ouroboros praos - eurocrypt · follow-up: ouroboros genesis improved ouroboros praos that: provides...
TRANSCRIPT
![Page 1: OUROBOROS PRAOS - Eurocrypt · Follow-up: Ouroboros Genesis Improved Ouroboros Praos that: provides bootstrapping from genesis block UC-realizes the Ledger functionality from [BMTZ17]](https://reader031.vdocuments.us/reader031/viewer/2022013021/5f155a10fdabdb63057afc9b/html5/thumbnails/1.jpg)
OUROBOROS PRAOS: AN ADAPTIVELY-SECURE, SEMI-SYNCHRONOUS PROOF-OF-STAKE BLOCKCHAIN
Eurocrypt 2018
Bernardo David (Tokyo Tech & IOHK), Peter Gaži (IOHK), Aggelos Kiayias (U. Edinburgh & IOHK), Alexander Russell (U. Connecticut)
Roadmap
● Proof-of-work vs. Proof-of-stake blockchains
● Ouroboros Praos
● Protocol Description
● Security Analysis
The problem Bitcoin solves
● Allows a collection of parties to agree on a dynamic, common sequence of transactions—a ledger.
● persistence: past transactions in ledger are immutable
● liveness: new transactions are eventually included
● parties may arise and disappear
● some parties may seek to disrupt the system
Bitcoin as a leader election process, proof of work
● parties compete for the right to extend the chain
● winning certificate: a PoW solution
● Pr[success] proportional to computing power
Bitcoin: Laudatory remarks
● Simple
● neatly solves a challenge: consensus with a fluid population of participants
● Sidesteps previous impossibility results, thanks to a new assumption (honest majority of computing power)
● Amenable to formal analysis [GKL15, PSS17, BMTZ17]
Bitcoin: Criticism
● relies on an ongoing computational race
● power consumption estimates: on the order of GWs, and almost tripled in the 6 months before the talk
● Attack cost is proportional to the energy spent during the attack period.
Challenge: Replace “proof-of-work” with alternate resource lottery
● other physical resources, with different properties: disk space, useful computation/storage, ...
● a virtual resource: the coin itself ⇒ Proof of Stake
Proof of Stake: stake-based lottery
● blockchain tracks ownership of coins among parties
● Idea: participants elected proportionally to stake
⇒ no need for physical resources
● hard to implement securely
Previous proof-of-stake solutions with rigorous guarantees
Eventual (Nakamoto-style) consensus:
● Ouroboros [KRDO16]
● Snow White [DPS16]
Blockwise Byzantine agreement:
● Algorand [CM16]
Ouroboros
Provably guarantees
● persistence: stable transactions are immutable
● liveness: new transactions are included eventually
if
● the adversary has minority stake throughout
● the adversary is subject to a corruption delay
● communication is synchronous
Ouroboros Praos
Provably guarantees
● persistence: stable transactions are immutable
● liveness: new transactions are included eventually
if
● the adversary has minority stake throughout
● no corruption delay is required: corruptions may be fully adaptive
● communication only needs to be semi-synchronous
Ouroboros Praos in a Nutshell
First eventual-consensus PoS secure
● in a semi-synchronous communication model
● despite fully adaptive corruptions
via
● local, private leader selection
● forward-secure signatures
● blockchain hashing for randomness (scalability!)
Ouroboros Praos: Protocol Description
Communication Model
● assume synchronized clocks
● time divided into slots
● honest messages may be adversarially delayed by at most a fixed number of slots; this delay bound is unknown to the protocol
● the adversary may send arbitrary messages to arbitrary subsets of parties, arriving at arbitrary times
Ouroboros Praos: Protocol overview
● time divided into consecutive, disjoint slots
● at most one block per slot in any chain
● epoch: sequence of R slots
● slot leader: a player allowed to create a block in that slot
  ● selected with probability proportional to his/her stake
  ● independently for each slot and each player ⇒ empty slots and multi-leader slots occur
● stake distribution used for leader selection: snapshot from the last block 2 epochs ago
● randomness used for leader selection: hash of values in a prefix of the previous epoch
Hashing for epoch randomness
Verifiable Random Functions:
● Evaluate_sk(input) = (output, proof)
● Verify_pk(input, output, proof) = 0/1
● the output is unique and pseudorandom
● every leader inserts a separate VRF (value, proof) pair into its block
● the hash of the VRF values from the initial ⅔ of the epoch gives the randomness for the whole next epoch
[Figure: block contents H(prev), Slot #, Txs, VRF output, VRF proof, all under the leader's signature sig_Li(...); next-epoch randomness = H(VRF output_1 || VRF output_2 || ...)]
Single-epoch setting
Focus on one epoch of length R:
● static stake distribution
● ideal randomness
Leader selection: local, private
Verifiable Random Functions:
● Evaluate_sk(input) = (output, proof)
● Verify_pk(input, output, proof) = 0/1
Leader selection lottery for stakeholder U_i:
● U_i leads the slot iff the VRF output Evaluate_sk(rnd, slot), read as a number, is below a threshold that is a function of stake_i
● the (output, proof) pair is included in the block, so anyone can verify eligibility
● a similar idea appeared previously in NXT and Algorand
● needs unpredictability under malicious key generation
● UC functionality + efficient realization from CDH + RO
Leader selection: choice of the threshold function
[Figure: plot of the threshold as a function of relative stake α ∈ [0,1], for a parameter f ∈ [0,1]]
● the ratio of non-empty slots f is a protocol parameter
● slightly sublinear growth in the stake α
● maintains “independent aggregation”: a stakeholder's chance of leading a slot is the same whether the stake is held as one coin or split across several
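The slides only plot the threshold; the closed form used below, φ_f(α) = 1 − (1 − f)^α, is the one from the Ouroboros Praos paper linked at the end of the deck. The following Python is an added example (not code from the talk or from any Ouroboros implementation) that checks the three properties the slide lists: φ(1) = f, sublinear growth, and independent aggregation, and shows why f is exactly the expected ratio of non-empty slots: with stakes summing to 1, Pr[some leader] = 1 − ∏(1 − φ(α_i)) = 1 − (1 − f)^{Σα_i} = f, whatever the split. The stake distribution and the uniform draws that stand in for VRF outputs are constructed; a real VRF output would be scaled to [0, 1) and compared the same way.

```python
import math
import random


def phi(alpha: float, f: float) -> float:
    """Threshold function phi_f(alpha) = 1 - (1 - f)^alpha (from the Praos paper).

    alpha: relative stake in [0, 1]; f: protocol parameter, the expected ratio
    of non-empty slots.  A party leads a slot iff its VRF output (as a number
    in [0, 1)) is below phi(alpha, f).
    """
    if not (0.0 <= alpha <= 1.0) or not (0.0 <= f < 1.0):
        raise ValueError("alpha must lie in [0, 1] and f in [0, 1)")
    return 1.0 - (1.0 - f) ** alpha


def independent_aggregation_holds(a1: float, a2: float, f: float, tol: float = 1e-12) -> bool:
    """phi(a1 + a2) == 1 - (1 - phi(a1)) * (1 - phi(a2)).

    Two coins of stake a1 and a2 drawn independently have at least one winner
    with exactly the probability of one coin of stake a1 + a2, so splitting or
    merging stake never changes the chance to lead a slot.
    """
    lhs = phi(a1 + a2, f)
    rhs = 1.0 - (1.0 - phi(a1, f)) * (1.0 - phi(a2, f))
    return abs(lhs - rhs) < tol


def growth_is_sublinear(alpha: float, f: float) -> bool:
    """'Slightly sublinear growth': doubling the stake less than doubles phi."""
    return phi(2 * alpha, f) <= 2 * phi(alpha, f)


def slot_nonempty_probability(stakes, f: float) -> float:
    """Pr[at least one leader] when every stakeholder draws independently.

    For stakes summing to 1 the product telescopes to (1 - f)^1, so the
    result is f regardless of how the stake is distributed.
    """
    p_empty = 1.0
    for a in stakes:
        p_empty *= 1.0 - phi(a, f)
    return 1.0 - p_empty


def simulate_epoch(stakes, f: float, slots: int, seed: int = 1) -> dict:
    """Monte-Carlo lottery over `slots` slots.

    rng.random() is a constructed stand-in for each party's VRF output scaled
    to [0, 1); it is not a VRF and gives no verifiability, only the statistics.
    """
    rng = random.Random(seed)
    empty = multi = 0
    for _ in range(slots):
        leaders = sum(1 for a in stakes if rng.random() < phi(a, f))
        if leaders == 0:
            empty += 1
        elif leaders > 1:
            multi += 1
    return {"empty": empty, "multi_leader": multi, "nonempty_ratio": 1.0 - empty / slots}


if __name__ == "__main__":
    F = 0.05                          # constructed protocol parameter
    stakes = [0.4, 0.3, 0.2, 0.1]     # constructed stake distribution, sums to 1
    print("phi(1, f) == f:", math.isclose(phi(1.0, F), F))
    print("independent aggregation:", independent_aggregation_holds(0.3, 0.2, F))
    print("sublinear:", growth_is_sublinear(0.25, F))
    print("Pr[non-empty slot]:", slot_nonempty_probability(stakes, F))
    print(simulate_epoch(stakes, F, slots=40_000))
```

Note that φ(α)/α decreases in α, so a small coin has a slightly better per-unit chance than a large one, yet by independent aggregation a holder gains nothing by splitting: the union of the small coins' events has exactly the merged coin's probability. Empty slots and multi-leader slots in the simulation are the ones the overview slide mentions; the non-empty ratio concentrates around f.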
Block signing: Key-evolving signatures
KES are signature schemes where:
● pk remains the same
● sk is updated in every step, and the old sk is erased
● a key obtained at a later step cannot forge signatures for earlier steps
● used for signing blocks
● helps achieve adaptive security
● UC functionality + realization
[Figure: block contents H(prev), Slot #, Txs, ... under the leader's KES signature sig_Li(...)]
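The slide states the KES property abstractly. The Python below is an added example, not the scheme used in the Praos paper or in any Ouroboros implementation: it builds the classic Merkle-tree construction (one Lamport one-time key per period, long-term pk = Merkle root, stdlib SHA-256 and `secrets` only) and demonstrates exactly the property the slide lists. After `update()` erases the period-0 secret, an attacker who steals the whole signer state at period 1 and relabels a period-1 signature as period 0 (with the correct, public authentication path for leaf 0) fails verification. One signature per period matches "at most one block per slot"; the messages and the eight-period key are constructed.

```python
import hashlib
import secrets

N_BITS = 256  # Lamport keys sign a SHA-256 digest bit by bit


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def lamport_keygen():
    """One-time key: 256 pairs of secrets; pk = the hashes of the secrets."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(N_BITS)]


def lamport_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == N_BITS and all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(msg)))


def leaf(pk) -> bytes:
    return H(*[h for pair in pk for h in pair])


def auth_path(levels, idx: int):
    """Sibling hashes from leaf idx up to (excluding) the root: public data."""
    path = []
    for level in levels[:-1]:
        path.append(level[idx ^ 1])
        idx >>= 1
    return path


class KES:
    """Key-evolving signer: one Lamport key per period under a single Merkle root."""

    def __init__(self, periods: int):
        if periods <= 0 or periods & (periods - 1):
            raise ValueError("periods must be a power of two")
        self.periods, self.period = periods, 0
        self._sks, leaves = [], []            # secrets become None once evolved past
        for _ in range(periods):
            sk, pk = lamport_keygen()
            self._sks.append(sk)
            leaves.append(leaf(pk))
        self.levels = [leaves]
        while len(self.levels[-1]) > 1:
            prev = self.levels[-1]
            self.levels.append([H(prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
        self.pk = self.levels[-1][0]          # long-term public key, never changes

    def sign(self, msg: bytes):
        """Sign with the current period's one-time key (use it once per period)."""
        if self.period >= self.periods:
            raise RuntimeError("key exhausted")
        sk = self._sks[self.period]
        pk = [(H(s0), H(s1)) for s0, s1 in sk]
        return (self.period, lamport_sign(sk, msg), pk, auth_path(self.levels, self.period))

    def update(self) -> None:
        """Evolve: erase the current period's secret, move on to the next period."""
        self._sks[self.period] = None
        self.period += 1

    def secret_erased(self, t: int) -> bool:
        return self._sks[t] is None


def kes_verify(root: bytes, msg: bytes, sig, periods: int) -> bool:
    t, ots_sig, ots_pk, path = sig
    if not (0 <= t < periods) or len(path) != periods.bit_length() - 1:
        return False
    if not lamport_verify(ots_pk, msg, ots_sig):
        return False
    node, idx = leaf(ots_pk), t               # the period fixes the leaf position
    for sibling in path:
        node = H(sibling, node) if idx & 1 else H(node, sibling)
        idx >>= 1
    return node == root


def demo(periods: int = 8) -> dict:
    """Sign in period 0, evolve, sign in period 1, then forge from stolen state."""
    kes = KES(periods)
    root = kes.pk
    m0, m1 = b"block for slot 0", b"block for slot 1"   # constructed messages
    sig0 = kes.sign(m0)
    kes.update()
    sig1 = kes.sign(m1)
    # Attacker steals the signer now: only secrets for periods >= 1 remain.
    # Best effort: reuse the stolen period-1 OTS key, relabel it as period 0
    # and attach the correct (public) authentication path for leaf 0.
    forged = (0, sig1[1], sig1[2], auth_path(kes.levels, 0))
    return {
        "period0_valid": kes_verify(root, m0, sig0, periods),
        "period1_valid": kes_verify(root, m1, sig1, periods),
        "period0_secret_erased": kes.secret_erased(0),
        "forgery_for_period0_valid": kes_verify(root, m1, forged, periods),
        "wrong_message_valid": kes_verify(root, m1, sig0, periods),
    }


if __name__ == "__main__":
    print(demo())
```

The forgery fails because the period index is bound into the Merkle position: the compromised key's leaf hashes to a different root when placed at index 0, and the only secret that would verify there was erased by `update()`. This toy scheme is stateful and one-time per period, which is why a signer must never sign twice in a period and must persist its period counter across restarts.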
Validity of a chain
A valid blockchain in the single-epoch setting:
● strictly increasing slot numbers
● each block contains:
  ● a correct VRF pair proving eligibility
  ● a correct VRF pair for randomness derivation
  ● a KES signature by the eligible leader
[Figure: a chain of blocks laid out over slots 1 to 7]
The Protocol (single epoch)
For each slot:
● Collect all transactions.
● Collect all broadcast blockchains; discard the invalid ones and keep the longest valid one, C.
● If leader in this slot, append a new block holding the collected transactions that are consistent with C to the end of C, sign it with the KES key, and broadcast the result.
Ouroboros Praos: Security Analysis
Proven Guarantees
✓ Common Prefix (k): for any 2 chains possessed by 2 honest parties, one is a prefix of the other once at most the k last blocks are removed.
✓ Chain Growth (s, ): over any sequence of s slots, any chain possessed by an honest party grows by at least a fixed fraction (the second parameter) of s blocks.
✓ Chain Quality (k): any chain possessed by an honest party contains an honest block among its last k blocks.
These are known to imply what we want:
✓ Persistence
✓ Liveness
Proof Outline
1. CP, CG, CQ in the single-epoch setting with static corruption
2. Adaptive adversaries: dominated by a “greedy” static adversary
3. Lifting to multiple epochs: security of the (stake distribution, randomness)-update mechanism
1. Single-epoch, static CP, CG, CQ
Unlike a Bitcoin adversary, our adversary:
● knows which slots he controls ahead of time
● can generate multiple blocks per slot for free
This additional power can be contained:
● extension of the blockchain calculus from [KRDO17]
● here: only CP is treated
Characteristic strings and forks
In a fixed execution...
● characteristic string: describes the leader assignment of every slot
● fork: a tree that captures all constructed chains
● one characteristic string admits many forks
● some forks are bad (they create a large CP violation)
Characteristic strings and forks
In the random experiment...
● the symbols of the characteristic string are i.i.d.
● Goal: w.h.p. we get a characteristic string that admits no bad forks
Reduction to synchronous case
Synchronous case [KRDO17]:
● synchronous forks (a special case)
● no empty slots (no ⊥ symbol)
Reduction mapping ρ(w): {0,1,⊥}* → {0,1}*
● results in an “almost” binomial distribution
● preserves CP violations!
Bounding synchronous CP
Theorem from [KRDO17, RMKQ17]: Draw w = w_1 … w_n from the binomial distribution with parameter (1 − )/2 (adversarial symbols strictly less likely than 1/2). Then
Pr[k-CP violation] ≤ n · e^{−Ω(k)}.
Proof: martingale argument
2. Adaptive adversaries
● consider leadership elections for individual coins: equivalent thanks to “independent aggregation”
● let the adversary corrupt individual coins: more powerful than before
● yet-uncorrupted coins are indistinguishable, thanks to key-evolving signatures
● a “greedy” static adversary dominates any adaptive one
3. Lifting to multiple epochs
● stake distribution: snapshot from the last block 2 epochs ago
● randomness: hash H(· || · || ...) of the VRF values in the first ⅔ of the previous epoch
● CG + CP: the stake distribution stabilizes
● CG + CQ: an honest block affects the randomness
● CG + CP: the randomness stabilizes
● some “grinding” is still possible: a small number of “resamplings”, insufficient to boost exponentially small error probabilities
Follow-up: Ouroboros Genesis
Improved Ouroboros Praos that:
● provides bootstrapping from genesis block
● UC-realizes the Ledger functionality from [BMTZ17]
● achieves security with dynamic availability
[Badertscher, Gaži, Kiayias, Russell, Zikas’18]
Thank you for your attention!
● Ouroboros: [Crypto’17]
https://eprint.iacr.org/2016/889
● Ouroboros Praos: [Eurocrypt’18]
https://eprint.iacr.org/2017/573
● Ouroboros Genesis:
https://eprint.iacr.org/2018/378