Tutorial: The Ouroboros Protocol Family
Advances in Financial Technologies, 2019
Christian Badertscher & Aggelos Kiayias
The University of Edinburgh & IOHK 2
…
… transaction
immutable
an The Goal of Blockchain Protocols Blockchain of Goal The …
ledger Implement ▪ 3
…
… valid) (if (immutable) ledger ledger the changed access into be can Immutable Ledger Properties Ledger Immutable can’t transactions included Ledger Get Everyone Submit ▪ ▪ ▪ ▪ The Ledger Functionality
4 The Ledger Functionality
▪ The functionality formalizes the relevant blockchain properties and the limited capabilities of an adversary. - E.g., common state, well-formed blocks, recent transactions etc.
5 The Ledger Functionality
▪ The functionality formalizes the relevant blockchain properties and the limited capabilities of an adversary. - E.g., common state, well-formed blocks, recent transactions etc. ▪ Important: It captures the service provided to any cryptographic protocol. Applications: Incentive Mechanisms, Poker, general MPC
6 Realizing the Ledger
▪ Implement an immutable transaction ledger…
But: …
▪ Avoid a central trusted entity … ▪ Allow dynamic and easy participation ▪ Be permissionless and accessible to anyone (read and write)
7 Realizing the Ledger
▪ The case of Bitcoin: ▪ Parties repeatedly try to solve cryptographic puzzles. A solution allows to create a block and append it to the chain.
8 Realizing the Ledger
▪ The case of Bitcoin: ▪ Parties repeatedly try to solve cryptographic puzzles. A solution allows to create a block and append it to the chain.
B0
Genesis Block
9 Realizing the Ledger
▪ The case of Bitcoin: ▪ Parties repeatedly try to solve cryptographic puzzles. A solution allows to create a block and append it to the chain.
B0 B1
Lottery-style (simplified):
Find nonce N s.t. Hash(N, tx…, Hash(Bi-1)) < T
Observation: More hashing power → better chances to produce blocks.
10 Realizing the Ledger
▪ The case of Bitcoin: ▪ Parties repeatedly try to solve cryptographic puzzles. A solution allows to create a block and append it to the chain.
B0
A Tree Structure (Forks)
11 Realizing the Ledger
▪ The case of Bitcoin: ▪ Parties repeatedly try to solve cryptographic puzzles. A solution allows to create a block and append it to the chain.
B0
Blockchain Properties [GKL15,PSS17]:
Common-prefix (CP): Honest miners share a consistent common prefix. Chain-growth (CG): The number of blocks increases over time. Chain-quality (CQ): A guaranteed fraction of honestly contributed blocks.
→ Ledger can be realized assuming honest majority of hashing power
12 Realizing the Ledger
A very nice blockchain feature: Dynamic availability (DA). - Parties join and leave at will. They need to bootstrap a chain when (re-) joining. → Easy in Bitcoin: “longest-chain rule” (general: most difficult chain). - Number of online/offline parties changes over time → Analysis must account for that. - No a priori knowledge of participation levels is required by the protocol. - Unannounced disappearance.
13 Realizing the Ledger
▪ The case of Bitcoin: ▪ Parties repeatedly try to solve cryptographic puzzles. A solution allows to create a block and append it to the chain.
B0
▪ Bitcoin is not energy efficient as the hash-based lottery consumes a lot of energy to ensure the protocol’s security.
14 Realizing the Ledger
▪ The case of Bitcoin: ▪ Parties repeatedly try to solve cryptographic puzzles. A solution allows to create a block and append it to the chain.
B0
▪ Bitcoin is not energy efficient as the hash-based lottery consumes a lot of energy to ensure the protocol’s security.
Proof-of-Stake to the rescue! 15 Realizing the Ledger
Proof-of-Stake Blockchains: - Use stake (a virtual resource) instead of hashing power. - Miners = Stakeholders. - Next stakeholder to produce block elected with probability proportional to stake.
16 Realizing the Ledger
Proof-of-Stake Blockchains: - Use Stake (a virtual resource) instead of hashing power. - Miners = Stakeholders. - Next stakeholder to produce block elected with probability proportional to stake.
Two categories: Nakamoto-style consensus (e.g., Ouroboros, Snow White) BFT-style consensus (e.g., Algorand, Casper, Ouroboros-BFT)
17 Realizing the Ledger
Proof-of-Stake Blockchains: - Use Stake (a virtual resource) instead of hashing power. - Miners = Stakeholders. - Next stakeholder to produce block elected with probability proportional to stake.
Complications of PoS vs. PoW: - PoS has costless simulation: No physical resources to create blocks: several transaction histories could be generated “in the adversaries head”. - Long-Range attacks in the threat model: Adversary tries to deceive (new) participants into believing the “wrong” history (which are cheap to generate). 18 Tutorial Overview
▪ The development steps of a pure PoS-based blockchain protocol in the dynamic availability setting. ▪ Security follows from the “honest majority of stake” assumption.
▪ Start with the initial version and refine it until all the security requirements are achieved.
