o uroboros p raos
play

O UROBOROS P RAOS : A N ADAPTIVELY - SECURE , SEMI - SYNCHRONOUS - PowerPoint PPT Presentation

Nov 10, 2023 •248 likes •864 views

O UROBOROS P RAOS : A N ADAPTIVELY - SECURE , SEMI - SYNCHRONOUS PROOF - OF - STAKE BLOCKCHAIN Bernardo David Peter Gai Aggelos Kiayias Alexander Russell Tokyo Tech IOHK U. Edinburgh U. Connecticut & IOHK & IOHK Eurocrypt 2018

  1. O UROBOROS P RAOS : A N ADAPTIVELY - SECURE , SEMI - SYNCHRONOUS PROOF - OF - STAKE BLOCKCHAIN Bernardo David Peter Gaži Aggelos Kiayias Alexander Russell Tokyo Tech IOHK U. Edinburgh U. Connecticut & IOHK & IOHK Eurocrypt 2018

  2. Roadmap ● Proof-of-work vs. Proof-of-stake blockchains ● Ouroboros Praos ● Protocol Description ● Security Analysis

  3. The problem Bitcoin solves ● Allows a collection of parties to agree on a dynamic, common sequence of transactions—a ledger . persistence: past transactions in ledger are immutable ● liveness: new transactions are eventually included ● parties may arise and disappear ● some parties may seek to disrupt the system ●

  4. Bitcoin as a leader election process, proof of work ● parties compete for the right to extend ● winning certificate: PoW solution ● Pr[success] proportional to computing power ? …………….

  5. Bitcoin: Laudatory remarks ● Simple ● neatly solves a challenge: consensus with a fluid population of participants ● Sidesteps previous impossibility results ● thanks to a new assumption (honest majority of comp. power) ● Amenable to formal analysis ● [GKL15,PSS17,BMTZ17]

  6. Bitcoin: Criticism ● relies on an ongoing computational race ● power consumption estimates: ● on the order of GWs ● almost tripled over the last 6 months ● Attack cost proportional to the energy spent in the attack period.

  7. Challenge: Replace “proof-of-work” with alternate resource lottery ● other physical resources, with different properties ● disk space ● useful computation/storage ● ... ● virtual resource: coin itself ⇒ Proof of Stake

  8. Proof of Stake: stake-based lottery ● blockchain tracks ownership of coins among parties ● Idea: participants elected proportionally to stake ⇒ no need for physical resources ● hard to implement securely

  9. Previous proof-of-stake solutions with rigorous guarantees Eventual (Nakamoto-style) Consensus: ● Ouroboros [KRDO16] ● Snow White [DPS16] Blockwise Byzantine Agreement: ● Algorand [CM16]

  10. Ouroboros Provably guarantees ● persistence: stable transactions are immutable ● liveness: new transactions included eventually

  11. Ouroboros Provably guarantees ● persistence: stable transactions are immutable ● liveness: new transactions included eventually if ● adversary has minority stake throughout ● adversary subject to corruption delay ● communication is synchronous

  12. Ouroboros Praos Provably guarantees ● persistence: stable transactions are immutable ● liveness: new transactions included eventually if ● adversary has minority stake throughout ● adversary subject to corruption delay ● communication is synchronous

  13. Ouroboros Praos in a Nutshell First eventual-consensus PoS secure ● in a semi-synchronous communication model ● despite fully adaptive corruptions via ● local, private leader selection ● forward-secure signatures ● blockchain hashing for randomness (scalability!)

