
Ouroboros Praos: An Adaptively-Secure, Semi-Synchronous Proof-of-Stake Blockchain


Bernardo David, Peter Gazi, Aggelos Kiayias, and Alexander Russell
Eurocrypt 2018

Aayush Naik
Mahtab Sandhu

Distributing Trust and Blockchains


Table of contents

1. Introduction

2. Proof-of-Stake

3. Ouroboros

4. The Blockchain Goal

5. Ouroboros Praos

6. Security Analysis

Introduction
Overview

• What is proof-of-stake?
• A simple solution
• A simple solution - with a major problem
• Ouroboros
• The Blockchain Goal
• Ouroboros Praos

Why Proof-of-Stake?

• Proof-of-Work is wasteful
• Stake is a good indicator of commitment and interest in the system

Proof-of-Stake
Proof-of-Stake

• It’s a protocol for leader selection.
• The basic idea is that the leader is chosen as a function of the stake a user holds.
• The leader of every epoch/time instance should be independent of previous leaders.

A Simple Solution

• Pick a random "coin id". The owner of the coin is the leader.

A Simple Solution - Randomness in Blockchain

• Pick a random "coin id". The owner of the coin is the leader.
• Hash the blockchain thus far. Use that to determine the next leader.

A Simple Solution - A Major Problem

• Pick a random "coin id". The owner of the coin is the leader.
• Hash the blockchain thus far. Use that to determine the next leader.
• Rejection sampling (grinding): the leader chooses the contents of its block, and therefore its hash. Once an adversary becomes the leader, they can try many variants of their block and publish only the one whose hash elects them again, and so keep being the leader.
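The following simulation is an added example (not code from the paper or the slides) of the grinding problem described above. It models the naive scheme with a constructed 70/30 coin split and a 1000-try grinding budget: the next leader is the owner of the coin selected by SHA-256 of the chain tip, and an adversarial leader re-samples its block until the resulting hash re-elects it.

```python
import hashlib

# Toy model of the "simple solution": the leader of a slot is the owner of the
# coin picked by hashing the chain tip.  The stake split and slot counts are
# constructed for illustration; nothing here is taken from the Ouroboros papers.
STAKE = {"honest": 70, "adversary": 30}   # coin counts; the adversary holds 30 %
TOTAL = sum(STAKE.values())


def owner_of_coin(coin_id):
    """Map a coin index in [0, TOTAL) to the party that owns it."""
    upper = 0
    for party, coins in STAKE.items():
        upper += coins
        if coin_id < upper:
            return party
    raise ValueError("coin id out of range")


def next_leader(tip):
    """Leader selection of the naive scheme: hash the chain tip, pick a coin."""
    coin_id = int.from_bytes(hashlib.sha256(tip).digest(), "big") % TOTAL
    return owner_of_coin(coin_id)


def make_block(prev_tip, slot, leader, nonce=0):
    """A block is modelled by its hash; `nonce` stands for any content the
    leader is free to choose (transaction order, timestamp, padding...)."""
    payload = (prev_tip + leader.encode() + slot.to_bytes(4, "big")
               + nonce.to_bytes(4, "big"))
    return hashlib.sha256(payload).digest()


def grind(prev_tip, slot, max_tries=1000):
    """Rejection sampling by the adversarial leader: keep re-generating the
    block until its hash re-elects the adversary in the next slot."""
    for nonce in range(max_tries):
        candidate = make_block(prev_tip, slot, "adversary", nonce)
        if next_leader(candidate) == "adversary":
            return candidate
    return candidate  # give up; probability about 0.7**max_tries, negligible here


def adversarial_slot_fraction(slots, grinding):
    """Fraction of the first `slots` slots led by the adversary."""
    tip = b"genesis"
    adversarial = 0
    for slot in range(slots):
        leader = next_leader(tip)
        if leader == "adversary":
            adversarial += 1
            tip = grind(tip, slot) if grinding else make_block(tip, slot, leader)
        else:
            tip = make_block(tip, slot, leader)
    return adversarial / slots


if __name__ == "__main__":
    print("no grinding:", adversarial_slot_fraction(500, grinding=False))
    print("grinding:   ", adversarial_slot_fraction(500, grinding=True))
```

Without grinding the adversary leads roughly its 30 % share of slots; with grinding it leads essentially every slot after its first win, because each re-sampled block has a 30 % chance of re-electing it and it may try as often as it likes.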

Ouroboros
Communication Model

• Ouroboros assumes a simple synchronous model where time is quantized and divided into slots.
• Honest members broadcast and receive their messages in the same time slot.
• Adversarial parties may send arbitrary messages to arbitrary subsets, arriving at arbitrary times.

Protocol Overview

• Epoch: a sequence of R slots grouped together.
• Stake distribution: the distribution of stake (value) among the members, as recorded in the previous epoch.
• Randomness: the output of a multi-party computation run in the previous epoch.
• Slot leader: the member allowed to create a block in a given slot, chosen randomly.
• Leader schedule: the slot leaders for the current epoch, sampled from (randomness, stake distribution).

Static Analysis

• Analysing one epoch of R slots starting at the genesis block.
• The stake distribution is static and is stored in the genesis block along with the public keys.
• Leaders are elected independently for each slot, with probability proportional to relative stake:

$\Pr[L_i = U] = \dfrac{\text{stake of } U}{\text{total stake}}$

• The leader schedule is public at the start of the epoch.

Static Analysis - Valid Blockchain

A valid blockchain in this setting:

• Starts with the genesis block.
• Each block contains non-conflicting valid transactions and is signed by the slot leader.
• Blocks carry strictly increasing slot numbers and are appended to the longest chain. If a slot leader misses its slot, that slot simply stays empty and the next leader extends the existing chain.

Leader Selection

A leader selection process with respect to a stakeholder distribution $S = ((vk_1, s_1), \ldots, (vk_n, s_n))$ is a pair $(D, F)$ consisting of a distribution and a deterministic function such that, when $\rho \leftarrow D$, for all $sl_j \in \{sl_1, \ldots, sl_R\}$ the value $F(S, \rho, sl_j)$ is some stakeholder $U_i \in \{U_1, \ldots, U_n\}$. The random seed $\rho$ for the function is generated by an MPC protocol run among the stakeholders.

What the Adversary can do

• Unlike the Bitcoin adversary, the adversary here knows the entire leader schedule of the epoch ahead of time.
• The adversary can also generate multiple blocks per slot and broadcast them to different subsets of members.
• The adversary controls at most a $(1-\epsilon)/2$ fraction of the stake, and hence of the slots of the epoch, where $\epsilon > 0$ is the margin by which the honest members hold the majority of the stake.

The Blockchain Goal
Persistence

Persistence: Once a node of the system proclaims a certain transaction tx as stable, the remaining nodes, if queried, will either report tx in the same position in the ledger or will not report as stable any transaction in conflict with tx. Specifically, a transaction is declared stable if and only if it is in a block that is more than k blocks deep in the ledger.

Liveness

Liveness: If all honest nodes in the system attempt to include a certain transaction, then after the transaction confirmation time has passed, all nodes, if queried and responding honestly, will report it as stable.

Three Elementary Properties

1. k-Common Prefix (k-CP); with parameter $k \in \mathbb{N}$. The chains $C_1$, $C_2$ possessed by two honest parties at the onset of the slots $sl_1 \preceq sl_2$ are such that $C_1^{\lceil k} \preceq C_2$, where $C_1^{\lceil k}$ denotes the chain obtained by removing the last k blocks from $C_1$, and $\preceq$ denotes the prefix relation.
2. Chain Quality (CQ); with parameters $\mu \in (0, 1]$ and $k \in \mathbb{N}$. Consider any portion of length at least k of the chain possessed by an honest party at the onset of a round; the ratio of blocks originating from the adversary is at most $1 - \mu$. We call $\mu$ the chain quality coefficient.

Three Elementary Properties

3. Chain Growth (CG); with parameters $\tau \in (0, 1]$, $s \in \mathbb{N}$. Consider the chains $C_1$, $C_2$ possessed by two honest parties at the onset of two slots $sl_1$, $sl_2$ with $sl_2$ at least s slots ahead of $sl_1$. Then it holds that $\mathrm{len}(C_2) - \mathrm{len}(C_1) \geq \tau s$. We call $\tau$ the speed coefficient.

If a chain satisfies these three properties, then it can be shown that it is very difficult for an adversary to "fork" the chain; together they imply persistence and liveness. We'll show some of this analysis later.

Ouroboros Praos
Stronger Assumptions

• Semi-synchronous communication: as opposed to Ouroboros, where all honest parties communicate within the same slot, we allow the adversary A to selectively delay any message sent by honest parties for up to $\Delta \in \mathbb{N}$ slots.
• Much stronger adversary: the adversary has the ability to corrupt parties adaptively, without delay.

These conditions, especially the second one, would completely break the original Ouroboros protocol: since the leader schedule of the epoch is public, an adaptive adversary can corrupt the upcoming slot leaders as soon as the schedule is known. The only restrictions that remain are that the adversary holds a minority of the stake and that the stake shifts at a bounded rate.

Local, Private Leader Selection using VRFs

We use a cryptographic primitive called a Verifiable Random Function (VRF) to enable local and private leader selection.

Verifiable Random Function:

$\mathsf{Evaluate}_{sk}(\mathit{input}) = (\mathit{output}, \mathit{proof})$

$\mathsf{Verify}_{pk}(\mathit{input}, \mathit{output}, \mathit{proof}) \in \{0, 1\}$

Local, Private Leader Selection using VRFs

Leader selection lottery for stakeholder $U_i$:

$\mathsf{Evaluate}_{sk_i}(rnd, slot) < \phi(\mathit{stake}_i)$

where rnd is the randomness generated for that epoch, slot is the slot number, and $\phi$ is a sublinear function of the stake (the VRF output is compared against a threshold scaled to the VRF's output range). The VRF is designed such that the adversary can't generate keys that give an unfair advantage. The probability with which stakeholder $U_i$ is selected is

$p_i = \phi(\alpha_i) = 1 - (1 - f)^{\alpha_i}$

where $\alpha_i$ is the relative stake of $U_i$ and f is a parameter of the protocol (the active slots coefficient). Note that a slot may have no leader at all, or more than one leader.
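The following is an added example (not code from the paper) of the lottery above. HMAC-SHA256 under the stakeholder's secret stands in for the VRF output, since it is keyed and pseudorandom but lacks the public proof a real VRF provides; the stakes, keys, f and epoch randomness are constructed values. The example shows two things the slide only states: a slot can have zero or several leaders, with the fraction of non-empty slots close to f when the stakes sum to 1, and $\phi$ satisfies independent aggregation, so a stakeholder gains nothing by splitting stake across many keys.

```python
import hashlib
import hmac
import math

# HMAC-SHA256 keyed with the stakeholder's secret stands in for the VRF output
# (pseudorandom and keyed, but without the public proof a real VRF gives).
# Stakes, keys, f and the epoch randomness below are constructed values.
VRF_BITS = 256
TWO_POW_L = 2 ** VRF_BITS


def phi(f, alpha):
    """Praos threshold function: probability that relative stake alpha leads a slot."""
    return 1 - (1 - f) ** alpha


def vrf_stand_in(sk, rnd, slot):
    """Pseudorandom integer in [0, 2^256) for (rnd, slot) under secret key sk."""
    msg = rnd + slot.to_bytes(8, "big")
    return int.from_bytes(hmac.new(sk, msg, hashlib.sha256).digest(), "big")


def is_leader(sk, rnd, slot, alpha, f):
    """Local, private lottery: win iff the VRF output is below 2^l * phi_f(alpha)."""
    threshold = int(TWO_POW_L * phi(f, alpha))
    return vrf_stand_in(sk, rnd, slot) < threshold


def aggregation_gap(f, alphas):
    """|phi(sum alpha_i) - P(at least one of the alpha_i wins)|.  A gap of zero is
    the 'independent aggregation' property of phi: splitting stake over many keys,
    or pooling it under one key, does not change the chance that some key leads."""
    pooled = phi(f, sum(alphas))
    split = 1 - math.prod(1 - phi(f, a) for a in alphas)
    return abs(pooled - split)


def slot_census(stakeholders, rnd, f, slots):
    """Count slots with zero, one and several leaders.
    `stakeholders` maps a name to (secret key, relative stake)."""
    census = {"empty": 0, "single": 0, "multi": 0}
    for slot in range(slots):
        winners = sum(is_leader(sk, rnd, slot, alpha, f)
                      for sk, alpha in stakeholders.values())
        key = "empty" if winners == 0 else "single" if winners == 1 else "multi"
        census[key] += 1
    return census


STAKEHOLDERS = {                      # constructed: relative stakes sum to 1
    "alice": (b"alice-secret", 0.5),
    "bob":   (b"bob-secret",   0.3),
    "carol": (b"carol-secret", 0.2),
}
EPOCH_RND = b"constructed epoch randomness"

if __name__ == "__main__":
    f = 0.05
    print("aggregation gap:", aggregation_gap(f, [0.5, 0.3, 0.2]))
    print("slot census over 10000 slots:", slot_census(STAKEHOLDERS, EPOCH_RND, f, 10_000))
```

With f = 0.05 and total stake 1, the probability that nobody leads a slot is $\prod_i (1 - p_i) = (1-f)^{\sum_i \alpha_i} = 0.95$, so about 5 % of slots are active, and a small share of those have two or more leaders.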

Key Evolving Signature

We use another cryptographic primitive called a Key Evolving Signature (KES). It's a signature scheme in which:

• A public-private key pair, pk and sk, is generated.
• After sk has been used to sign in a time period, it is deleted and a new secret key sk′ for the next period is derived from it.
• The corresponding public key pk remains the same.
• An adversary who obtains the current secret key cannot forge signatures for earlier periods.

Hashing for Dirty Randomness - Solving Rejection Sampling

Recall the simple solution proposed in the beginning. Using the two primitives above, we can reuse that solution without the adversary being able to do rejection sampling. Every block contains an additional VRF value produced by the leader; because this value is fixed by the leader's key and the slot, the leader cannot change it by re-sampling the block's contents. The blocks of the epoch (or the blockchain) are then hashed to provide the randomness for the next epoch. We don't need any multi-party computation for randomness anymore.

Security Analysis
Definitions

Genesis Block: The genesis block $B_0$ contains the list of stakeholders identified by a label $U_i$, their respective public keys and respective stakes:

$S_0 = \big((U_1, v_1^{vrf}, v_1^{kes}, v_1^{dsig}, s_1), \ldots, (U_n, v_n^{vrf}, v_n^{kes}, v_n^{dsig}, s_n)\big)$

Definitions

Block: A block $B = (sl_j, st, d, B_\pi, \sigma_j)$ generated at a slot $sl_j \in \{sl_1, \ldots, sl_R\}$ contains the current state $st \in \{0, 1\}^\lambda$ (hash of the previous block), data $d \in \{0, 1\}^*$, the slot number $sl_j$, a block proof $B_\pi$ and $\sigma_j$, a signature on $(st, d, sl_j, B_\pi)$ under the signing key for the time period of slot $sl_j$ of the stakeholder $U_i$ generating the block.

Definitions

Characteristic String: Let $S = \{sl_1, \ldots, sl_R\}$ be a sequence of slots of length R. For a slot $sl_j$, let $P(j)$ denote the set of parties assigned to be slot leaders for slot j. We define the characteristic string $w \in \{0, 1, \bot\}^R$ of S to be the random variable such that

$w_j = \begin{cases} \bot & \text{if } P(j) = \emptyset \\ 0 & \text{if } |P(j)| = 1 \text{ and the assigned party is honest} \\ 1 & \text{if } |P(j)| > 1 \text{ or a party in } P(j) \text{ is adversarial} \end{cases}$

We denote by $D^f_{Z,A}$ the distribution of the random variable $w = w_1 \ldots w_R$ with the active slots coefficient f, adversary A and environment Z.

Definitions

$\Delta$-fork: Let $w \in \{0, 1, \bot\}^k$ and $\Delta$ be a non-negative integer. Let $A = \{i \mid w_i \neq \bot\}$ denote the set of active indices and $H = \{i \mid w_i = 0\}$ the set of uniquely honest indices. A $\Delta$-fork for the string w is a directed rooted tree $F = (V, E)$ with a labelling $l : V \to \{0\} \cup A$ so that (i) the root $r \in V$ is given the label $l(r) = 0$; (ii) each edge of F is directed away from the root; (iii) the labels along any directed path are strictly increasing; (iv) each uniquely honest index $i \in H$ is the label of exactly one vertex of F; (v) the function $d : H \to \{1, \ldots, k\}$ defined so that $d(i)$ is the depth in F of the unique vertex v for which $l(v) = i$, satisfies the following $\Delta$-monotonicity property: if $i, j \in H$ and $i + \Delta < j$, then $d(i) < d(j)$.

Delta Fork

Figure 1: A 3-fork. source - research paper

Semisynchronous to Synchronous Reduction

A semi-synchronous characteristic string (and the $\Delta$-fork it admits) can be mapped to a synchronous characteristic string, which corresponds to a simple fork. The adversary's power in the mapped, synchronous setting can be shown to upper-bound its power in the semi-synchronous setting for the properties of interest: a uniquely honest slot whose block may still be in transit when the next active slot arrives is conservatively relabelled as adversarial. The mapping is defined using the function $\rho_\Delta : \{0, 1, \bot\}^* \to \{0, 1\}^*$, inductively as follows:

$\rho_\Delta(\epsilon) = \epsilon, \qquad \rho_\Delta(\bot \,\|\, w') = \rho_\Delta(w'), \qquad \rho_\Delta(1 \,\|\, w') = 1 \,\|\, \rho_\Delta(w'),$

$\rho_\Delta(0 \,\|\, w') = \begin{cases} 0 \,\|\, \rho_\Delta(w') & \text{if } w' \in \bot^{\Delta-1} \,\|\, \{0, 1, \bot\}^*, \\ 1 \,\|\, \rho_\Delta(w') & \text{otherwise.} \end{cases}$

A Simple Fork

Figure 2: A simple fork. source - research paper

Conclusion

A rigorous analysis can be carried out on the simple fork construct, in an environment Z with the ideal functionalities $F_{vrf}$, $F_{kes}$ and the other cryptographic primitives, to show that the k-Common Prefix, Chain Quality and Chain Growth properties are satisfied. Thus, persistence and liveness are satisfied.

Experiment Results - Ouroboros

Figure 3: Transaction confirmation times in minutes that achieve 99.9% assurance against a hypothetical double spending attack with different levels of adversarial power. Source: https://eprint.iacr.org/2016/889.pdf

Thank You!