19 Tutorial Overview – Main Content
Ouroboros Semi-adaptive adversaries, synchrony “Classic” Strong mathematical framework (Crypto 17)
Ouroboros Praos (Eurocrypt 2018)
Ouroboros Genesis (CCS 2018)
Ouroboros Chronos (In submission, 2019)
20 Tutorial Overview – Main Content
Ouroboros Semi-adaptive adversaries, synchrony “Classic” Strong mathematical framework (Crypto 17)
+ Adaptive Adversaries Ouroboros + Network Delay (“semi-synchronous”) Praos (Eurocrypt 2018)
Ouroboros Genesis (CCS 2018)
Ouroboros Chronos (In submission, 2019)
21 Tutorial Overview – Main Content
Ouroboros Semi-adaptive adversaries, synchrony “Classic” Strong mathematical framework (Crypto 17)
+ Adaptive Adversaries Ouroboros + Network Delay (“semi-synchronous”) Praos (Eurocrypt 2018)
+ Full dynamic availability Ouroboros + Bootstrapping from Genesis Genesis (CCS 2018)
Ouroboros Chronos (In submission, 2019)
22 Tutorial Overview – Main Content
Ouroboros Semi-adaptive adversaries, synchrony “Classic” Strong mathematical framework (Crypto 17)
+ Adaptive Adversaries Ouroboros + Network Delay (“semi-synchronous”) Praos (Eurocrypt 2018)
+ Full dynamic availability Ouroboros + Bootstrapping from Genesis Genesis (CCS 2018)
+ Only based on same-speed assumption. Ouroboros + Bootstrapping state and time from genesis Chronos (In submission, 2019)
23 Tutorial Overview – Main Content
Ouroboros Semi-adaptive adversaries, synchrony “Classic” Strong mathematical framework (Crypto 17)
+ Adaptive Adversaries Ouroboros + Network Delay (“semi-synchronous”) Praos (Eurocrypt 2018)
+ Full dynamic availability Ouroboros + Bootstrapping from Genesis Genesis (CCS 2018)
+ Only based on same-speed assumption. Ouroboros + Bootstrapping state and time from genesis Chronos (In submission, 2019) = PoS blockchain in the DA setting without global clocks. 24 Tutorial Overview – Additional Features
Ouroboros “Classic” Ouroboros BFT (Crypto 17) An extremely simple BFT protocol that follows Ouroboros from the Ouroboros Classic analysis Praos (Eurocrypt 2018)
Ouroboros Ouroboros Genesis Crypsinous (CCS 2018) (S&P 2019) Ouroboros with Privacy Ouroboros Chronos (In submission, 2019)
25 Ouroboros – Protocol Design
Ouroboros Semi-adaptive adversaries, synchrony “Classic” Strong mathematical framework (Crypto 17)
+ Adaptive Adversaries Ouroboros + Network Delay (“semi-synchronous”) Praos (Eurocrypt 2018)
+ Full dynamic availability Ouroboros + Bootstrapping from Genesis Genesis (CCS 2018)
+ Only based on same-speed assumption. Ouroboros + Bootstrapping state and time from genesis Chronos (In submission, 2019) = PoS blockchain in the DA setting without global clocks. 26 The General Picture and Assumed Resources
Blockchain Blockchain Protocol Clock Protocol Functionality
Random Oracle Blockchain Arbitrary Protocol Strategy
Diffusion Network
Genesis Blockchain Arbitrary Block Protocol Strategy
Setup Resources
27 The General Picture and Assumed Resources - Synchrony: Time-stamps, slots - Unpredictability: Hash-functions - Communication: Multicast/Broadcast, limited delay Δ Blockchain Blockchain Protocol Clock Protocol Functionality
Random Oracle Blockchain Arbitrary Protocol Strategy
Diffusion Network
Genesis Blockchain Arbitrary Block Protocol Strategy
Setup Resources
28 Ouroboros – Protocol Design
Epoch 1 Epoch 2
29 Ouroboros – Protocol Design
= Public address: verification key vkj of a signature scheme
+ = A number of coins (tokens) sj associated to vkj Random seed
G
Epoch 1 Epoch 2
30 Ouroboros – Protocol Design
In each round:
+ 1.) Determine the current longest valid chain. Random 2.) Determine Slot-Leadership seed 3.) Slot leader: Pack transactions, create and publish block
G
Epoch 1 Epoch 2
31 Ouroboros – Protocol Design
In each round:
+ 1.) Determine the current longest valid chain. Random 2.) Determine Slot-Leadership seed 3.) Slot leader: Pack transactions, create and publish block
G
Epoch 1 Epoch 2
32 Ouroboros – Protocol Design
Slot Leadership in Classic: Random process (“Coin Tossing”)
+ Random F( , , , seed, slot) → seed
G
Epoch 1 Epoch 2
33 Ouroboros – Protocol Design
Slot Leadership in Classic: Random process (“Coin Tossing”)
+ Random F( , , , seed, slot) → seed
For example: G
EpochBiased1 -Coin Toss Epoch 2
34 Ouroboros – Protocol Design
Slot Leadership in Classic: Random process (“Coin Tossing”)
+ Random F( , , , seed, slot) → seed
For example: G
1 6
EpochBiased1 -Coin Toss Epoch 2
35 Ouroboros – Protocol Design
Slot Leadership in Classic: Random process (“Coin Tossing”)
+ Random F( , , , seed, slot) → seed
For example: G
1 1 6 3
EpochBiased1 -Coin Toss Epoch 2
36 Ouroboros – Protocol Design
Slot Leadership in Classic: Random process (“Coin Tossing”)
+ Random F( , , , seed, slot) → seed
For example: G
1 1 1 6 3 2 EpochBiased1 -Coin Toss Epoch 2
37 Ouroboros – Protocol Design
Slot Leadership in Classic: Random process (“Coin Tossing”)
+ Random F( , , , seed, slot) → seed
G
Epoch 1 Epoch 2
Simplified model “Semi-adaptive” (will be strengthened later): - Adversary cannot adaptively react on the (public) slot-leader schedule. (As an approximation: think of a static corrupted set of parties) 38 Ouroboros – Protocol Design
In each round:
+ 1.) Determine the current longest valid chain. Random 2.) Determine Slot-Leadership seed 3.) Slot leader: Pack transactions, create and publish block
G
Epoch 1 Epoch 2
39 Ouroboros – Protocol Design
Hash pointer to prev. block Content / Transactions + Block structure: Slot number Random Signature of slot leader seed
G
Epoch 1 Epoch 2
40 Ouroboros – Protocol Design
In each round:
+ 1.) Determine the current longest valid chain. Random 2.) Determine Slot-Leadership seed 3.) Slot leader: Pack transactions, create and publish block
G
Epoch 1 Epoch 2
41 Ouroboros – Protocol Design
Chain Selection Rule: Adopt a valid new chain if it is longer and does not fork by more than k blocks from local chain. + Random Otherwise, keep local chain. seed
G
Epoch 1 Epoch 2
Simplified model: no newcomers, full participation (will be strengthened later).
42 Ouroboros – Protocol Design
Chain Selection Rule: Adopt a valid new chain if it is longer and does not fork by more than k blocks from local chain. + Random Otherwise, keep local chain. seed Protection against long-range attacks (to be discussed later). G
Epoch 1 Epoch 2
Simplified model: no newcomers, full participation (will be strengthened later).
43 Ouroboros – Protocol Design
In each round: Pointer to prev. block 1.) Determine the current longest valid chain. Transactions 2.) Determine Slot-Leadership Slot number + 3.) Slot leader: Pack transactions, create and publish block Random Signature of leader seed
G
Epoch 1 Epoch 2
44 Ouroboros – Protocol Design
Epoch Switch:
1.)Pointer New Staketo prev. Distribution block Transactions + 2.) NewSlot Epoch number Seed Random Signature of leader seed
G
Epoch 1 Epoch 2
45 Ouroboros – Protocol Design
Epoch Switch:
1.)Pointer New Staketo prev. Distribution block → AsTransactions reported by transactions + 2.) NewSlot Epoch number Seed Random Signature of leader seed
G
Epoch 1 Epoch 2
46 Ouroboros – Protocol Design
Epoch Switch:
1.)Pointer New Staketo prev. Distribution block Transactions + 2.) NewSlot Epoch number Seed Random A slightlySignature more of complex leader process seed
G
Epoch 1 Epoch 2
47 Ouroboros – Protocol Design
Epoch Switch:
1.)Pointer New Staketo prev. Distribution block Transactions + 2.) NewSlot Epoch number Seed Random A slightlySignature more of complex leader process seed
G
Epoch 1 Epoch 2 A secure implementation (MPC) that achieves a randomness beacon. - PVSS, messages packed into blocks
48 Ouroboros – Protocol Design
Epoch Switch:
1.)Pointer New Staketo prev. Distribution block Transactions + 2.) NewSlot Epoch number Seed Random A slightlySignature more of complex leader process seed
G
Epoch 1 Epoch 2 Randomness-Beacon Functionality: - Emits a random value at start of epoch - Cannot be predicted ahead of time and not tampered 49 Ouroboros – Protocol Design Summary
+ Random seed
G
50 Ouroboros – Protocol Design Summary
+ Random seed
G
Randomness Beacon
51 Ouroboros – Protocol Design Summary
+ + Random Random seed seed
G
Note: Randomness Majority of honest stake required Beacon from each new distribution.
