Ouroboros Praos: An Adaptively-Secure, Semi-Synchronous Proof-of-Stake Blockchain
Bernardo David, Peter Gaži, Aggelos Kiayias, and Alexander Russell. Eurocrypt 2018
Aayush Naik, Mahtab Sandhu. Distributing Trust and Blockchains
Table of contents
1. Introduction 2. Proof-of-Stake 3. Ouroboros 4. The Blockchain Goal 5. Ouroboros Praos 6. Security Analysis
1
Introduction
Overview
• What is proof-of-stake?
• A simple solution
• A simple solution - with a major problem
• Ouroboros
• The Blockchain Goal
• Ouroboros Praos
2
Why Proof-of-Stake?
• Proof-of-Work is wasteful.
• Stake is a good indicator of commitment and interest in the system.
3
Proof-of-Stake
Proof-of-Stake
• It's a protocol for leader selection.
• The basic idea is that the leader is chosen as a function of the stake a user holds.
• The leader of every epoch/time instance should be independent of previous leaders.
4
A Simple Solution
• Pick a random "coin id". The owner of the coin is the leader.
5
A Simple Solution - Randomness in Blockchain
• Pick a random "coin id". The owner of the coin is the leader.
• Hash the blockchain thus far. Use that to determine the next leader.
6
A Simple Solution - A Major Problem
• Pick a random "coin id". The owner of the coin is the leader.
• Hash the blockchain thus far. Use that to determine the next leader.
• Rejection Sampling: once an adversary becomes the leader, they can keep becoming the leader.
7
Ouroboros
Communication Model
• Ouroboros assumes a simple synchronous model where time is quantized and divided into slots.
• Honest members broadcast and receive their messages in the same time slot.
• Adversarial parties may send arbitrary messages to arbitrary subsets, arriving at arbitrary times.
8
Protocol Overview
• Epoch: a sequence of R slots organised together.
• Stake distribution: the distribution of stake (value) among the members in the previous epoch.
• Randomness: the output of a multi-party computation run in the previous epoch.
• Slot Leader: the member allowed to create a block in that slot, decided randomly.
• Leader schedule: the slot leaders for the current epoch, sampled from (randomness, stake distribution).
9
Static Analysis
• Analysing one epoch of R slots starting at the genesis block.
• The stake distribution is static and is stored in the genesis block along with the public keys.
• Leaders are elected independently according to relative stake: $\Pr[L_i = U] = \frac{\text{Stake of } U}{\text{Total Stake}}$
• The leader schedule is public at the start of the epoch.
10
Static Analysis - Valid Blockchain
A valid blockchain in this setting:
• Starts with the genesis block.
• Each slot contains non-conflicting valid transactions signed by the slot leader.
• A sequence of blocks (slots), associated with increasing slot numbers, is appended to the longest chain; even if a slot leader misses its slot, the next one takes its place.
11
Leader Selection
A leader selection process with respect to a stakeholder distribution $S = ((vk_1, s_1), \ldots, (vk_n, s_n))$ is a pair $(D, F)$ consisting of a distribution and a deterministic function, using an MPC protocol to generate the random seed for the function, such that when $\rho \leftarrow D$ it holds for all $sl_j \in \{sl_1, \ldots, sl_R\}$ that $F(S, \rho, sl_j)$ outputs some $U_i \in \{U_1, \ldots, U_n\}$.
12
What the Adversary can do
• Unlike the Bitcoin adversary, here the adversary knows the entire set of leaders ahead of time.
• The adversary can also generate multiple blocks per slot and broadcast them to different subsets of members.
• The adversary can take or control a $(1-\epsilon)/2$ part of the epoch chain, with $\epsilon$ being the relative stake of the honest members.
13
The Blockchain Goal
Persistence
Persistence: Once a node of the system proclaims a certain transaction tx as stable, the remaining nodes, if queried, will either report tx in the same position in the ledger or will not report as stable any transaction in conflict with tx. Specifically, a transaction is declared stable if and only if it is in a block that is more than k blocks deep in the ledger.
14
Liveness
Liveness: If all honest nodes in the system attempt to include a certain transaction, then after the passing of the transaction confirmation time all nodes, if queried and responding honestly, will report it to be stable.
15
Three Equivalent Elementary Properties
1. k-Common Prefix (k-CP); with parameter $k \in \mathbb{N}$. The chains $C_1, C_2$ possessed by two honest parties at the onset of the slots $sl_1 \preceq sl_2$ are such that $C_1^{\lceil k} \preceq C_2$, where $C_1^{\lceil k}$ denotes the chain obtained by removing the last k blocks from $C_1$, and $\preceq$ denotes the prefix relation.
2. Chain Quality (CQ); with parameters $\mu \in (0, 1]$ and $k \in \mathbb{N}$. Consider any portion of length at least k of the chain possessed by an honest party at the onset of a round; the ratio of blocks originating from the adversary is at most $1 - \mu$. We call $\mu$ the chain quality coefficient.
16
Three Equivalent Elementary Properties
3. Chain Growth (CG); with parameters $\tau \in (0, 1]$, $s \in \mathbb{N}$. Consider the chains $C_1, C_2$ possessed by two honest parties at the onset of two slots $sl_1, sl_2$ with $sl_2$ at least s slots ahead of $sl_1$. Then it holds that $\mathrm{len}(C_2) - \mathrm{len}(C_1) \le \tau s$. We call $\tau$ the speed coefficient.
If a chain satisfies these three properties, then it can be shown that it is very difficult for an adversary to "fork" a chain. We'll show some of this analysis later.
17
Ouroboros Praos
Stronger Assumptions
• Semi-Synchronous Communication: as opposed to Ouroboros, where all honest parties communicate in the same slot, we allow the adversary A to selectively delay any message sent by honest parties for up to $\Delta \in \mathbb{N}$ slots.
• Much Stronger Adversary: the adversary has the ability to corrupt parties without delay.
These conditions, especially the second one, would completely destroy the original Ouroboros protocol, since the adversary knows the leaders of the next epoch. The only restrictions that remain are that the adversary has minority stake, and that the stake shifts at a bounded rate.
18
Local, Private Leader Selection using VRFs
We use a cryptographic primitive called a Verifiable Random Function (VRF) to enable local and private leader selection.
Verifiable Random Function:
$\mathsf{Evaluate}_{sk}(input) = (output, proof)$
$\mathsf{Verify}_{pk}(input, output, proof) = 0 \text{ or } 1$
19
Local, Private Leader Selection using VRFs
Leader selection lottery for stakeholder $U_i$: $\mathsf{Evaluate}_{sk}(rnd, slot) < \phi(stake_i)$
where rnd is the randomness generated for that epoch, slot is the slot number and $\phi$ is a sublinear function of the stake. The VRF is designed such that the adversary can't generate keys that give an unfair advantage. The probability with which stakeholder $U_i$ is selected is $p_i = \phi(\alpha_i) = 1 - (1 - f)^{\alpha_i}$, where $\alpha_i$ is the relative stake of $U_i$ and f is a parameter of the protocol. Note that it's possible that there is no leader, or more than one leader, in a slot.
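As an added illustration (not code from the paper or the slides), the lottery above simulated in Python, with HMAC-SHA256 standing in for the VRF: a real VRF also returns a verifiable proof, while the keyed hash here only reproduces the uniformly distributed output. The value f = 0.5, the epoch randomness and the secret keys are constructed.

```python
import hashlib
import hmac

F = 0.5  # active slots coefficient; assumed value, not prescribed by the slides


def phi(alpha: float, f: float = F) -> float:
    """Threshold phi_f(alpha) = 1 - (1 - f)^alpha for relative stake alpha."""
    return 1.0 - (1.0 - f) ** alpha


def vrf_output(sk: bytes, rnd: bytes, slot: int) -> float:
    """Stand-in for Evaluate_sk(rnd, slot), mapped to [0, 1).

    HMAC-SHA256 is used only so the example runs offline; it has no proof and
    is NOT a VRF. Its output is uniform for a fixed key, which is all the
    lottery below relies on."""
    digest = hmac.new(sk, rnd + slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") / 2 ** 256


def is_leader(sk: bytes, rnd: bytes, slot: int, alpha: float, f: float = F) -> bool:
    """Stakeholder wins the slot iff its VRF output falls below phi(alpha)."""
    return vrf_output(sk, rnd, slot) < phi(alpha, f)


def slot_leaders(parties, rnd: bytes, slot: int, f: float = F):
    """Every party evaluates the lottery locally; zero, one or several may win."""
    return [name for name, sk, alpha in parties if is_leader(sk, rnd, slot, alpha, f)]


def prob_empty_slot(alphas, f: float = F) -> float:
    """Analytic P(no leader) = prod (1 - phi(alpha_i)) = (1 - f)^(sum alpha_i).

    With total relative stake 1 this is exactly 1 - f, independent of how the
    stake is split among parties (the 'independent aggregation' property)."""
    p = 1.0
    for a in alphas:
        p *= 1.0 - phi(a, f)
    return p


def empirical_empty_rate(parties, rnd: bytes, n_slots: int, f: float = F) -> float:
    """Fraction of the first n_slots slots in which nobody wins the lottery."""
    empty = sum(1 for s in range(n_slots) if not slot_leaders(parties, rnd, s, f))
    return empty / n_slots


if __name__ == "__main__":
    parties = [("U1", b"sk-U1", 0.5), ("U2", b"sk-U2", 0.3), ("U3", b"sk-U3", 0.2)]
    rnd = b"constructed-epoch-randomness"
    print("analytic P(empty slot):", prob_empty_slot([a for _, _, a in parties]))
    print("empirical P(empty slot):", empirical_empty_rate(parties, rnd, 4000))
```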
20
Key Evolving Signature
We use another cryptographic primitive called a Key Evolving Signature (KES). It's a signature scheme in which:
• A public-private key pair, pk and sk, is generated.
• Every time sk is used to sign, it is deleted afterwards and a new secret key sk' is generated.
• The corresponding public key pk remains the same.
• It is impossible to forge old signatures with new keys.
21
Hashing for Dirty Randomness - Solving Rejection Sampling
Recall the simple solution proposed in the beginning. Using the two primitives above, we can use that solution without the adversary being able to do rejection sampling. Every block contains an additional VRF-value from the leader. The block or blockchain can then be hashed to provide randomness for the next epoch. We don’t need to do any multi-party computation for randomness anymore.
22
Security Analysis
Definitions
Genesis Block: The genesis block $B_0$ contains the list of stakeholders identified by a label $U_i$, their respective public keys and respective stakes
$$S_0 = \big((U_1, v_1^{vrf}, v_1^{kes}, v_1^{dsig}, s_1), \ldots, (U_n, v_n^{vrf}, v_n^{kes}, v_n^{dsig}, s_n)\big)$$
23
Definitions
Block: A block $B = (sl_j, st, d, B_\pi, \sigma_j)$ generated at a slot $sl_j \in \{sl_1, \ldots, sl_R\}$ contains the current state $st \in \{0, 1\}^\lambda$ (hash of the previous block), data $d \in \{0, 1\}^*$, the slot number $sl_j$, a block proof $B_\pi$ and $\sigma_j$, a signature on $(st, d, sl_j, B_\pi)$ under the signing key for the time period of slot $sl_j$ of the stakeholder $U_i$ generating the block.
24
Definitions
Characteristic String: Let $S = \{sl_1, \ldots, sl_R\}$ be a sequence of slots of length R. For a slot $sl_j$, let $P(j)$ denote the set of parties assigned to be slot leaders for slot j. We define the characteristic string $w \in \{0, 1, \bot\}^R$ of S to be the random variable so that
$$w_j = \begin{cases} \bot & \text{if } P(j) = \emptyset \\ 0 & \text{if } |P(j)| = 1 \text{ and the assigned party is honest} \\ 1 & \text{if } |P(j)| > 1 \text{ or a party in } P(j) \text{ is adversarial} \end{cases}$$
We denote by $D^f_{Z,A}$ the distribution of the random variable $w = w_1 \ldots w_R$ with the active slots coefficient f, adversary A and environment Z.
25
Definitions
∆-fork: Let $w \in \{0, 1, \bot\}^k$ and $\Delta$ be a non-negative integer. Let $A = \{i \mid w_i \neq \bot\}$ denote the set of active indices and $H = \{i \mid w_i = 0\}$ the set of uniquely honest indices. A $\Delta$-fork for the string w is a directed rooted tree $F = (V, E)$ with a labelling $l : V \to \{0\} \cup A$ so that (i) the root $r \in V$ is given the label $l(r) = 0$; (ii) each edge of F is directed away from the root; (iii) the labels along any directed path are strictly increasing; (iv) each uniquely honest index $i \in H$ is the label of exactly one vertex of F; (v) the function $d : H \to \{1, \ldots, k\}$, defined so that $d(i)$ is the depth in F of the unique vertex v for which $l(v) = i$, satisfies the following $\Delta$-monotonicity property: if $i, j \in H$ and $i + \Delta < j$, then $d(i) < d(j)$.
26
Delta Fork
Figure 1: A 3-fork. source - research paper
27
Semisynchronous to Synchronous Reduction
A semisynchronous characteristic string, corresponding to a $\Delta$-fork, can be mapped to a synchronous characteristic string which corresponds to a simple fork. This mapped fork can be shown to upper-bound the semisynchronous fork for various properties. The mapping is defined using the function $\rho_\Delta : \{0, 1, \bot\}^* \to \{0, 1\}^*$, inductively as follows:
$$\rho_\Delta(\epsilon) = \epsilon, \quad \rho_\Delta(\bot \,\|\, w') = \rho_\Delta(w'), \quad \rho_\Delta(1 \,\|\, w') = 1 \,\|\, \rho_\Delta(w'),$$
$$\rho_\Delta(0 \,\|\, w') = \begin{cases} 0 \,\|\, \rho_\Delta(w') & \text{if } w' \in \bot^{\Delta-1} \,\|\, \{0, 1, \bot\}^* \\ 1 \,\|\, \rho_\Delta(w') & \text{otherwise.} \end{cases}$$
That is, a uniquely honest slot keeps its 0 only when it is followed by $\Delta - 1$ empty slots (so its block reaches everyone before the next leader acts); otherwise it is conservatively relabelled as adversarial.
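An added example (not code from the paper or the slides) that builds the characteristic string of a slot sequence from its leader sets, as defined on the Characteristic String slide, and then applies $\rho_\Delta$ to it as defined above. Leader sets are constructed input and $\Delta \ge 1$ is assumed.

```python
BOT = "⊥"


def characteristic_string(leaders_per_slot) -> str:
    """w_j = ⊥ (no leader), 0 (single honest leader), 1 (several leaders or an adversarial one).

    leaders_per_slot: list, one entry per slot, of lists of (party, is_honest)."""
    out = []
    for leaders in leaders_per_slot:
        if not leaders:
            out.append(BOT)
        elif len(leaders) == 1 and leaders[0][1]:
            out.append("0")
        else:
            out.append("1")
    return "".join(out)


def rho(w: str, delta: int) -> str:
    """rho_Delta from the semisynchronous-to-synchronous reduction, written iteratively.

    Empty slots are dropped, adversarial slots stay 1, and a uniquely honest slot stays 0
    only if the next delta-1 symbols are all ⊥; otherwise it becomes 1. Assumes delta >= 1."""
    if delta < 1:
        raise ValueError("delta must be at least 1 for ⊥^(delta-1) to be defined")
    out = []
    for j, c in enumerate(w):
        if c == BOT:
            continue
        if c == "1":
            out.append("1")
            continue
        tail = w[j + 1 : j + delta]            # the delta-1 symbols following this slot
        quiet = len(tail) == delta - 1 and all(t == BOT for t in tail)
        out.append("0" if quiet else "1")
    return "".join(out)


if __name__ == "__main__":
    slots = [[], [("U1", True)], [("U1", True), ("U2", True)], [("M", False)], [("U2", True)]]
    w = characteristic_string(slots)
    print(w, "->", rho(w, 1), rho(w, 2))
```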
29
A Simple Fork
Figure 2: A simple fork. source - research paper
30
Conclusion
Rigorous analysis can be done on the simple fork construct in an environment Z with $F_{vrf}$, $F_{kes}$ and other cryptographic primitives to show that the k-Common Prefix, Chain Quality and Chain Growth properties are satisfied. Thus, persistence and liveness are satisfied.
31
Experiment Results - Ouroboros
Figure 3: Transaction confirmation times in minutes that achieve assurance
99.9% against a hypothetical double spending attack with different levels of adversarial power. source - https://eprint.iacr.org/2016/889.pdf
32