Aayush Naik
Mahtab Sandhu
1. Introduction
2. Proof-of-Stake
3. Ouroboros
5. Ouroboros Praos
6. Security Analysis
1
Introduction
Overview
• What is proof-of-stake?
• A simple solution
• A simple solution - with a major problem
• Ouroboros
• The Blockchain Goal
• Ouroboros Praos
2
Why Proof-of-Stake?
• Proof-of-Work is wasteful
• Stake is a good indicator of commitment and interest in the
system
3
Proof-of-Stake
Proof-of-Stake
4
A Simple Solution
5
A Simple Solution - Randomness in Blockchain
6
A Simple Solution - A Major Problem
7
Ouroboros
Communication Model
8
Protocol Overview
9
Static Analysis
$$\Pr[L_i = U] = \frac{\text{Stake of } U}{\text{Total Stake}}$$
• Leader schedule is public at start of epoch
10
Static Analysis - Valid Blockchain
11
Leader Selection
12
What the Adversary can do
13
The Blockchain Goal
Persistence
14
Liveness
15
Three Equivalent Elementary Properties
16
Three Equivalent Elementary Properties
17
Ouroboros Praos
Stronger Assumptions
18
Local, Private Leader Selection using VRFs
19
Local, Private Leader Selection using VRFs
where rnd is the randomness generated for that epoch, slot is the
slot number and $\phi$ is a sublinear function of the stake. The VRF is
designed such that the adversary can't generate keys that give an
unfair advantage. The probability with which stakeholder $U_i$ is
selected is
$$p_i = \phi(\alpha_i) = 1 - (1 - f)^{\alpha_i}$$
where $\alpha_i$ is the relative stake of $U_i$ and $f$ is a parameter of the protocol.
Note that a slot may have no leader, or more than one leader.
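An added example (not from the original slides) of the local leader check and the selection probability above: each stakeholder compares a keyed-hash output with ϕ(α), and the script reports how often a slot has no leader, one leader or several. HMAC-SHA256 stands in for the VRF, and the keys, epoch nonce and f = 0.2 are constructed values.

```python
import hashlib
import hmac
from collections import Counter

F = 0.2  # active slots coefficient f (constructed value)

def phi(alpha, f=F):
    """Leader probability for relative stake alpha: 1 - (1 - f)**alpha."""
    return 1.0 - (1.0 - f) ** alpha

def vrf_stand_in(sk, rnd, slot):
    """Keyed hash mapped to [0, 1). Stand-in only: a real VRF also outputs a
    proof that others verify against the stakeholder's public key."""
    msg = rnd + slot.to_bytes(8, "big")
    digest = hmac.new(sk, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") / 2 ** 256

def is_leader(sk, alpha, rnd, slot, f=F):
    """Local, private check: only the key holder can evaluate it."""
    return vrf_stand_in(sk, rnd, slot) < phi(alpha, f)

def slot_distribution(stakes, f=F):
    """Analytic P(no leader), P(exactly one), P(more than one) per slot."""
    p = [phi(a, f) for a in stakes]
    none = 1.0
    for q in p:
        none *= 1.0 - q
    one = sum(q * none / (1.0 - q) for q in p)
    return none, one, 1.0 - none - one

def simulate(stakeholders, rnd, n_slots, f=F):
    """Count leaders per slot; stakeholders is a list of (sk, alpha)."""
    counts = Counter()
    for slot in range(n_slots):
        k = sum(is_leader(sk, a, rnd, slot, f) for sk, a in stakeholders)
        counts[min(k, 2)] += 1
    return [counts[i] / n_slots for i in range(3)]

# Constructed sample: three stakeholders and an epoch nonce.
STAKEHOLDERS = [(b"key-U1", 0.5), (b"key-U2", 0.3), (b"key-U3", 0.2)]
RND = b"epoch-7-nonce"

if __name__ == "__main__":
    print("analytic ", slot_distribution([a for _, a in STAKEHOLDERS]))
    print("simulated", simulate(STAKEHOLDERS, RND, 20000))
    # Splitting 0.5 into 0.2 + 0.3 leaves the chance of leading unchanged.
    print(phi(0.5), 1 - (1 - phi(0.2)) * (1 - phi(0.3)))
```

With all stake participating, the probability of an empty slot is exactly 1 − f, and because 1 − ϕ(α₁ + α₂) = (1 − ϕ(α₁))(1 − ϕ(α₂)), splitting stake across several keys does not change the chance of leading a slot.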
20
Key Evolving Signature
21
Hashing for Dirty Randomness - Solving Rejection Sampling
Recall the simple solution proposed in the beginning. Using the two
primitives above, we can use that solution without the adversary
being able to do rejection sampling. Every block contains an
additional VRF-value from the leader. The block or blockchain can
then be hashed to provide randomness for the next epoch. We don’t
need to do any multi-party computation for randomness anymore.
22
Security Analysis
Definitions
23
Definitions
24
Definitions
We denote by $D^{f}_{Z,A}$ the distribution of the random variable
$w = w_1 \ldots w_R$ with the active slots coefficient $f$, adversary $A$ and
environment $Z$.
25
Definitions
26
Delta Fork
27
Definitions
28
Semisynchronous to Synchronous Reduction
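$$\rho_\Delta(1 \,\|\, w') = 1 \,\|\, \rho_\Delta(w'),$$
$$\rho_\Delta(0 \,\|\, w') = \begin{cases} 0 \,\|\, \rho_\Delta(w') & \text{if } w' \in \bot^{\Delta-1} \,\|\, \{0, 1, \bot\}^*, \\ 0 \,\|\, \rho_\Delta(w') & \text{otherwise.} \end{cases}$$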
29
A Simple Fork
30
Conclusion
31
Experiment Results - Ouroboros
32
Thank You!
32