52 Ouroboros – Protocol Design Summary
+ + Random Random seed seed
G
Randomness Randomness Beacon Beacon
53 Ouroboros – Protocol Design Summary
+ + Random Random + seed seed Random seed
G
Randomness Randomness Beacon Beacon
54 Ouroboros – Protocol Design Summary
+ + Random Random + seed seed Random seed
G
Randomness Randomness Beacon Beacon
55 Ouroboros – Analysis
▪ Analysis of first epoch
▪ Lifting to multiple epochs (inductive argument)
56 Ouroboros – Analysis of First Epoch
Life is not perfect... and some forks will emerge…
We need a careful analysis! + Random seed
G
v Epoch 1
57 A General Analytical Approach: The Forkable String Analysis Slots are assigned a symbol from an alphabet. The symbol signifies whether honest parties speak, adversaries speak or no-one speaks.
58 A General Analytical Approach: The Forkable String Analysis Slots are assigned a symbol from an alphabet. The symbol signifies whether honest parties speak, adversaries speak or no-one speaks.
Such a string gives rise to a family of admissible graphs that describe all that can happen in an execution that follows longest chain:
59 A General Analytical Approach: The Forkable String Analysis Slots are assigned a symbol from an alphabet. The symbol signifies whether honest parties speak, adversaries speak or no-one speaks.
Such a string gives rise to a family of admissible graphs that describe all that can happen in an execution that follows longest chain:
The analysis reveals that the vast majority of strings (under proper conditions) have admissible graphs that translate to well behaved protocol executions. 60 Forks: Abstracting Protocol Executions
Characteristic string: 0: Slot belongs to exactly one honest party. 1: Slot belongs to a malicious coalition : Slot cannot be claimed (e.g. if election process would assign no leader)
61 Forks: Abstracting Protocol Executions
Genesis
honest Characteristicparty string: 0: Slotproduces belongs to exactly one honest party. 1: Slotblock belongs 1 to a malicious coalition : Slot cannot be claimed (e.g. if election process would assign no leader)
62 Forks: Abstracting Protocol Executions
Genesis
adversary honest serves party Characteristic string: block 3 to produces 0: Slot belongs to exactlyhonest one honest party. 1: Slotblock belongs 1 to a malicious coalition : Slot cannot be claimedparty (e.g. if election process would assign no leader)
63 Forks: Abstracting Protocol Executions
adversary Characteristic string: serves 0: Slot belongs to exactly one honestblock party. 6 to 1: Slot belongs to a malicious coalitionhonest : Slot cannot be claimed (e.g. if processparty would assign no leader)
64 Forks: Abstracting Protocol Executions
adversary serves block 1 Characteristic string: to honest party 0: Slot belongs to exactly one honest party. (Δ=3) 1: Slot belongs to a malicious coalition : Slot cannot be claimed (e.g. if process would assign no leader)
65 Forks: Abstracting Protocol Executions
Fork with delay Δ=3
adversary serves block 1 Characteristic string: to honest party 0: Slot belongs to exactly one honest party. (Δ=3) 1: Slot belongs to a malicious coalition : Slot cannot be claimed (e.g. if process would assign no leader)
66 Forks: Abstracting Protocol Executions
adversary Characteristic string: serves block 12 0: Slot belongs to exactly one honest party. to honest party 1: Slot belongs to a malicious coalition : Slot cannot be claimed (e.g. if process would assign no leader)
67 Forks: Abstracting Protocol Executions
Important Property: Depth of honest nodes increases (from left to right) if more than Δ slots apart. (Lower bound on the depth of the fork)
68 Combinatorics of Characteristic Strings
▪ Given a characteristic string can we classify the family of forks that it permits? ▪ Characteristic string is drawn according to a specific probability distribution: bias toward 0 (by honest-majority assumption). ▪ Forkable string: those strings that allow a fork with two tines of length equal to the height of the fork.
69 FocusCombinatorics on this particular of structure:Characteristic Strings
→ Analysis shows that this is a very unlikely structure to occur (as a ▪functionGiven of a the characteristic length of the stringsampled can string). we classify the → Note:family Also of unlikely forks that as a it subgraph permits? of any execution, i.e., no execution▪ Characteristic has such string a bad is drawndivergence according point to (anda specific thus we have CP). probability distribution. ▪ Forkable string: those strings that allow a fork with two tines of length equal to the height of the fork.
70 Drawing from Bitcoin analysis
5 At the core of the analysis 4 Difference: lies a 1D Random Walk 3 1.) #PoWs of 2 adversary in (Probability the adversary finds a POW) time segment 1 - 0 2.) #PoWs of -1 honest parties “Uniquely successful rounds” in time segment -2 ( = Probability an honest party finds a POW) -3 -4 -5 71 Drawing from Bitcoin analysis
5 At the core of the analysis 4 Difference: lies a 1D Random Walk 3 1.) #PoWs of 2 adversary in (Probability the adversary finds a POW) time segment 1 - 0 2.) #PoWs of -1 honest parties “Uniquely successful rounds” in time segment -2 ( = Probability an honest party finds a POW) -3
-4 - A favorable step is downwards. -5 - Such a step is more likely by assumption . 72 from PoW to PoS
▪ Winning a slot for the honest parties (even uniquely) does not necessarily constitute a favorable step in the random walk.
“Nothing-at-stake”: The adversary may reuse an opportunity to issue a block in multiple paths of a fork
73 Forkable Strings (for simplicity we do only the {0,1} case)
For a tine t, the following quantities are of interest to the adversary:
• gap(t): length difference with leading honest node. • reserve(t): number of adversarial slots after end of t. • reach(t) := reserve(t) - gap(t).
