Ouroboros
Ouroboros
Aggelos Kiayias, Alexander Russell, Bernardo David, Roman Oliynykov
CRYPTO '17
Assumptions:
(1) the network is synchronous in the sense that an upper bound can be determined during which any honest stakeholder is able to communicate with any other stakeholder
(2) a number of stakeholders drawn from the honest majority is available as needed to participate in each epoch
(3) the stakeholders do not remain offline for long periods of time
(4) semi-adaptive security (corruptions with delay)
Input endorsers (Sec 7.1): Reward mechanism for incentivizing the participants to the system which we prove to be an (approximate) Nash equilibrium. In this way, attacks like block withholding and selfish-mining are mitigated by our design
Similar to fruitchain
Also works for nothing-at-stake attack(?)
Praos
Bernardo David, Peter Gazi, Aggelos Kiayias, Alexander Russell
chain growth only holds if $\alpha(1-f)^{\Delta} \geq (1+\varepsilon)/2$, for some $f, \varepsilon$ between 0 and 1
f is the probability that a hypothetical party controlling all 100% of the stake would be elected leader for a particular slot
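To make the two quantities above concrete, here is an added worked example (not code from the Praos paper or from any Ouroboros implementation). It uses the Praos slot-leader probability $\phi_f(s) = 1-(1-f)^s$ for a party holding stake fraction $s$, which gives exactly $f$ for $s = 1$ as stated above, and checks the chain growth condition $\alpha(1-f)^{\Delta} \geq (1+\varepsilon)/2$ for constructed parameter values. The function names `phi`, `chain_growth_condition_holds` and `max_epsilon` are this example's own, and $\alpha$ is taken to mean the honest stake fraction.

```python
# Added example: Praos slot-leader probability and the chain growth condition.
# phi_f(s) is the Praos leader-election probability; the rest is constructed
# for illustration and is not the paper's own code.

def phi(f: float, s: float) -> float:
    """Probability that a party with stake fraction s leads a given slot."""
    return 1.0 - (1.0 - f) ** s

def independent_aggregation(f: float, s1: float, s2: float) -> bool:
    """phi_f is 'independently aggregatable': two parties of stake s1 and s2
    are as likely to elect at least one leader as one party of stake s1+s2.
    Returns True when that identity holds up to floating-point error."""
    split = 1.0 - (1.0 - phi(f, s1)) * (1.0 - phi(f, s2))
    return abs(split - phi(f, s1 + s2)) < 1e-12

def chain_growth_condition_holds(alpha: float, f: float, delta: int, eps: float) -> bool:
    """Praos chain growth condition: alpha * (1-f)^delta >= (1+eps)/2,
    where alpha is the honest stake fraction and delta the network delay."""
    return alpha * (1.0 - f) ** delta >= (1.0 + eps) / 2.0

def max_epsilon(alpha: float, f: float, delta: int) -> float:
    """Largest eps for which the condition holds (negative means no eps works,
    i.e. the honest stake is not dominant enough for this f and delta)."""
    return 2.0 * alpha * (1.0 - f) ** delta - 1.0

if __name__ == "__main__":
    # Constructed parameters: 70% honest stake, f = 0.05, delay of 5 slots.
    alpha, f, delta = 0.7, 0.05, 5
    print("phi_f(1) =", phi(f, 1))                       # equals f
    print("max eps  =", max_epsilon(alpha, f, delta))    # ~0.083
    print("holds for eps=0.05:", chain_growth_condition_holds(alpha, f, delta, 0.05))
    print("holds for eps=0.10:", chain_growth_condition_holds(alpha, f, delta, 0.10))
```

Raising $f$ or $\Delta$ shrinks the admissible $\varepsilon$, which is the practical reason the parameters of a Praos deployment have to be chosen against the worst-case network delay rather than the average one.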
Honest majority of stake
Fully-adaptive security
we control the effective power of adaptive adversaries in this setting with a stochastic dominance argument that permits us to carry out the analysis of the underlying blockchain guarantees (e.g., common prefix) with a single distribution that provably dominates all distributions on characteristic strings generated by adaptive adversaries.
Adapt the mechanism of input endorsers from Ouroboros
Leaky resettable beacon implemented by RNG (hash of concat of VRF outputs)
Leakiness: predictability
It leaks to the adversary, up to $\tau$ slots prior to the end of an epoch, the beacon value for the next epoch.
Resettability: biasibility (see 4.6)
The adversary can reset the value returned by the functionality as many as $r$ times
BABE (Blind Assignment for Blockchain Extension)
Resources
Similar to Ouroboros Praos
Instead of a VRF, moving towards a VDF (Ref); relative time model
Genesis
Christian Badertscher, Peter Gazi, Aggelos Kiayias, Alexander Russell, and Vassilis Zikas
ACM CCS '18
Improved Ouroboros Praos that:
provides bootstrapping from genesis block
achieves security with dynamic availability
Proof strategy for blockchain security properties is different from Praos (See Appendix E)
The adaptive nature of the above environment’s control makes it impossible to start with a static analysis of the slot-leader selection as done above in Praos.
Replaced the analysis of a sequence of binomially distributed random variables (representing the characteristic string) by considering inter-slot dependence right from the beginning.
This is done via a martingale framework.
Randomness
Assume perfect randomness for slot leader election in the characteristic string for a single epoch (E.4)
For randomness updates (E.6),
The grinding effect can be crudely upper-bounded by limiting the number of queries to the random oracle that the adversary makes
Same way with Praos
No checkpointing (by the new chain selection algorithm maxvalid-bg, Fig.10, the proof in 4.4)
Even if the new chain forks before the checkpoint (the $k$th block in the current chain from the head), adopt the chain under this condition:
The new chain grows more quickly in the $s$ slots from the last slot which both the new chain and the current chain share
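The rule above is easy to get wrong in the deep-fork branch, so here is an added example (not the Genesis paper's own code) of the maxvalid-bg chain selection as described in Fig. 10: a candidate forking within the last $k$ blocks is judged by length, a candidate forking deeper is judged by how many blocks it has in the $s$ slots after the last common block. Chains are constructed lists of `(slot, id)` blocks sharing a genesis block; block validity checking, which the real rule performs first, is assumed to have already happened. All names and the sample chains are this example's own.

```python
# Added example: maxvalid-bg chain selection (Ouroboros Genesis, Fig. 10).
# Constructed chains; not the paper's code.
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Block:
    slot: int     # slot the block was created in; genesis is slot 0
    ident: str    # constructed label, stands in for a block hash

Chain = List[Block]

def common_prefix_len(a: Chain, b: Chain) -> int:
    """Number of leading blocks the two chains share (>= 1: common genesis)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def blocks_up_to_slot(chain: Chain, slot: int) -> int:
    """How many blocks of the chain were created in slots <= slot."""
    return sum(1 for blk in chain if blk.slot <= slot)

def maxvalid_bg(c_loc: Chain, candidates: List[Chain], k: int, s: int) -> Chain:
    """Return the chain to adopt given the local chain and candidate chains."""
    c_max = c_loc
    for c_i in candidates:
        lcp = common_prefix_len(c_max, c_i)
        if len(c_max) - lcp <= k:
            # Fork is within the last k blocks: plain longest-chain rule.
            if len(c_i) > len(c_max):
                c_max = c_i
        else:
            # Deep fork: compare growth in the s slots after the last common block.
            j = c_max[lcp - 1].slot
            if blocks_up_to_slot(c_i, j + s) > blocks_up_to_slot(c_max, j + s):
                c_max = c_i
    return c_max

def build_chain(prefix: Chain, slots: List[int], tag: str) -> Chain:
    return prefix + [Block(sl, f"{tag}-{sl}") for sl in slots]

# Constructed sample chains (slots chosen by hand for illustration).
GENESIS = [Block(0, "genesis")]
COMMON = build_chain(GENESIS, [1, 2], "c")                 # slots 0,1,2 shared
LOCAL = build_chain(COMMON, [4, 6, 8, 10, 12, 14], "a")    # 9 blocks, sparse after fork
DENSE = build_chain(COMMON, [3, 4, 5], "b")                # 6 blocks, dense after fork
LONGER = build_chain(LOCAL[:-2], [11, 13, 15], "d")        # forks 2 blocks deep, 10 blocks
SHORTER = build_chain(LOCAL[:-2], [11], "e")               # forks 2 blocks deep, 8 blocks

if __name__ == "__main__":
    k, s = 3, 3
    # Deep fork: DENSE is shorter overall but has 6 blocks up to slot 5 vs 4 for LOCAL.
    print("deep fork  ->", maxvalid_bg(LOCAL, [DENSE], k, s)[-1].ident)     # b-5
    print("short+long ->", maxvalid_bg(LOCAL, [LONGER], k, s)[-1].ident)    # d-15
    print("short+short->", maxvalid_bg(LOCAL, [SHORTER], k, s)[-1].ident)   # a-14
```

The deep-fork case is the one a plain longest-chain rule gets wrong: `LOCAL` has more blocks in total, but `DENSE` out-grew it in the $s$ slots right after the fork, which under honest-majority participation is the signature of the chain the honest parties were actually extending at that time. This is what lets a node joining from genesis pick the right history without a trusted checkpoint.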
Ouroboros Chronos
Privacy-preserving
Chaya Ganesh, Claudio Orlandi, and Daniel Tschudi (Aarhus University)
EUROCRYPT '19
Treats privacy of proof-of-stake consensus independently of the cryptocurrency layer
Assume anonymous channels
Thomas Kerber, Markulf Kohlweiss, Aggelos Kiayias, and Vassilis Zikas (The University of Edinburgh and IOHK)
S&P'19
An overall private transaction ledger system
UC treatment
Compared to the above,
No anonymous broadcast, at the cost of leakage on the stake distribution
Others
Erica Blum (University of Maryland, College Park), Aggelos Kiayias, et al.
Economics
Nothing-at-stake
From the Ouroboros paper,
However, in the incentive structure of Ouroboros, slot leaders and endorsers who could potentially join an attack would receive rewards in both the main and the adversarial chain, resulting in those stakeholders not achieving higher profits by joining the attack.
Peter Gazi, et al.
Q. "Is key-evolving cryptography sufficient to prevent all possible long-range attacks?"
A. No; the paper introduces a new class of long-range attacks against eventual-consensus PoS protocols, called stake-bleeding attacks.