went into creating them through proofs of work. When honest parties control a majority of the work, consensus is achieved by picking the chain with the highest recorded weight. Resources other than work have been considered to secure such longest-chain blockchains. In Chia, blocks record the amount of space S (via a proof of space) and sequential computational steps V (via a VDF). In this paper, we ask what weight functions Γ(S,V,W) (that assign a weight to a block as a function of the recorded space, speed, and work) are secure in the sense that whenever the weight of the resources controlled by honest parties is larger than the weight of adversarial parties, the blockchain is secure against private double-spending attacks. We completely classify such functions in an idealized "continuous" model: Γ(S,V,W) is secure against private double-spending attacks if and only if it is homogeneous of degree one in the timed resources V and W, i.e., αΓ(S,V,W)=Γ(S,αV, αW). This includes Bitcoin rule Γ(S,V,W)=W and Chia rule Γ(S,V,W) = SV. In a more realistic model where blocks are created at discrete time-points, one additionally needs some mild assumptions on the dependency on S (basically, the weight should not grow too much if S is slightly increased, say linear as in Chia). Our classification is more general and allows various instantiations of the same resource. It provides a powerful tool for designing new longest-chain blockchains. E.g., consider combining different PoWs to counter centralization, say the Bitcoin PoW W_1 and a memory-hard PoW W_2. Previous work suggested to use W_1+W_2 as weight. Our results show that using {sqrt}(W_1){cdot}{sqrt}(W_2), {min}{W_1,W_2} are also secure, and we argue that in practice these are much better choices.