74 Forkable Strings
For a tine t, the following quantities are of interest to the adversary:
• gap(t): length difference with leading honest node. • reserve(t): number of adversarial slots after end of t. • reach(t) := reserve(t) - gap(t).
gap(t) = 4
75 Forkable Strings
For a tine t, the following quantities are of interest to the adversary:
• gap(t): length difference with leading honest node. • reserve(t): number of adversarial slots after end of t. • reach(t) := reserve(t) - gap(t).
reserve(t) = 3
76 Forkable Strings
For a tine t, the following quantities are of interest to the adversary:
• gap(t): length difference with leading honest node. • reserve(t): number of adversarial slots after end of t. • reach(t) := reserve(t) - gap(t).
reach(t) = -1
77 Forkable Strings
For a tine t, the following quantities are of interest to theCan adversary: the adversary catch up with “longest chain” with this tine? • gap(t): length difference with leading honest node. • reserve(t): number of adversarial slots after end of t. • reach(t) := reserve(t) - gap(t).
reach(t) = -1
78 Forkable Strings
Looking at a fork F in general, we are interested in:
• reach(F): max reach(t) • margin(F): second highest & disjoint reach(t’)
reach(t) = -1
reach(ṫ) = 0 t’ reach(t') = -1
79 Forkable Strings
Looking at a fork F in general, we are interested in:
• reach(F): max reach(t) • margin(F): second highest & disjoint reach(t’)
reach(t) = -1 reach(F) = 0
reach(ṫ) = 0 t’ reach(t') = -1 margin(F) = -1
80 Forkable Strings
If second highest allows to catch up with Looking at a forklongest: F in general, margin wenon are-negative. interested in:
• reach(F): max reach(t) • margin(F): second highest & disjoint reach(t’)
reach(t) = -1 reach(F) = 0
reach(ṫ) = 0 t’ reach(t') = -1 margin(F) = -1
81 Reach & Margin
Define:
휌(w) = maxF reach(F) 휇(w) = maxF margin(F)
• Fact: w is forkable (adversary wins) iff 휇(w) ≥ 0.
• We want to prove that the density of forkable strings among all strings is tiny (assuming Hamming weight is below 1/2).
• We consider a 2D random walk defined by the pair ( 휌 ( w ), 휇 ( w )) where w is a binomial random variable.
82 Recursive Formula for Reach & Margin
83 Recursive Formula for Reach & Margin
reach and margin decrement
84 Recursive Formula for Reach & Margin
reach never reach and drops below 0 margin decrement
85 Recursive Formula for Reach & Margin
it is possible for the adversary to compensate for the reach never reach and margin, by drops below 0 margin sacrificing reach decrement
86 2D Random Walk margin
reach
probability an honest party wins a slot probability the adversary wins a slot
87 2D Random Walk margin
reach
probability an honest party wins a slot probability the adversary wins a slot
88 2D Random Walk margin
reach
probability an honest party wins a slot probability the adversary wins a slot
89 2D Random Walk margin
reach
probability an honest party wins a slot probability the adversary wins a slot
90 2D Random Walk margin
reach
probability an honest party wins a slot probability the adversary wins a slot
91 Analysis
Analysis shows:
92 Analysis
푅(푡), 푀(푡): Reach resp. margin after 푡 푛 steps of the random walk Analysis(“coarse shows: grained steps of the walk”).
93 Analysis
Analysis shows:
94 Analysis
Analysis shows:
95 Analysis
Analysis shows:
96 Analysis
An improved analysis shows an error bound of
“The Combinatorics of the Longest-Chain Rule: Linear Consistency for Proof-of-Stake Blockchains” by EricaAnalysis Blum and Aggelos shows Kiayias: and Cristopher Moore and Saad Quader and Alexander Russell.
97 Analysis
Conclusion: - Characteristic string not forkable (w.h.p.) → No long diverging paths - Common prefix achieved (w.h.p.) Analysis shows:
98 Also: Chain Growth & Quality
Chain Quality: any sufficiently long section along a (viable) tine must contain an honest node with overwhelming probability. (→ Otherwise, #0’s < #1’s)
Chain Growth: The #0’s support growth and by the above, the growth is reflected in any viable tine (with a small discount).
99 Also: Chain Growth & Quality
Chain Quality: any sufficiently long section along a (viable) tine must contain an honest node with overwhelming probability. (→ Otherwise, #0’s < #1’s)
Chain Growth: The Viable#0’s support tines: growth Correspond and by the above, to chains the that growth is reflected in areany viablelong tineenough (with a smallto be discount). adopted by an honest party at a given time.
100 Lifting To Multiple Epochs
101 Lifting To Multiple Epochs
+ Random seed
G
Randomness Beacon
102 Lifting To Multiple Epochs
+ Properties CP, CG, CQ Random seed
G
Randomness Beacon
103 Lifting To Multiple Epochs
+ - CG+CQ: All honest parties report Random a green block. seed - CP: Agreement on green block.
G
Randomness Beacon
104 Lifting To Multiple Epochs
- CG+CQ: All honest parties report + + Random Random seed a green block. seed - CP: Agreement on green block.
Epoch Randomness: Has to be released after fixing the G stake distribution.
Randomness Beacon
105 Lifting To Multiple Epochs
“Smooth Epoch Boundaries” Distribution of entire characteristic string is uniquely defined for this execution and dominated by a binomial distribution favoring 0’s over 1’s (as before).
G
106 Incentives
How to make honest parties participate?
• Costs • Such as verifying transactions, packaging them in the right order. • Rewards • Such as collecting fees.
Problem: Pure chain quality underrepresents the honest parties’ effort: Effort in maintaining the inputs is not rewarded proportionally.
107 Incentives
How to make honest parties participate?
• Costs • Such as verifying transactions, packaging them in the right order. • Rewards • Such as collecting fees.
Problem: Pure chain qualityKey Idea:underrepresents the honest parties.Main effort Effort is inrelated maintaining to input contributionthe inputs is→ notDeclare rewarded it to be proportionally. a separate task.
108 Incentives
Solution: Input Endorsers • Each slot elects an additional stakeholder (or a set of stakeholders) to contribute inputs. • Using a parallel lottery. • Like the 2-for-1 mechanism in PoW as in GKL analysis or Fruitchains.
• Endorsed inputs are permitted in the blockchain any time within a small window following and inclusive the slot that elects them.
Outer Block Input Block
Input Block
109 Incentives
Solution: Input Endorsers • Each slot elects an additional stakeholder (or a set of stakeholders) to contribute inputs. • Using a parallel lottery. • Like the 2-for-1 mechanism in PoW as in GKL analysis or Fruitchains.
• Endorsed inputs are permitted in the blockchain any time within a small window following and inclusive the slot that elects them.
Outer Block → Overall #Input blocks Input Block proportional to stake.
