Aggelos Kiayias∗ Alexander Russell† Bernardo David‡ Roman Oliynykov§

Abstract

We present Ouroboros, the first blockchain protocol based on proof of stake (PoS) with rigorous security guarantees. It provides security properties comparable to those of the Bitcoin protocol. Because the protocol realizes a "proof of stake" blockchain rule, it has a qualitative efficiency advantage over blockchains based on proof of physical resources, such as proof of work. We also propose a novel reward mechanism for incentivizing PoS protocols and show that, given this mechanism, honest behavior is an approximate Nash equilibrium, thus neutralizing selfish-mining attacks. Finally, we present experimental results on transaction confirmation and processing as prima facie evidence that the Ouroboros protocol can be deployed in a real-world environment.

1 Introduction

The primary concern about the operation of proof-of-work (PoW) based blockchain protocols such as Bitcoin [30] is the energy required to execute them. At the time of this writing, over 2^60 hashes are required to produce a block on Bitcoin, and computing them consumes a great deal of energy. Indeed, early calculations estimated that the Bitcoin PoW protocol consumed as much energy as a small country [32].

This situation has prompted research into alternative blockchain protocols that avoid the energy wasted by proof of work, replacing it with a more energy-efficient mechanism that offers the same security guarantees. It is important to note that Bitcoin's proof-of-work mechanism implements a randomized "leader election" process in which one of the miners is elected to produce a block. Moreover, if all miners follow the protocol, the election is random with probability proportional to each miner's computational power. (Deviations from the protocol, such as "selfish mining", can undermine this proportionality.)

A natural alternative mechanism relies on the concept of "proof of stake (PoS)": instead of miners investing computational resources in order to take part in the leader election, they run a process that randomly elects one of them as leader, with probability proportional to the stake each miner holds according to the ledger recorded in the current blockchain.

In effect, this creates a self-referential blockchain rule: it is up to the stakeholders themselves to maintain the blockchain, with their work scheduled (and rewarded) according to the amount of stake they own in the ledger. Beyond that, the rule should require no further "artificial" computational effort from stakeholders. In one sense this sounds ideal; however, implementing such a proof-of-stake protocol involves many definitional, technical, and analytical challenges.

Previous work

The concept of PoS has been widely discussed on the Bitcoin forums. Bentov et al. studied PoS-based blockchain design more formally, both in combination with PoW [5] and as the sole mechanism of a blockchain protocol [4]. Although Bentov et al. show that their protocols are secure against certain classes of attacks, they provide neither a formal model for analyzing the security of PoS-based protocols nor security proofs relying on precise definitions. Some cryptocurrencies have proposed (and implemented) tentative PoS-based blockchain protocols. Being based on tentative security arguments, these cryptocurrencies have often been found wanting from a security perspective; [4] discusses a variety of attacks.

It is also interesting to compare PoS-based blockchain protocols with classical blockchain consensus, which relies on a fixed set of participants (see [17]). The difference between PoS-based blockchains and those that assume a static set of participants is that stake changes over time, so the trust assumption evolves as the system runs.

Another alternative to PoW is the concept of proof of space [2, 20], which has been studied specifically in the context of blockchain protocols [33]. In a proof-of-space setting, a "prover" wants to demonstrate the use of space (storage/memory); as in PoW, a physical resource is spent, but the energy requirement decreases over time. A related concept is proof of space-time (PoST) [28]. However, these still require substantial amounts of an expensive physical resource (storage or computational power).

Challenges of PoS design

One of the most fundamental problems of a PoS-based blockchain protocol is simulating the leader election process. To achieve a truly random election among stakeholders, entropy must be introduced into the system, but the mechanism that introduces entropy can easily be manipulated by an adversary. For example, an adversary controlling a set of stakeholders may attempt to simulate the execution of the protocol, trying different orderings of stakeholder participants in order to find a continuation of the chain that favors the adversarial stakeholders. This leads to an Achilles' heel known as "grinding", where adversarial participants may use computational resources to bias the leader election.

Our results

Ouroboros is a provably secure proof-of-stake system. To our knowledge, it is the first PoS blockchain protocol to undergo a rigorous security analysis. Our results are described in more detail below.

First, we provide a model that formalizes the problem of realizing a PoS-based blockchain protocol. In the spirit of [24], the model we introduce focuses on persistence and liveness, two important properties of a robust transaction ledger. Persistence means that once a node of the system declares a transaction "stable", the remaining nodes, if queried and responding honestly, will also report it as stable. Here stability is understood as a predicate parameterized by a security parameter k that affects the certainty with which the property holds (for example, the transaction is more than k blocks deep). Liveness ensures that an honestly generated transaction becomes stable once it has been provided to the network nodes for, say, u units of time. Together, liveness and persistence yield a robust transaction ledger in which honestly generated transactions are adopted and become immutable. Our model is suitably amended to accommodate PoS-based blockchains. Persistence relates to the number of blocks after which a transaction can no longer be altered; liveness relates to the confirmation time of a transaction, that is, how long after the transaction is sent to the network its fate is settled: beyond that time it is either confirmed or discarded.

Second, we describe a novel blockchain protocol based on PoS. Our protocol assumes that participants can freely create accounts and receive and make payments, with stake changing over time. We use a (very simple) secure multiparty implementation of a coin-flipping protocol to produce the randomness for the leader election. This is what differentiates our approach (and prevents so-called "grinding" attacks) from previous solutions, which either define such a value deterministically from the current state of the blockchain or use a collective coin toss to introduce entropy [4]. Our approach is also unique in that it accounts for stake changes over time, which the above systems ignore. Instead, a snapshot of the current stakeholders is taken at regular intervals called epochs, and within each such interval a secure multiparty computation takes place using the blockchain itself as the broadcast channel. Specifically, in each epoch a randomly selected group of stakeholders forms a committee that is responsible for executing the coin-flipping protocol. The outcome of the protocol determines the next group of stakeholders that will execute the coin flip in the following epoch, as well as all the leader elections of that epoch. That is, the multiparty computation produces true randomness, unlike previous PoS protocols, which have no such guarantee of randomness.
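As an added illustration of the epoch mechanism described above (this is example code written for this page, not the paper's or Cardano's implementation), the following Python sketch freezes a constructed stake snapshot at an epoch boundary, treats the committee's coin-flip output as an opaque epoch randomness value, and derives a stake-weighted leader for every slot from it; the SHA-256-based sampling is an assumed choice for illustration, not the paper's exact leader-selection function.

```python
import hashlib
from collections import Counter

# Constructed stake snapshot for one epoch (example data, not from the paper):
# stakeholder name -> units of stake recorded in the ledger at the epoch boundary.
STAKE_SNAPSHOT = {"alice": 40, "bob": 30, "carol": 20, "dave": 10}


def slot_seed(epoch_randomness: bytes, slot: int) -> int:
    """Derive a per-slot pseudorandom integer from the epoch randomness.

    The epoch randomness stands for the output of the committee's coin-flipping
    protocol. Once it is fixed, every slot's value is determined, so no single
    stakeholder can re-roll it; this is what removes the "grinding" opportunity
    discussed in the text. SHA-256 is an assumed choice for this illustration."""
    h = hashlib.sha256(epoch_randomness + slot.to_bytes(8, "big")).digest()
    return int.from_bytes(h, "big")


def elect_leader(snapshot: dict, epoch_randomness: bytes, slot: int) -> str:
    """Stake-weighted election: pick one stake unit uniformly at random and
    return its owner, so a holder of p% of the stake leads about p% of slots."""
    total = sum(snapshot.values())
    if total <= 0:
        raise ValueError("empty stake snapshot")
    target = slot_seed(epoch_randomness, slot) % total  # index of a stake unit
    running = 0
    for holder, stake in sorted(snapshot.items()):  # fixed order => deterministic
        running += stake
        if target < running:
            return holder
    raise AssertionError("unreachable: target is always below total stake")


def epoch_schedule(snapshot: dict, epoch_randomness: bytes, slots: int) -> list:
    """Leader for every slot of the epoch, computed from the snapshot taken at
    the epoch boundary; stake changes during the epoch do not affect it."""
    return [elect_leader(snapshot, epoch_randomness, s) for s in range(slots)]


def leader_share(schedule: list) -> dict:
    """Fraction of slots led by each stakeholder, for comparison with stake."""
    counts = Counter(schedule)
    return {holder: counts[holder] / len(schedule) for holder in counts}
```

Running `epoch_schedule(STAKE_SNAPSHOT, randomness, 10000)` twice with the same randomness gives the same schedule, and `leader_share` of it stays close to the 40/30/20/10 stake split.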

Third, we provide a formal set of arguments establishing that no adversary can break persistence and liveness. Our protocol is secure under the following reasonable assumptions: (1) the network is synchronous, in the sense that an upper bound can be determined within which any honest stakeholder is able to communicate with any other stakeholder; (2) a number of stakeholders drawn from the honest majority is available as needed to participate in each epoch; (3) stakeholders do not remain offline for long periods of time; (4) the adaptivity of corruptions is subject to a small delay, measured in rounds linear in the security parameter (or, alternatively, the players have access to a sender-anonymous broadcast channel). The core of our security argument is a probabilistic argument about the combinatorial notion of "forkable strings", which we formulate, prove, and also verify experimentally. In our analysis we also distinguish covert attacks, a special class of general forking attacks. "Covert" here refers to adversaries that wish to break the protocol without being detected, in the sense of covert adversaries in secure multiparty computation, see [3]. We show that covert forkable strings are a subclass of forkable strings with smaller density; this allows us to present two distinct security arguments that achieve different trade-offs between efficiency and security guarantees. Our forkable string analysis is a natural and fairly general tool that can be part of any security argument in a PoS setting.

Fourth, we turn our attention to the incentive structure of the protocol. We propose a novel reward mechanism for incentivizing participants which we prove to be an (approximate) Nash equilibrium. In this way, our design mitigates attacks such as block withholding and selfish mining [21, 38]. The core idea behind the incentive mechanism is to provide positive payoff for those protocol actions that cannot be stifled by a coalition deviating from the protocol. Thus, it can be shown that, under reasonable assumptions, faithful adherence to the protocol is an equilibrium when all participants are rational, given that the cost of following the protocol is minimal.

Fifth, we introduce a stake delegation mechanism that can be seamlessly incorporated into our blockchain protocol. Delegation is very useful in our context because we want the protocol to scale even when the set of stakeholders is highly fragmented. In this case, the delegation mechanism allows stakeholders to delegate their "voting rights", i.e. the right to participate in the committees that run the leader election protocol in each epoch. As in liquid democracy (also known as delegative democracy [23]), stakeholders can revoke their delegations whenever they wish to act independently of other stakeholders.

Given our model and protocol description, we also explore how various attacks considered in practice are handled within our framework. Specifically, we discuss double-spending attacks, transaction denial attacks, 51% attacks, nothing-at-stake attacks, desynchronization attacks, and others. Finally, we provide evidence of the efficiency of our design. First we consider double-spending attacks. For illustrative purposes, we compare with Nakamoto's analysis of Bitcoin, assuming 99.9% assurance of the transaction confirmation time. For a general adversary, a transaction takes 10 to 16 times longer to confirm than in Bitcoin, depending on the adversary's computational power; for a covert adversary it is five to ten times faster. Moreover, our double-spending analysis relies on our combinatorial analysis of forkable and covert forkable strings and applies to a wider range of adversarial behavior than Nakamoto's simpler analysis. We then turn to our prototype implementation and report benchmarks run in the Amazon cloud that demonstrate the performance benefits of our PoS blockchain protocol.

Related work

Concurrently with the development of Ouroboros, several other protocols were developed that occupy various points in the design space of PoS-based distributed ledgers. Sleepy consensus [6] considers a fixed stakeholder distribution (i.e., stake does not evolve over time) and targets a "mixed" corruption setting in which, in addition to Byzantine faults, the adversary is also allowed to perform adaptive fail-stop corruptions. Adapting our analysis to this mixed corruption setting is actually straightforward, see Remark 2; however, the resulting security can only be argued in a "delayed corruption" setting, so it is not fully adaptive. Snow White [7] describes an evolving stakeholder distribution and uses a corruption-delay mechanism similar to ours for security. In contrast to our protocol, however, the Snow White design is susceptible to "grinding"-type attacks, in which the adversary biases high-probability events in its favor. Although this does not asymptotically compromise security, it rules out a concrete parameterization that is independent of the adversary's computational power.

Algorand [27] provides a distributed ledger that runs a Byzantine agreement for each block and is resilient to adaptive corruptions. Since agreement must be reached for every block, such protocols produce blocks at a substantially slower rate than PoS-based blockchains (the slowdown matches the expected execution time of the Byzantine agreement protocol), but they are free of forks. In this respect, despite forking, a blockchain protocol offers the flexibility of letting clients choose the level of risk they are willing to accept, so that clients with a lower risk level can optimistically enjoy faster processing times. Finally, Fruitchain [36] provides a reward mechanism and an approximate Nash equilibrium proof for PoW-based blockchains. We use a similar reward mechanism at the blockchain level, but our underlying mechanism differs because it must operate in the PoS setting. The core idea is a PoS-based simulation of the "endorsing" input of the honest majority (see [24]), following the same logic as PoW-based Byzantine agreement with a suitable proportion of inputs.

Organization of the paper

We present the model in Section 2 and, to simplify the analysis of our protocol, present the protocol in four stages in Section 3. In Section 4 we describe and analyze the protocol in a static setting; we then cover the dynamic setting in Section 5. Our incentive mechanism and its equilibrium are covered in Section 7. We then cover improving the protocol with anonymous channels in Section 6 and delegation in Section 8. Next, in Section 9 we discuss the resilience of the protocol to several attacks. In Section 10 we discuss transaction confirmation times and general performance results for the prototype implementation running on the Amazon cloud.

Translator's note: the introduction of the consensus paper has been translated; more exciting content next time! (Thank you very much for your attention to the Cardano community.)

Original address:

https://eprint.iacr.org/2016/889.pdf?nsukey=QRILh1BmjE5k%2BvQjynm%2F8CQnpycVkRtlhQSCk3m9mGPIMbtcRp5Akse%2FVt9b6v24XVK27v aSczZjH%2BtBcuUsAihW4l0RO%2Bjea4aSj%2BhS4ktWhidEePrI2uG3GEECQ2PoBe8vMZMhR93MVWyaHdT9P29f4vpunEIPWUNbnfXx4zvXTi%2B1FWAMlq qRAnyYnQhu8jUgX%2FEqrqKbyl%2B6HsE2Fw%3D%3D