  14. Ouroboros Praos: Protocol Description

  15. Communication Model ● assume synchronized clocks ● time divided into slots ● honest messages may be adversarially delayed by at most � slots ● � is unknown to the protocol ● adversary may send arbitrary messages to arbitrary subsets, arriving at arbitrary times

  16. Ouroboros Praos: Protocol overview ● time divided into consecutive, disjoint slots

  17. Ouroboros Praos: Protocol overview ● time divided into consecutive, disjoint slots at most 1 block per slot allowed ●

  18. Ouroboros Praos: Protocol overview ● time divided into consecutive, disjoint slots ● epoch : sequence of R slots

  19. Ouroboros Praos: Protocol overview ● time divided into consecutive, disjoint slots ● epoch : sequence of R slots ● slot leader : a player allowed to create block in that slot selected proportionally to his/her stake ●

  20. Ouroboros Praos: Protocol overview ● time divided into consecutive, disjoint slots ● epoch : sequence of R slots ● slot leader : a player allowed to create block in that slot selected proportionally to his/her stake ● independent for each slot and each player ● => empty slots, multi-leader slots ●

  21. Ouroboros Praos: Protocol overview ● time divided into consecutive, disjoint slots ● epoch : sequence of R slots ● slot leader : a player allowed to create block in that slot selected proportionally to his/her stake ● independent for each slot and each player ● => empty slots, multi-leader slots ●

  22. Ouroboros Praos: Protocol overview ● time divided into consecutive, disjoint slots ● epoch : sequence of R slots ● slot leader : a player allowed to create block in that slot ● stake distribution : snapshot from last block 2 epochs ago

  23. Ouroboros Praos: Protocol overview ● time divided into consecutive, disjoint slots ● epoch : sequence of R slots ● slot leader : a player allowed to create block in that slot ● stake distribution : snapshot from last block 2 epochs ago ● randomness : hash of values in prefix of previous epoch H(.)

  24. Hashing for epoch randomness unique, pseudorandom Verifiable Random Functions: ● Evaluate sk ( input ) = ( output , proof ) ● Verify pk ( input , output , proof ) = 0/1 H(.)

  25. Hashing for epoch randomness Verifiable Random Functions: Txs ● Evaluate sk ( input ) = ( output , proof ) H(prev) ● Verify pk ( input , output , proof ) = 0/1 Slot # VRF output ● every leader inserts a separate VRF (value,proof) VRF proof into block sig Li ( ) H(.)

  26. Hashing for epoch randomness Verifiable Random Functions: Txs ● Evaluate sk ( input ) = ( output , proof ) H(prev) ● Verify pk ( input , output , proof ) = 0/1 Slot # VRF output ● every leader inserts a separate VRF (value,proof) VRF proof into block ● hash of VRF values from initial ⅔ of epoch give sig Li ( ) randomness for the whole next epoch H( || ||...)

  27. Single-epoch setting Focus on one epoch of length R ● static stake distribution ● ideal randomness

  28. Leader selection: local, private Verifiable Random Functions: ● Evaluate sk ( input ) = ( output , proof ) ● Verify pk ( input , output , proof ) = 0/1 Leader selection lottery for stakeholder U i : Evaluate sk ( rnd , slot ) < � ( stake i ) ( output , proof ) included in the block

  29. Leader selection: local, private Verifiable Random Functions: ● Evaluate sk ( input ) = ( output , proof ) ● Verify pk ( input , output , proof ) = 0/1 Leader selection lottery for stakeholder U i : Evaluate sk ( rnd , slot ) < � ( stake i ) ● similar idea previously in NXT, Algorand ● needs unpredictability under malicious key generation ● UC-functionality + efficient realization from CDH+RO

  30. Leader selection: local, private Verifiable Random Functions: ● Evaluate sk ( input ) = ( output , proof ) ● Verify pk ( input , output , proof ) = 0/1 Leader selection lottery for stakeholder U i : Evaluate sk ( rnd , slot ) < � ( stake i ) ● similar idea previously in NXT, Algorand ● needs unpredictability under malicious key generation ● UC-functionality + efficient realization from CDH+RO

  31. Leader selection: choice of � (.) α ∊ [0,1] f ∊ [0,1] ● ratio of non-empty slots f is a protocol parameter ● slightly sublinear growth ● maintains “independent aggregation”

  32. Block signing: Key-evolving signatures KES are signature schemes, where: ● pk remains the same ● sk updated in every step, old sk erased ● impossible to forge old signatures with new keys

  33. Block signing: Key-evolving signatures KES are signature schemes, where: ● pk remains the same Txs ● sk updated in every step, old sk erased ● impossible to forge old signatures with H(prev) new keys Slot # ● used for signing blocks ... ● helps achieve adaptive security ● UC-functionality + realization sig Li ( )