Input Block
→ Protocol becomes a Nash equilibrium for an appropriate reward function (that rewards input blocks in an aggregate fashion over a sequence of blocks). 110 Ouroboros BFT
Ouroboros “Classic” Ouroboros BFT (Crypto 17) An extremely simple BFT protocol that follows Ouroboros from the Ouroboros Classic analysis Praos (Eurocrypt 2018)
Ouroboros Ouroboros Genesis Crypsinous (CCS 2018) (S&P 2019) Ouroboros with Privacy Ouroboros Chronos (In submission, 2019)
111 Ouroboros BFT
Ouroboros “Classic” Ouroboros BFT (Crypto 17) An extremely simple BFT protocol that follows Ouroboros from the Ouroboros Classic analysis Praos (Eurocrypt 2018) Central Observation: OuroborosA characteristic string (assume binary)Ouroboros with Hamming- Genesis weight less than 1/3 is notCrypsinous forkable. (CCS 2018) (S&P 2019) Ouroboros with Privacy Ouroboros Chronos (In submission, 2019)
112 Ouroboros – Praos & Genesis
Ouroboros Semi-adaptive adversaries, synchrony “Classic” Strong mathematical framework (Crypto 17)
+ Adaptive Adversaries Ouroboros + Network Delay (“semi-synchronous”) Praos (Eurocrypt 2018)
+ Full dynamic availability Ouroboros + Bootstrapping from Genesis Genesis (CCS 2018)
+ Only based on same-speed assumption. Ouroboros + Bootstrapping state and time from genesis Chronos (In submission, 2019) = PoS blockchain in the DA setting without global clocks. 113 Ouroboros – Praos & Genesis
Ouroboros Semi-adaptive adversaries, synchrony “Classic” Strong mathematical framework (Crypto 17)
+ Adaptive Adversaries Ouroboros + Network Delay (“semi-synchronous”) Praos Stronger(Eurocrypt 2018) cryptographic primitives needed: + Full dynamic availability - ToOuroboros enable private lottery + Bootstrapping from Genesis - ToGenesis fully mitigate adaptive corruptions (CCS 2018)
+ Only based on same-speed assumption. Ouroboros + Bootstrapping state and time from genesis Chronos (In submission, 2019) = PoS blockchain in the DA setting without global clocks. 114 Ouroboros – Praos & Genesis
Ouroboros Semi-adaptive adversaries, synchrony “Classic” Strong mathematical framework (Crypto 17)
+ Adaptive Adversaries Ouroboros + Network Delay (“semi-synchronous”) Praos (Eurocrypt 2018)
+ Full dynamic availability Ouroboros + Bootstrapping from Genesis Genesis (CCS 2018) Newcomers should be able+ Only to joinbased the on same-speed assumption. Ouroboros + Bootstrapping state and time from genesis systemChronos without the extra help of existing parties.(In submission, 2019) = PoS blockchain in the DA setting without global clocks. 115 Ouroboros – Praos & Genesis
Ouroboros Semi-adaptive adversaries, synchrony “Classic” Strong mathematical framework (Crypto 17)
+ Adaptive Adversaries Ouroboros + Network Delay (“semi-synchronous”) Praos (Eurocrypt 2018)
+ Full dynamic availability Ouroboros + Bootstrapping from Genesis Genesis (CCS 2018) Genesis Security Proof
+ Only based on same-speed assumption. Ouroboros + Bootstrapping state and time from genesis Chronos (In submission, 2019) = PoS blockchain in the DA setting without global clocks. 116 Cryptographic Tools to Protect against Adaptive Adversaries
117 Cryptographic Tools to Protect against Adaptive Adversaries
Verifiable random functions (VRF) – with unpredictability under malicious key generation. (푉푅퐹. 퐺푒푛, 푉푅퐹. 퐸푣푎푙, 푉푅퐹. 푉푒푟푖푓푦) → Output appears pseudo-random (for a new input) → Input and output are verifiably tied together → Output cannot be biased by crafting strange keys → Purpose: Allow private leader-election and thereby a more realistic attacker model (mitigate adaptive attacks).
118 Cryptographic Tools to Protect against Adaptive Adversaries
Key evolving signature scheme (KES)
(퐾퐸푆. 퐺푒푛, 퐾퐸푆. 푆푖푔푛, 퐾퐸푆. 푈푝푑푎푡푒, 퐾퐸푆. 푉푒푟푖푓푦) → Operates as normal signature scheme (unforgeable) → Key updates: All values signed “in the past” remain unforgeable even if party gets corrupted after the update. → Purpose: Protect previous actions and thereby allow realistic corruption model (tolerate “immediate corruptions”).
119 Ouroboros Praos/Genesis: Basic Operation
Epoch - 2 Epoch - 1 Current epoch
120 Ouroboros Praos/Genesis: Basic Operation
- In each slot, each party evaluates slot-leadership. Private election, proportional to stake, including recent randomness from the chain
- A slot leader extends a chain by creating the block for this slot.
Epoch - 2 Epoch - 1 Current epoch
121 Ouroboros Praos/Genesis: Basic Operation
Epoch - 2 Epoch - 1 Current epoch
122 Ouroboros Praos/Genesis: Basic Operation
Epoch - 2 Epoch - 1 Current epoch
123 Ouroboros Praos/Genesis: Basic Operation
1) Agreement on stake distribution Epoch - 2 Current epoch
124 Ouroboros Praos/Genesis: Basic Operation
Simple Randomness-Beacon Implementation: Current seed := Hash of verifiably random values from the chain. 푉푅퐹. 퐸푣푎푙 "NONCE", 푝푟푒푣푖표푢푠 푠푒푒푑, 푠푙표푡 푠푘푖
1) Agreement on stake distribution. Epoch - 2 Current epoch 2) Agreement on randomness. 3) Randomness affected by honest block(s)
125 Ouroboros Praos/Genesis: Basic Operation Lottery in each slot:
A party i is leader if and only if 푉푅퐹. 퐸푣푎푙 "TEST", 풔풆풆풅, 푠푙표푡 < 푇(푠푡푎푘푒 ) 푠푘푖 푖
- Empty slots possible - Multiple leaders possible - Leadership proof from VRF.
1) Agreement on stake distribution. Epoch - 2 Current epoch 2) Agreement on randomness. 3) Randomness affected by honest block(s)
126 Ouroboros Praos/Genesis: Details on Leader Election
푉푅퐹. 퐸푣푎푙 "TEST", 풔풆풆풅, 푠푙표푡 < 푇(푠푡푎푘푒 ) 푠푘푖 푖
ℓ푉푅퐹 → 푇 푠푡푎푘푒푖 = 2 휑푓(푟푒푙. 푠푡푎푘푒푖)
푥 → 휑푓 푥 = 1 − (1 − 푓)
127 Ouroboros Praos/Genesis: Details on Leader Election
푉푅퐹. 퐸푣푎푙 "TEST", 풔풆풆풅, 푠푙표푡 < 푇(푠푡푎푘푒 ) 푠푘푖 푖
ℓ푉푅퐹 → 푇 푠푡푎푘푒푖 = 2 휑푓(푟푒푙. 푠푡푎푘푒푖)
푥 → 휑푓 푥 = 1 − (1 − 푓)
Some remarks:
1.) Active slot coefficient: 휑 푓 1 = 푓 ; slot empty with prob. 1 − 푓 .
2.) Independent aggregation property: 1 − 휑푓 푥푖 = ෑ(1 − 휑푓 푥푖 ) 푖 푖 → Probability of leadership independent of distribution to addresses. → The concave (and subadditive as 휑 푓 0 = 0 ) property eases the analysis.
