Blockchains with Proof-of-Stake
Hao Chung (鍾豪)
July 29, 2019
Outline
1. PoS-based Blockchains
• overview of Bitcoin
• Ouroboros Praos
• Algorand
2. Two Crypto Notions
• security parameter and asymptotic behavior
• pairing
3. Experience in Industry
What is a blockchain?
What kind of functionality does it want to achieve?
What kind of data structure does it use?
What kind of method (algorithm) does it use to achieve the functionality?
Structure of Blockchains
In this view, a blockchain is a distributed ledger linked by hash values.
[Figure: Block #99, Block #100 and Block #101, each holding Transactions 1–4 (and more), a previous hash, a block hash and a nonce; the previous hash of each block points at the block hash of its predecessor.]
Let’s recall how Bitcoin works
How do the miners decide “who can issue Block #101?”
In Bitcoin, the block hash is restricted to be below a threshold.
The first miner who creates a block whose block hash is below the threshold can issue the block.
[Figure: Blocks #99–#101 as before; the nonce of Block #101 is annotated “try many possibilities of nonces”: Proof-of-Work (PoW).]
Let’s recall how Bitcoin works
When does a block become “confirmed?”
In practice, a block with six successors is recognized as confirmed.
In short, Nakamoto consensus has two main components.
• Proof-of-Work: limited resources that resist dummy accounts
• Longest Chain Rule: the way that each miner reaches a consensus
Energy Consumption of Bitcoin
[Figure: energy consumption of Bitcoin, as of July 27, 2019.]
Proof-of-Stake
• Stake is the currency that a participant locks up in the protocol as a guarantee.
• The right to issue a block is related to the stake that the participants own.
[Figure: participants 1–5 holding different amounts of stake ($) take part in the consensus protocol.]
Ideally, $\Pr[p_i \text{ issues a block}] \propto p_i\text{'s stake}$.
Ouroboros Praos
Proposed by Bernardo David, Peter Gaži, Aggelos Kiayias, and Alexander Russell in 2017.
Accepted by EuroCrypt 2018.
Compared to Bitcoin, Ouroboros Praos consists of
• Proof-of-Stake
• Longest Chain Rule
Can we verify the authenticity of the random number's generation?
Verifiable Random Function (VRF)
A VRF is a function that generates a random number, where the computation can be verified.
In construction, a VRF is a 3-tuple of algorithms $(\mathit{Gen}, \mathit{Eval}, \mathit{Veri})$ such that
• $\mathit{Gen}(1^\lambda) \to (pk, sk)$
• $\mathit{Eval}(sk, x) \to (y, \mathit{proof})$
• $\mathit{Veri}(pk, x, y, \mathit{proof}) \to \{\mathit{yes}, \mathit{no}\}$
[Figure: $\mathit{Eval}(sk, x)$ outputs $(y, \mathit{proof})$, which $\mathit{Veri}(pk, x, y, \mathit{proof})$ checks and answers yes/no.]
Verifiable Random Function (VRF)
A secure VRF must satisfy
• Complete Provability: Suppose $(y, \mathit{proof}) = \mathit{Eval}(sk, x)$. Then $\Pr[\mathit{Veri}(pk, x, y, \mathit{proof}) = \mathit{yes}] = 1$.
• Unique Provability: No $(pk, x, \mathit{proof}_1, \mathit{proof}_2, y_1, y_2)$ with $y_1 \neq y_2$ can satisfy $\mathit{Veri}(pk, x, y_1, \mathit{proof}_1) = \mathit{Veri}(pk, x, y_2, \mathit{proof}_2) = \mathit{yes}$.
• Pseudorandomness: The generated $y$ should be indistinguishable from a uniformly distributed string.
Verifiable Random Function (VRF)
Recall that a signature scheme has the following properties:
1. only the user with the secret key can generate a valid signature
2. everyone with the public key can verify the signature
3. without the secret key, the signature should be unpredictable
In practice, a VRF can be constructed from a unique signature and a random oracle.
That is, $\mathit{Eval}(sk, x) = \mathit{Hash}(\mathit{Sig}_{sk}(x))$.
Ouroboros Praos
In Ouroboros Praos, the protocol is executed in “slots.”
We define
• $\mathit{data}$ to be the slot id and some block information (public)
• $\alpha_i$ to be the relative stake of participant $p_i$
For each slot, participant $p_i$ is allowed to propose a block if
$\mathit{Eval}(sk_i, \mathit{data}) < T(\alpha_i)$.
Other participants can easily verify the qualification by $\mathit{Veri}(pk_i, \mathit{data}, y, \mathit{proof})$.
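The “unique signature + random oracle” construction of the previous slide and the slot-leader check above, as one added example (not code from the slides or from the Praos paper): the unique signature is a toy RSA full-domain-hash signature with a demonstration modulus, the threshold function is the Praos paper's $\phi_f(\alpha) = 1 - (1-f)^\alpha$ scaled to the hash range, and the slot data strings are constructed.

```python
import hashlib

# Toy RSA modulus from two well-known Mersenne primes (2^61-1, 2^89-1): no primality
# test needed, but it is trivially factorable, so this key is for demonstration only.
P, Q = (1 << 61) - 1, (1 << 89) - 1
N, E = P * Q, 65537
PHI = (P - 1) * (Q - 1)  # gcd(E, PHI) = 1, so E is invertible mod PHI

def gen():
    """Gen(1^lambda) -> (pk, sk): RSA public and private exponents."""
    return (N, E), (N, pow(E, -1, PHI))

def _hash_to_zn(x: bytes) -> int:
    return int.from_bytes(hashlib.sha256(x).digest(), "big") % N  # full-domain hash into Z_N

def eval_vrf(sk, x: bytes):
    """Eval(sk, x) -> (y, proof): y = Hash(Sig_sk(x)), the RSA-FDH signature is the proof."""
    n, d = sk
    sig = pow(_hash_to_zn(x), d, n)  # deterministic: exactly one valid proof per (sk, x)
    y = hashlib.sha256(sig.to_bytes(32, "big")).digest()  # random oracle over the signature
    return y, sig

def veri(pk, x: bytes, y: bytes, proof: int) -> bool:
    """Veri(pk, x, y, proof) -> yes/no: check the signature, then recompute y from it."""
    n, e = pk
    if not 0 <= proof < n or pow(proof, e, n) != _hash_to_zn(x):
        return False
    return y == hashlib.sha256(proof.to_bytes(32, "big")).digest()

def phi(alpha: float, f: float = 0.05) -> float:
    """Leader probability for relative stake alpha: the Praos paper's phi_f(alpha) = 1-(1-f)^alpha."""
    return 1 - (1 - f) ** alpha

def threshold(alpha: float, f: float = 0.05) -> int:
    """T(alpha_i): phi_f(alpha_i) scaled to the 256-bit range of y."""
    return int(phi(alpha, f) * (1 << 256))

def is_slot_leader(sk, slot_data: bytes, alpha: float, f: float = 0.05):
    """Eval(sk_i, data) < T(alpha_i); also returns (y, proof) so others can run Veri."""
    y, proof = eval_vrf(sk, slot_data)
    return int.from_bytes(y, "big") < threshold(alpha, f), y, proof

def leader_slots(sk, alpha: float, n_slots: int = 2000) -> int:
    """Count slots (constructed slot data 'slot:<id>') in which this key may propose a block."""
    return sum(is_slot_leader(sk, f"slot:{s}".encode(), alpha)[0] for s in range(n_slots))

if __name__ == "__main__":
    pk, sk = gen()
    won, y, proof = is_slot_leader(sk, b"slot:7", 0.3)
    print("leader in slot 7:", won, "| Veri:", veri(pk, b"slot:7", y, proof))
```

With $f = 0.05$, a participant holding all the stake ($\alpha = 1$) leads about 5% of the slots, and $\phi_f$ satisfies $\phi_f(\alpha_1 + \alpha_2) = 1 - (1-\phi_f(\alpha_1))(1-\phi_f(\alpha_2))$, so splitting stake across keys does not change the chance of leading a slot.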
Ouroboros Praos
For each slot, there may be zero, one, or many proposed blocks.
In this case, the honest participants follow the longest chain.
David et al. showed that it is secure if the honest participants own $> \tfrac{1}{2}$ of the stake.
[Figure: a forking chain of blocks; double circles are the honest blocks.]
Algorand
Proposed by Yossi Gilad, Rotem Hemo, Silvio Micali, Georgios Vlachos, and Nickolai Zeldovich in 2017.
Accepted by SOSP 2017.
Compared to Bitcoin, Algorand consists of
• Proof-of-Stake
• Byzantine Agreement
Byzantine Agreement
Suppose there are three generals.
They want to reach a consensus on whether they should attack or not.
[Figure: three generals exchanging messages; each sends “attack!” (A) or “retreat!” (R) to the others.]
Byzantine Agreement
Suppose there are three generals.
They want to reach a consensus on whether they should attack or not.
[Figure: the same three generals, but one of them now sends inconsistent messages (“attack!” to one general, “retreat!” or garbage “@#$%^!” to the other).]
Some of them may be malicious. In this case, we call them “Byzantine.”
Algorand
Like Ouroboros Praos, the qualification for proposing blocks is decided by a VRF.
For each block height, participant $p_i$ is allowed to propose a block if $v_i = \mathit{Eval}(sk_i, (\mathit{data}, \mathit{coin\ id})) < T$,
so that the more stake $p_i$ has, the more chances $p_i$ can try.
Ideally, the winner of the block is the one with the smallest VRF value $v$.
However, how do we make sure every participant reaches a consensus?
=> Byzantine agreement
Algorand
[Figure: the proposers run Byzantine Agreement on their proposed blocks; red is the winner.]
Is primality testing in P?
Definition (Primes problem)
Given an integer $N$, decide whether $N$ is a prime or not.
In 2002, Manindra Agrawal, Neeraj Kayal and Nitin Saxena finally showed that the Primes problem is in P.
If we can try division up to $\sqrt{N}$, why doesn’t Primes $\in$ P hold trivially?
Key: the running time is counted in the input size.
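Carrying the key point through (an added worked derivation, not part of the original slides): let $n$ be the bit-length of the input $N$.

$$
n = \lceil \log_2 N \rceil \quad\Longrightarrow\quad \sqrt{N} \approx 2^{n/2},
$$

so trial division up to $\sqrt{N}$ performs about $2^{n/2}$ divisions, which is exponential in the input size $n$, whereas membership in P requires a running time bounded by a polynomial in $n$.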
What is the time complexity of breaking AES-256?
Let’s define the problem of breaking encryption as follows.
Given an encryption oracle $E_{sk}(\cdot)$, try to find the underlying secret key $sk$.
Now, suppose our target is AES-256.
Then, what is the time complexity of breaking AES-256?
Permutation
How many permutations are there that map $n$-bit strings to $n$-bit strings?
Definition (uniform permutation ensemble)
Let $S_n$ denote the set of all permutations mapping $\{0,1\}^n$ to $\{0,1\}^n$.
Let $K_n$ denote the random variable uniformly distributed over $S_n$.
The uniform permutation ensemble, denoted $\mathcal{K} = \{K_n\}_{n \in \mathbb{N}}$, has $K_n$ uniformly distributed over the set of all permutations mapping $n$-bit strings to $n$-bit strings.
Pseudorandom Permutation
Definition (permutation ensemble)
A permutation ensemble is a sequence $\mathcal{P} = \{P_n\}_{n \in \mathbb{N}}$ of random variables such that the random variable $P_n$ assumes values in the set of permutations mapping $n$-bit strings to $n$-bit strings.
Definition (pseudorandom permutation ensemble)
A permutation ensemble $\mathcal{P} = \{P_n\}_{n \in \mathbb{N}}$ is called pseudorandom if for every probabilistic polynomial-time oracle machine $M$, every polynomial $p(\cdot)$, and all sufficiently large $n$’s,
$$
\left| \Pr\left[M^{P_n}(1^n) = 1\right] - \Pr\left[M^{K_n}(1^n) = 1\right] \right| < \frac{1}{p(n)},
$$
where $\mathcal{K} = \{K_n\}_{n \in \mathbb{N}}$ is the uniform permutation ensemble.
Computational Indistinguishability
When we talk about the asymptotic behavior of an algorithm, we need the algorithm to accept inputs of any length.
Many cryptographic definitions rely on computational indistinguishability.
The formal definition of computational indistinguishability refers to probability ensembles, which are infinite sequences of probability distributions.
Pairing
Definition (Pairing)
A pairing is a map $e: G_1 \times G_2 \to G_T$ that satisfies the following two conditions:
• Bilinearity: $e(P + P', Q) = e(P, Q)\,e(P', Q)$ for all $P, P' \in G_1$, $Q \in G_2$, and $e(P, Q + Q') = e(P, Q)\,e(P, Q')$ for all $P \in G_1$, $Q, Q' \in G_2$.
• Non-degeneracy: For all non-zero $P \in G_1$, there exists $Q \in G_2$ such that $e(P, Q) \neq 1$; for all non-zero $Q \in G_2$, there exists $P \in G_1$ such that $e(P, Q) \neq 1$.
Decisional Diffie-Hellman (DDH) problem
Definition (Decisional Diffie-Hellman problem)
Let $G$ be a cyclic group. Given the generator $P$ and $(aP, bP, Q)$, decide whether $Q = abP$.
Pairings make the DDH problem easy,
because $e(aP, bP) = e(P, P)^{ab} = e(P, abP)$.
It is easy to decide DDH by checking $e(aP, bP) \overset{?}{=} e(P, Q)$.