  34. Validity of a chain A valid blockchain in single-epoch setting: 1 2 3 4 5 6 7 ● increasing slot numbers ● each block contains: correct VRF-pair proving eligibility ● correct VRF-pair for randomness derivation ● KES-signature by eligible leader ●

  35. The Protocol (single epoch) ● For each slot: ● Collect all transactions. ● Collect all broadcast blockchains. Cull according to validity; maintain the longest one C . ● If leader , add a new block in this slot with all transactions (consistent with C ) to the end of C . Sign it and broadcast.

  36. Ouroboros Praos: Security Analysis

  37. Proven Guarantees ✓ Common Prefix ( k ): Any 2 chains possessed by 2 honest parties: one is a prefix of the other except for at most k last blocks. ✓ Chain Growth ( s , � ): Any chain possessed by an honest party has at least � s blocks over any sequence of s slots. ✓ Chain Quality ( k ): Any chain possessed by an honest party contains an honest block among last k blocks.

  38. Proven Guarantees ✓ Common Prefix ( k ): Any 2 chains possessed by 2 honest parties: one is a prefix of the other except for at most k last blocks. ✓ Chain Growth ( s , � ): Any chain possessed by an honest party has at least � s blocks over any sequence of s slots. ✓ Chain Quality ( k ): Any chain possessed by an honest party contains an honest block among last k blocks. These are known to imply what we want: ✓ Persistence ✓ Liveness

  39. Proof Outline 1. CP, CG, CQ ● single-epoch setting, static corruption

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cosmic Uroboros Illustration from The View from the Center of the Universe Superstrings?

Cosmic Uroboros Illustration from The View from the Center of the Universe Superstrings?

Cosmic Horizon 10 29 cm Planck Length 10 -33 cm The Cosmic Uroboros Illustration from The View from the Center of the Universe Superstrings? Gravitation Dark Matter? Different Forces Are Important on Weak &amp; Strong Different Size

269 views • 4 slides
A comparison of Raos score test and likelihood ratio tests for three separable covariance

A comparison of Raos score test and likelihood ratio tests for three separable covariance

A comparison of Raos score test and likelihood ratio tests for three separable covariance matrix structures Katarzyna Filipiak 1 , Daniel Klein 2 , Anuradha Roy 3 1 Institute of Mathematics, Pozna n University of Technology, Poland 2

356 views • 20 slides
Today Review for Final.. Raos Cheat Sheet. A million slides. Notes: Logic/Proofs.

Today Review for Final.. Raos Cheat Sheet. A million slides. Notes: Logic/Proofs.

Today Review for Final.. Raos Cheat Sheet. A million slides. Notes: Logic/Proofs. Statement? 3 = 4+1? Yes. 3? No Logic. P = Q Q = P False. Quantifiers. x , Q ( x ) x , Q ( x ) . Proofs. Direct. Square of

918 views • 67 slides
Three Myths and One Question Myth II Myth III on Optimal Planning Research Question Summary

Three Myths and One Question Myth II Myth III on Optimal Planning Research Question Summary

Why me? Myth I Three Myths and One Question Myth II Myth III on Optimal Planning Research Question Summary Carmel Domshlak Festivus 2008 Raos call to invite yourself to the panel of plaintiffs Rao Since the last two editions have

2.34k views • 21 slides
Slides for Lecture 1 ENCM 501: Principles of Computer Architecture Winter 2014 Term Steve

Slides for Lecture 1 ENCM 501: Principles of Computer Architecture Winter 2014 Term Steve

Slides for Lecture 1 ENCM 501: Principles of Computer Architecture Winter 2014 Term Steve Norman, PhD, PEng Electrical &amp; Computer Engineering Schulich School of Engineering University of Calgary 9 January, 2014 slide 2/25 ENCM 501 W14

748 views • 25 slides
WE EAT BUGS FOR BREAKFAST UIUX CONF 2016 - October 16, 2016 Junchao Joyce Design &amp;