128 Recall: Chain-Selection Rule
G Local
129 Recall: Chain-Selection Rule
G Local
1
130 Recall: Chain-Selection Rule
G Local
1
131 Recall: Chain-Selection Rule
G Local
1
2
132 Attention: Longest Chain Rule Does not Work
G Local
2
Family of long-range attacks (e.g., stake-bleeding [GKR18])
133 Recall: Chain-Selection Rule
Chain Selection Rule [e.g., DGKR18] :
Adopt a valid new chain… G Local 1) …if it is longer and does not fork by more than k blocks from local chain. 1 Otherwise, keep local chain.
2
134 At first sight…
… it seems one would require one of the following:
1.) Online parties maintain a moving checkpoint → Joining parties need advice.
2.) A fixed and known lower bound on participation → No flexible participation, protocol might be stalled.
135 Ouroboros – Praos & Genesis
Ouroboros Semi-adaptive adversaries, synchrony “Classic” Strong mathematical framework (Crypto 17)
+ Adaptive Adversaries Ouroboros + Network Delay (“semi-synchronous”) Praos (Eurocrypt 2018)
+ Full dynamic availability Ouroboros + Bootstrapping from Genesis Genesis (CCS 2018)
+ Only based on same-speed assumption. Ouroboros + Bootstrapping state and time from genesis Chronos (In submission, 2019) = PoS blockchain in the DA setting without global clocks. 136 The Genesis Chain-Selection Rule
… it seems one would require one of the following:
1.) Online parties maintain a moving checkpoint → Joining parties need advice.
2.) A fixed and known lower bound on participation → No flexible participation, protocol might be stalled. We do not require either of these!
Thanks to a more involved Chain-Selection Rule
137 The Genesis Chain-Selection Rule
138 The Genesis Chain-Selection Rule
G
Now
139 The Genesis Chain-Selection Rule
G
Time-Interval after fork
Now INT
(Protocol parameter: size of INT) 140 The Genesis Chain-Selection Rule
Genesis Rule:
GAdopt a valid new chain…
1) …if it is longer and does not fork by more than k blocks from local chain.
2) … or if it forks by more than k blocks but has higher block density on interval INT.
Otherwise, keep local chain. Time-Interval after fork
Now INT
141 Ouroboros – Praos & Genesis
Ouroboros Semi-adaptive adversaries, synchrony “Classic” Strong mathematical framework (Crypto 17)
+ Adaptive Adversaries Ouroboros + Network Delay (“semi-synchronous”) Praos (Eurocrypt 2018)
+ Full dynamic availability Ouroboros + Bootstrapping from Genesis Genesis (CCS 2018) Genesis Security Proof
+ Only based on same-speed assumption. Ouroboros + Bootstrapping state and time from genesis Chronos (In submission, 2019) = PoS blockchain in the DA setting without global clocks. 142 Roadmap of Security Proof of Genesis
▪ Security of Ouroboros Genesis with the old chain selection rule (=Praos) and dynamic participation but no newly joining parties.
▪ Security for joining parties: new Genesis rule in action.
143 Roadmap of Security Proof of Genesis
▪ Security of Ouroboros Genesis with the old chain selection rule (=Praos) and dynamic participation but no newly joining parties.
▪ Security for joining parties: new Genesis rule in action.
144 Security under dynamic Participation
▪ Recall the Fork abstraction:
5 7 9 10
0 2
5 6 7 10 11
0 ꓕ 0 ꓕ ꓕ 1 0 1 ꓕ ꓕ 0 1 0 145 Security under dynamic Participation
▪ Recall the Fork abstraction:
5 7 9 10 A substantial CP-violation (divergence) occurs only with negligible probability if: 0 2 Majority of active stake is honest. 5 6 7 10 11
0 ꓕ 0 ꓕ ꓕ 1 0 1 ꓕ ꓕ 0 1 0 146 Security under dynamic Participation
▪ Recall the Fork abstraction:
5 7 9 10 A substantial CP-violation (divergence) occurs only with negligible probability if: 0 2
5 6 7 10 11
0 ꓕ 0 ꓕ ꓕ 1 0 1 ꓕ ꓕ 0 1 0 147 Security under dynamic Participation
• Dynamic Participation: Dependent variables, biased lottery in favor of honest parties → Martingales
• We show Common Prefix, Chain Growth, Chain Quality
• Realizes the ledger (composable analysis)
148 Roadmap of Security Proof of Genesis
▪ Security of Ouroboros Genesis with the old chain selection rule (=Praos) and dynamic participation but no newly joining parties.
▪ Security for joining parties: new Genesis rule in action.
149 Security of the Genesis Rule
Claim 1: If a party is always up-to-date and using the Genesis chain- selection rule, she will never adopt a chain that forks by more than k blocks (compared to her local chain in any round).
Claim 2: Using the Genesis chain-selection rule, a newly joining party will adopt a recent chain with large common prefix w.r.t. honest parties. No other advice than the genesis block is needed.
150 Security of the Genesis Rule
Claim 1: If a party is always up-to-date and using the Genesis chain- selection rule, she will never adopt a chain that forks by more than k blocks (compared to her local chain in any round).
Claim 2: Using the Genesis chain-selection rule, a newly joining party will adopt a recent chain with large common prefix w.r.t. honest parties. No other advice than the genesis block is needed.
151 Claim 1 – Proof Idea
Interval INT Now
152 Claim 1 – Proof Idea
Interval INT Now
153 Claim 1 – Proof Idea
Now Interval INT First honest slot after INT
154 Claim 1 – Proof Idea
A substantial divergence! Hence, situation does not occur.
Interval INT Now
Covered by previous “Praos” analysis.
155 Security of the Genesis Rule
Claim 1: If a party is always up-to-date and using the Genesis chain- selection rule, she will never adopt a chain that forks by more than k blocks (compared to her local chain in any round).
Claim 2: Using the Genesis chain-selection rule, a newly joining party will adopt a recent chain with large common prefix w.r.t. honest parties. No other advice than the genesis block is needed.
