Ouroboros - LayerX Research

Ouroboros

Ouroboros: A Provably Secure Proof-of-Stake Blockchain Protocol

Aggelos Kiayias, Alexander Russell, Bernardo David, Roman Oliynykov

CRYPTO '17

Assumptions:

(1) the network is synchronous in the sense that an upper bound can be determined during which any honest stakeholder is able to communicate with any other stakeholder

(2) a number of stakeholders drawn from the honest majority is available as needed to participate in each epoch

(3) the stakeholders do not remain offline for long periods of time

(4) semi-adaptive security (corruptions with delay)

Input endorsers (Sec 7.1): Reward mechanism for incentivizing the participants to the system which we prove to be an (approximate) Nash equilibrium. In this way, attacks like block withholding and selfish-mining are mitigated by our design

Similar to fruitchain

Also works for nothing-at-stake attack(?)

Cardano PoS docs

slide by Richard Munson

HN “Forkable strings makes unrealistic assumptions.”

Praos

Ouroboros Praos: An Adaptively-Secure, Semi-synchronous Proof-of-Stake Blockchain

Bernardo David, Peter Gazi, Aggelos Kiayias, Alexander Russell

EUROCRYPTO '18 Slide

Reddit Vitalik and Aggelos's student

chain growth only holds if $ α(1-f)^Δ ≥ (1+ε)/2, for some f, ε between 0 and 1

f is the probability that a hypothetical party controlling all 100% of the stake would be elected leader for a particular slot

Honest majority of stake

Fully-adaptive security

we control the effective power of adaptive adversaries in this setting with a stochastic dominance argument that permits us to carry out the analysis of the underlying blockchain guarantees (e.g., common prefix) with a single distribution that provably dominates all distributions on characteristic strings generated by adaptive adversaries.

Adapt the mechanism of input endorsers from Ouroboros

Leaky resettable beacon implemented by RNG (hash of concat of VRF outputs)

Leakiness: predictability

It leaks to the adversary, up to$ τslots prior to the end of an epoch, the beacon value for the next epoch.

Resettability: biasibility (see 4.6)

The adversary can reset the value returned by the functionality as many as$ rtimes

BABE (Blind Assignment for Blockchain Extension)

Resources

Web3 Foundation WIki

Medium, Video @Web3 Summit 2019

Similar to Ouroboros Praos

Instead of VRF, moving towards VDF (Ref)

Relative time model

See Synchronized clock

Genesis

Ouroboros Genesis: Composable Proof-of-Stake Blockchains with Dynamic Availability

Christian Badertscher, Peter Gazi, Aggelos Kiayias, Alexander Russell, and Vassilis Zikas

ACM CCS '18

Improved Ouroboros Praos that:

provides bootstrapping from genesis block

UC-realizes the Ledger functionality from Bitcoin as a Transaction Ledger

achieves security with dynamic availability

Proof strategy for blockchain security properties is different from Praos (See Appendix E)

The adaptive nature of the above environment’s control makes it impossible to start with a static analysis of the slot-leader selection as done above in Praos.

Replaced the analysis of a sequence of binomially distributed random variables (representing the characteristic string) by considering inter-slot dependence right from the beginning.

This is done via a martingale framework.

Randomness

Assume perfect randomness for slot leader election in characteristic string for a single epoch(E.4)

For randomness updates (E.6),

The grinding effect can be crudely upper-bounded by limiting the number of queries to the random oracle that the adversary makes

Same way with Praos

No checkpointing (by the new chain selection algorithm maxvalid-bg, Fig.10, the proof in 4.4)

Even if the new chain forks before the checkpoint (the$ kth block in the current chain from the head), adopt the chain under this condition:

The new chain grows more quickly in the$ sslots from the last slot which both the new chain and the current chain shares

Vitalik's comment in Reddit

Ouroboros Chronos

Ouroboros Chronos: Permissionless Clock Synchronization via Proof-of-Stake

See Synchronized clock

Privacy-preserving

Proof-of-Stake Protocols for Privacy-Aware Blockchains

Chaya Ganesh, Claudio Orlandi, and Daniel Tschudi (Aarhus University)

EUROCRYP'19

SBC'19 Video Slide

Treats privacy of proof-of-stake consensus independently of the cryptocurrency layer

Assume anonymous channels

Ouroboros Crypsinous: Privacy-Preserving Proof-of-Stake

Thomas Kerber, Markulf Kohlweiss, Aggelos Kiayias, and Vassilis Zikas (The University of Edinburgh and IOHK)

S&P'19

An overall private transaction ledger system

UC treatment

Compared to the above,

No anonymous broadcast, at the cost of leakage on the stake distribution

Others

Introduction To Ouroboros (Medium)

Ouroboros, Snow white, Algorand

Reddit How does Casper compare to Ouroboros? - IOHK Blog

Vitalik allegations against Ouroboros...

Linear Consistency for Proof-of-Stake Blockchains

Erica Blum (University of Maryland, College Park), Aggelos Kiayias, et al.

Slide about Ouroboros, Praos, Forkable string by Kiayias

Ouroboros-BFT: A Simple Byzantine Fault Tolerant Consensus Protocol

See in Chain-based consensus

Economics

Nothing-at-stake

From Ouroboros paper,

However, in the incentive structure of Ouroboros, slot leaders and endorsers who could potentially join an attack would receive rewards in both the main and the adversarial chain, resulting in those stakeholders not achieving higher profits by joining the attack.

Stake-Bleeding Attacks on Proof-of-Stake Blockchains

Peter Gazi, et al.

Q. "Is key-evolving cryptography sufficient to prevent all possible long-range attacks?"

A. No, a new class of long-range attacks against eventual-consensus PoS protocols, called stake-bleeding attacks.

Comment by Nate on Reddit

Why use key-evolving signatures?

#PoS #Layer1