WE EAT BUGS FOR BREAKFAST UIUX CONF 2016 - October 16, 2016 Junchao Joyce Design &amp;

WE EAT BUGS FOR BREAKFAST UIUX CONF 2016 - October 16, 2016 Junchao Joyce Design &amp; Production Interaction Design Cheese Videos - Video link Home Subway Offices Neighborhood Restaurant

1.02k views • 68 slides
Verification by translation to UML-B Dr. Colin Snook January 2010 Outline Overview of UML-B

Verification by translation to UML-B Dr. Colin Snook January 2010 Outline Overview of UML-B

Verification by translation to UML-B Dr. Colin Snook January 2010 Outline Overview of UML-B (and Event-B) Features of the UML model Translation to UML-B Verifying a Safety Requirement Conclusion FMCO Graz 29 th Nov 2010

518 views • 32 slides
Fronteers 2009 , 2009

Fronteers 2009 , 2009

Fronteers 2009 , 2009 Molly Holzschlag Peter-Paul Koch Whats New With The The Mobile Web, Or The Mobile Web Masochist's Guide To Gleeful Self-flagellation Chris

1.28k views • 86 slides
Office Hours: COVID-19 Planning and Response October 16, 2020 Housekeeping A recording of

Office Hours: COVID-19 Planning and Response October 16, 2020 Housekeeping A recording of

Office Hours: COVID-19 Planning and Response October 16, 2020 Housekeeping A recording of todays session, along with the slide deck and a copy of the Chat and Q&amp;A content will be posted to the HUD Exchange within 2-3 business days

462 views • 24 slides
Bloody Footprints in the Snow: The Testers Rant Neil Kirby Member of Technical Staff

Bloody Footprints in the Snow: The Testers Rant Neil Kirby Member of Technical Staff

Bloody Footprints in the Snow: The Testers Rant Neil Kirby Member of Technical Staff Alcatel-Lucent The path they took was well-defined by the bloody footprints in the snow. It Takes Good People to Test Im from QA and Im Here to

510 views • 10 slides
Learning Theory Part 2: Mistake Bound Model CS 760@UW-Madison Goals for the lecture you should

Learning Theory Part 2: Mistake Bound Model CS 760@UW-Madison Goals for the lecture you should

Learning Theory Part 2: Mistake Bound Model CS 760@UW-Madison Goals for the lecture you should understand the following concepts the on-line learning setting the mistake bound model of learnability the Halving algorithm

422 views • 16 slides
Objectives Avalanche Warning Center websites www.avalanches.org Geo-Communicating

Objectives Avalanche Warning Center websites www.avalanches.org Geo-Communicating

ICA CMC Workshop Banff 2014 Objectives Avalanche Warning Center websites www.avalanches.org Geo-Communicating Avalanche Relevant www.avalanche.org Information EAWS SnoProfiler www.avalanche.ca www.avalanche.net.nz

845 views • 5 slides
A cabin in the snow Wall temperature is 0, except for a radiator at 100 What is the

A cabin in the snow Wall temperature is 0, except for a radiator at 100 What is the

Example: The Temperature Problem A cabin in the snow Wall temperature is 0, except for a radiator at 100 What is the temperature in the interior? Example: The Temperature Problem A cabin in the snow (the unit square J )

639 views • 7 slides
Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der

Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der

Melting the Snow Using Active DNS Measurements to Detect Snowshoe Spam Domains Olivier van der Toorn February 1, 2018 University of Twente, Design and Analysis of Communication Systems Introduction Olivier

1.46k views • 90 slides
Scientific Computing I Module 7: Solving the 1D Heat Equation Miriam Mehl based on Slides by

Scientific Computing I Module 7: Solving the 1D Heat Equation Miriam Mehl based on Slides by

Lehrstuhl Informatik V Scientific Computing I Module 7: Solving the 1D Heat Equation Miriam Mehl based on Slides by Michael Bader (Winter 09/10) Winter 2011/2012 Miriam Mehl based on Slides by Michael Bader (Winter 09/10): Scientific Computing

450 views • 19 slides
Scripting with R in high-performance computing: An Example using littler UseR! 2008 conference

Scripting with R in high-performance computing: An Example using littler UseR! 2008 conference

Introduction Scripting MPI Scripting with R in high-performance computing: An Example using littler UseR! 2008 conference Dirk Eddelbuettel TU Dortmund August 13, 2008 Dirk Eddelbuettel R and high-performancs computing scripting / UseR!