156 Claim 2 – Proof Idea
First newly joining party
t0
157 Claim 2 – Proof Idea
First newly joining party
t0
158 Claim 2 – Proof Idea
If decides to adopt a “good” chain C, then so does
t0
159 Claim 2 – Proof Idea
G C
t0
160 Claim 2 – Proof Idea
G C
C’
t0
161 Claim 2 – Proof Idea A substantial divergence does not occur.
G C
C’
t0
Covered by previous analysis of
new chain-selection rule 162 Privacy in Ouroboros: Crypsinous
Ouroboros “Classic” Ouroboros BFT (Crypto 17)
Ouroboros Praos (Eurocrypt 2018)
Ouroboros Ouroboros Genesis Crypsinous (CCS 2018) (S&P 2019) Genesis with Privacy Ouroboros Chronos (In submission, 2019)
163 Privacy in Ouroboros: Crypsinous
Ouroboros Problem Summary: “Classic” Ouroboros BFT (Crypto Public17) verifiability of leader schedule vs. OuroborosHide amount of stake possessed Praos (Eurocrypt 2018)
Ouroboros Ouroboros Genesis Crypsinous (CCS 2018) (S&P 2019) Genesis with Privacy Ouroboros Chronos (In submission, 2019)
164 Privacy in Ouroboros: Crypsinous
Ouroboros “Classic” Ouroboros BFT (Crypto 17)
Ouroboros Praos (Eurocrypt 2018)
Ouroboros Ouroboros Genesis Crypsinous (CCS 2018) (S&P 2019) Genesis with Privacy Ouroboros - Zero-knowledge proof systems Chronos - SNARKs (In submission, 2019)
165 Ouroboros: Real-World Implementations
Ouroboros “Classic” Ouroboros BFT (Crypto 17)
Ouroboros Praos (Eurocrypt 2018)
Ouroboros Cardano is running on Ouroboros PoS and Genesis other companies are implementing versions (CCS 2018) of it.
Ouroboros Chronos (In submission, 2019)
166 Ouroboros – Chronos
Ouroboros Semi-adaptive adversaries, synchrony “Classic” Strong mathematical framework (Crypto 17)
+ Adaptive Adversaries Ouroboros + Network Delay (“semi-synchronous”) Praos (Eurocrypt 2018)
+ Full dynamic availability Ouroboros + Bootstrapping from Genesis Genesis (CCS 2018)
+ Only based on same-speed assumption. Ouroboros + Bootstrapping state and time from genesis Chronos (In submission, 2019) = PoS blockchain in the DA setting without global clocks. 167 So far: Dependency on a Good Timing Service
Clock Functionality
Time axis:
168 So far: Dependency on a Good Timing Service
Slot Axis:
Time axis:
169 So far: Dependency on a Good Timing Service
Slot Axis:
s
s
s
Time axis:
NOW 170 So far: Dependency on a Good Timing Service
Slot Axis:
Recall Lottery (Nakamoto-Style Consensus): s - A party I is leader if and only if 푉푅퐹 TEST, 푠푒푒푑, 풔풍풐풕 < 푇(푠푡푎푘푒 ) 푠푘푖 푖 - All have the same idea of future and past - Example: “future chains are rejected - because bad anyway”. s
Time axis:
171 So far: Dependency on a Good Timing Service Strong Assumption: - Perfect time coordination for everyone, including newly joining parties. - Needs another protocol eventually, e.g. NTP.
Clock Functionality
Time axis:
172 Better: Same-Speed Assumption Slot Axis: …
s+2 …
s …
s-1 Time axis: …
173 Coping with Imperfect Coordination
Slot Axis:
s+2
s
s-1
Time axis:
NOW 174 Genesis: Situation not that bad…
If we manage to keep all honest parties somewhat close we’re kind of good.
175 Genesis: Situation not that bad…
If we manage to keep all honest parties somewhat close we’re kind of good.
• Close together: Honest parties’ timestamps are never more than Δ apart (order of network delay). • Small adjustments needed to Ouroboros Genesis to deal with future chains
176 Genesis: Situation not that bad…
If we manage to keep all honest parties somewhat close we’re kind of good.
• Close together: Honest parties’ timestamps are never more than Δ apart (order of network delay). • Small adjustments needed to Ouroboros Genesis to deal with future chains.
→ Same-speed: Initial parties do stay close.
→ Joining parties have a harder life…
177 Genesis: Situation not that bad…
178 Genesis: Situation not that bad… Joining party:
179 Genesis: Situation not that bad… Joining party:
Genesis chain selection rule: - Good prefix is the densest prefix - Genesis rule prefers densest prefix
180 Genesis: Situation not that bad… Joining party:
Genesis chain selection rule: No reliable local time: - Good prefix is the densest prefix - No cut-off possible - Genesis rule prefers densest prefix - No reliable ledger state
181 The Synchronization Problem
• Joining parties: Need to bootstrap a good timestamp • Only source of information: network traffic and genesis block. • Good: Within the Δ-interval of existing honest parties. • From before: Good timestamp → Good state.
• Bootstrapping under the same assumptions. • Same-speed, honest majority, diffusion network, RO • The dynamic availability setting (similar to the Bitcoin setting for fixed difficulty).
182 The Synchronization Problem
• Joining parties: Need to bootstrap a good timestamp • Only source of information: network traffic and genesis block. • Good: Within the Δ-interval of existing honest parties. • From before: Good timestamp → Good state.
• Bootstrapping under the same assumptions. • Same-speed, honest majority, diffusion network, RO • The dynamic availability setting (similar to the Bitcoin setting for fixed difficulty).
This is what Chronos achieves
183 Chronos Overview
184 Chronos Overview
- Alert parties: broadcast time-beacons and leave evidence of beacons in the blockchain.
185 Chronos Overview
- Alert parties: broadcast time-beacons and leave evidence of beacons in the blockchain.
- They perform local-clock adjustments based on the evidence in the chain. - Small adjustments to local clocks at the end of an epoch - Based on the evidence left in the chain.
186 Chronos Overview
- Alert parties: broadcast time-beacons and leave evidence of beacons in the blockchain.
- They perform local-clock adjustments based on the evidence in the chain. - Small adjustments to local clocks at the end of an epoch - Based on the evidence left in the chain.
- Joining parties: Once hooked up on a prefix of the densest chain, record beacons and retrace the evidence. - Perform the very same clock adjustments to compute a good timestamp
187 Chronos Overview
- Alert parties: broadcast time-beacons and leave evidence of beacons in the blockchain.
- They perform local-clock adjustments based on the evidence in the chain. - Small adjustments to local clocks at the end of an epoch - Based on the evidence left in the chain.
- Joining parties: Once hooked up on a prefix of the densest chain, record beacons and retrace the evidence. - Perform the very same clock adjustments to compute a good timestamp
188 Chronos – Sync-Beacons
Epoch E Additional “Timing Lottery” in the first part of the epoch:
- IF 푽푹푭 "SYNC", 풔풆풆풅, 풔풍풐풕 < 푻(풔풕풂풌풆 ) THEN 풔풌풊 풊 Beacon VRF - Broadcast Sync-Beacon: slot Proof
- Normal slot leaders pack transactions + beacons.
189 Chronos Overview
- Alert parties: broadcast time-beacons and leave evidence of beacons in the blockchain.
- They perform local-clock adjustments based on the evidence in the chain. - Small adjustments to local clocks at the end of an epoch - Based on the evidence left in the chain.
- Joining parties: Once hooked up on a prefix of the densest chain, record beacons and retrace the evidence. - Perform the very same clock adjustments to compute a good timestamp
192 Chronos: Synchronization Procedure
- Throughout the epochs: Alice records the arrival times of valid beacons (filter out duplicates, invalid ones etc.) - At the end of each epoch: Compute local clock-adjustment.
B B B B
193 Chronos: Synchronization Procedure
- Throughout the epochs: Alice records the arrival times of valid beacons (filter out duplicates, invalid ones etc.) - At the end of each epoch: Compute local clock-adjustment.
B B B B
- At the end of epoch: for each recorded beacon, do:
Beacon Beacon VRF VRF - RECOM Proof := slot – ARRIVALTIME Proof slot slot
194 Chronos: Synchronization Procedure
B B B B
Adjustment rule:
- At the end of epoch: add the median of recommendations to local time:
B: B: B: B: B: RECOM RECOM RECOM RECOM RECOM sl sl sl sl sl
195 Example
slbob=T-y
Beacon sl
sl := T-x
slalice=T-z
T
196 Example
slbob=T-y
Beacon sl
sl := T-x
slalice=T-z
T T + δ T + δ’
197 Example
slbob=T-y
Beacon sl
sl := T-x
slalice=T-z (T-z + r) + (T-x) - (T-z + δ) = r + (T-x) - δ
T T + δ T + δ’ T + r
198 Example
slbob=T-y r’ + (T-x) – δ’ Beacon sl
sl := T-x
slalice=T-z r’ + (T-x) - δ
T T + δ T + δ’ T + r T + r’
199 Properties of the Synchronization Procedure
T-y T-y Beacon r’ + (T-x) – δ’
Sl
sl := T-x Local Clocks are Δ-close! (because |δ’- δ| ≤ Δ)
T-z r’ + (T-x) - δ
T T + δ T + δ’ T + r T + r’
200 Properties of the Synchronization Procedure
B: B: B: B: B: RECOM RECOM RECOM RECOM RECOM sl sl sl sl sl
Furthermore, by honest-majority assumption: → Median, i.e., adjustment is bounded.
201 Chronos Overview
- Alert parties: broadcast time-beacons and leave evidence of beacons in the blockchain.
- They perform local-clock adjustments based on the evidence in the chain. - Small adjustments to local clocks at the end of an epoch - Based on the evidence left in the chain.
- Joining parties: Once hooked up on a prefix of the densest chain, record beacons and retrace the evidence. - Perform the very same clock adjustments to compute a good timestamp
202 Chronos: Joining Procedure
203 Chronos: Joining Procedure
204 Chronos: Joining Procedure
205 Chronos: Joining Procedure
- Densest chain wins, good prefix.
206 Chronos: Joining Procedure
207 Chronos: Joining Procedure
B: RECOM sl
B: RECOM sl B: RECOM sl
B: RECOM sl
208 Chronos: Joining Procedure
B B
B: RECOM sl
B: RECOM sl B: RECOM sl
B: RECOM sl
209 Chronos: Joining Procedure
Required Beacon Properties: - Fresh information: Only generated after becoming online. - Validated and filtered w.r.t. fresh lottery. - Contained in common prefix.
B B
B: RECOM sl
B: RECOM sl B: RECOM sl
B: RECOM sl
210 Chronos - Summary
B B B B B B B B
- Bootstrapping the local clock is possible thanks to - Agreement on evidence - Freshness of beacons: reasoning as before to get Δ-close
- Clock adjustments of alert parties can be retraced - Stop when computed timestamp is before the next sync-slot.
- Good time-stamp → Good blockchain - Cut-off future blocks and the genesis rule guarantees the rest.
211 Chronos - Summary
B B B B B B B B
- Bootstrapping the local clock is possible thanks to - Agreement on evidence - Freshness of beacons: reasoning as before to get Δ-close
- Clock adjustments of alert parties can be retraced - Stop when computed timestamp is before the next sync-slot.
- Good time-stamp → Good blockchain - Cut-off future blocks and the genesis rule guarantees the rest.
212 Chronos - Summary
B B B B B B B B
- Bootstrapping the local clock is possible thanks to: - Agreement on evidence - Freshness of beacons: reasoning as before to get Δ-close
- Clock adjustments of alert parties can be retraced - Stop when computed timestamp is before the next sync-slot.
- Good time-stamp → Good blockchain - Cut-off future blocks and the genesis rule guarantees the rest.
213 Playing With Ouroboros
Check out the interactive Ouroboros animation:
ouroboros.iohk.io
214 End of the Tutorial – Thank you!
Ouroboros Semi-adaptive adversaries, synchrony “Classic” Strong mathematical framework (Crypto 17)
+ Adaptive Adversaries Ouroboros + Network Delay (“semi-synchronous”) Praos (Eurocrypt 2018)
+ Full dynamic availability Ouroboros + Bootstrapping from Genesis Genesis (CCS 2018)
+ Only based on same-speed assumption. Ouroboros + Bootstrapping state and time from genesis Chronos (In submission, 2019) = PoS blockchain in the DA setting without global clocks. 215 Contact information and credits
Email: [email protected] References: Classic: A. Kiayias, A. Russell, B. David, R. Oliynikov: Ouroboros: A Provably Secure Proof-of- Stake Blockchain Protocol. Crypto 2017 Praos: B. David, P. Gaži, A. Kiayias, A. Russell. Ouroboros Praos: An adaptively-secure, semi-synchronous proof-of-stake protocol. Eurocrypt 2018. Genesis: C. Badertscher, P. Gaži, A. Kiayias, A. Russell, V. Zikas. Ouroboros Genesis: Composable Proof-of-Stake Blockchains with Dynamic Availability. CCS 18. Chronos: C. Badertscher, P. Gaži, A. Kiayias, A. Russell, V. Zikas. Ouroboros Chronos: Permissionless Clock-Synchronization via Proof-of-Stake. ia.cr/2019/838 Crypsinous: T. Kerber, A. Kiayias, M. Kohlweiss, V. Zikas: Ouroboros Crypsinous: Privacy-Preserving Proof-of-Stake. IEEE S&P 2019. O-BFT: A. Kiayias, A. Russell: Ouroboros-BFT: A Simple Byzantine Fault Tolerant Consensus Protocol. ia.cr/2018/1049 ------[BMTZ17]: C. Badertscher, U. Maurer, D. Tschudi, V. Zikas. Bitcoin as a Transaction Ledger: A Composable Treatment. Crypto 17. [GKR18]: P. Gaži, A. Kiayias, A. Russell. Stake-Bleeding Attacks on Proof-of-Stake Blockchains. Crypto Valley Conference 2018. GKL Analysis: J. Garay, A. Kiayias, N. Leonardos: The Bitcoin Backbone Protocol: Analysis and Applications. Eurocrypt 2015. PSs Analysis: R. Pass, L. Seeman, A. Shelat: Analysis of the Blockchain Protocol in Asynchronous Networks. Eurocrypt 2016. Fruitchain: R. Pass, E. Shi: Fruitchains: A Fair Blockchain. PODC 2017
Images: https://openclipart.org/ 216