602 views • 16 slides
Joint FERC NRC Meeting Robert Snow , PE Office of Energy Policy and Innovation Federal

Joint FERC NRC Meeting Robert Snow , PE Office of Energy Policy and Innovation Federal

Joint FERC NRC Meeting Robert Snow , PE Office of Energy Policy and Innovation Federal Energy Regulatory Commission June 15, 2012 Slide 1 Generator Bids Slide 2 Nuclear Resources and Significant Contingencies Slide 3 Wind Resources

314 views • 10 slides
Filtering EECS 442 Prof. David Fouhey Winter 2019, University of Michigan

Filtering EECS 442 Prof. David Fouhey Winter 2019, University of Michigan

Filtering EECS 442 Prof. David Fouhey Winter 2019, University of Michigan http://web.eecs.umich.edu/~fouhey/teaching/EECS442_W19/ Note: Ill ask the front row on the right to participate in a demo. All you have to do is say a number that

1.06k views • 72 slides
Pumps, Maps and Pea Soup: Spatio-temporal methods in environmental epidemiology Gavin Shaddick

Pumps, Maps and Pea Soup: Spatio-temporal methods in environmental epidemiology Gavin Shaddick

Pumps, Maps and Pea Soup: Spatio-temporal methods in environmental epidemiology Gavin Shaddick Department of Mathematical Sciences University of Bath 2012-13 van Eeden lecture Thanks Constance van Eeden Fund Department of Statistics,

940 views • 39 slides
The password thicket: technical and market failures in human authentication on the web Joseph

The password thicket: technical and market failures in human authentication on the web Joseph

The password thicket: technical and market failures in human authentication on the web Joseph Bonneau S oren Preibusch {jcb82,sdp36}@cl.cam.ac.uk Computer Laboratory WEIS 2010 The Ninth Workshop on the Economics of Information Security

1.23k views • 71 slides
Uncertainty AIMA Chapter 13 Outline Uncertainty Uncertainty Probability Syntax and

Uncertainty AIMA Chapter 13 Outline Uncertainty Uncertainty Probability Syntax and

Uncertainty Uncertainty AIMA Chapter 13 Outline Uncertainty Uncertainty Probability Syntax and Semantics Inference Independence and Bayes Rule Uncertainty Uncertainty Let action A t = leave for airport t minutes before

999 views • 46 slides
HyADS : A tool for estimating nationwide exposures to emissions from large numbers of sources

HyADS : A tool for estimating nationwide exposures to emissions from large numbers of sources

HyAD HyADS : A tool for estimating nationwide exposures to emissions from large numbers of sources Lucas Henneman (and many others) Department of Environmental Health, Harvard School of Public Health CMAS 21 October, 2019 The Team Project 4

423 views • 20 slides
Pennsylvania House of Representatives Environmental Resources &amp; Energy Committee Public

Pennsylvania House of Representatives Environmental Resources &amp; Energy Committee Public

Pennsylvania House of Representatives Environmental Resources &amp; Energy Committee Public Hearing August 24, 2020 Testimony of Roger Caiazza Retired Air Pollution Meteorologist Roger Caiazza Background Air pollution meteorologist in

433 views • 11 slides
Looking at the farmers market data IMP R OVIN G YOU R DATA VISU AL IZATION S IN P YTH ON Nick

Looking at the farmers market data IMP R OVIN G YOU R DATA VISU AL IZATION S IN P YTH ON Nick

Looking at the farmers market data IMP R OVIN G YOU R DATA VISU AL IZATION S IN P YTH ON Nick Stra y er Instr u ctor First e x plorations of a dataset Take a broad v ie w Sho w as m u ch info as possible Don ' t f u ss o v er appearances

880 views • 45 slides

More recommend