Ouroboros Genesis is a highly anticipated upgrade to the consensus protocol of Cardano. This update to the current Ouroboros Praos protocol is designed to address the issues of costless simulation and the bootstrapping problem and mitigate the threat of long-range attacks in a decentralized, open environment. None of the current PoS blockchains has these capabilities.
So let’s start from the basics to understand this topic from a first principles perspective!
How does bitcoin work?
Bitcoin uses an immutable transaction ledger with strong security guarantees through proof-of-work (PoW). The use of proof-of-work (PoW), provides a high level of security through cryptographic hash functions and enables a decentralized network structure that allows for dynamic availability.
Despite its strong security guarantees, the widespread adoption of Bitcoin has highlighted some serious limitations, particularly in terms of energy efficiency and composability.
The Inefficiency of Proof-of-Work and the Limitations of Composability
PoW relies on a system of puzzle-solving that becomes increasingly difficult as more parties join the network. This means that the more people want to participate in Bitcoin, the more computing power is required to secure the network. This leads to an ever-increasing demand for energy, which has become a major concern for the future of the network.
Composability issues refer to the ability of different protocols or systems to work together seamlessly without introducing unintended consequences or breaking their intended functionality. In the context of proof-of-work (PoW) blockchain systems like Bitcoin, composability issues can arise when other protocols or systems rely on solving the same cryptographic puzzle-solving procedure as the Bitcoin mining process. This can lead to a miner potentially being able to double the value of their effort by using the same hash query for both the other protocol and for Bitcoin. This can lead to inefficiencies and potential security vulnerabilities in the overall system.
Proof of Stake (PoS) as an Alternative
Due to these limitations of PoW, the search was on for an alternative mechanism to secure the ledger and improve the efficiency of the network. This led to the introduction of proof-of-stake (PoS) systems, which use virtual resources (stake) instead of physical resources (hashing power) to secure the network.
PoS systems are based on the idea that, instead of requiring computing power to extend the blockchain, parties are given the opportunity to do so according to the number of coins they own. This has the potential to improve scalability and energy efficiency while preserving the basic security features of a robust transaction ledger.
Several PoS-based proposals have been developed over time with formal security proofs that demonstrate that they achieve a well-defined set of desirable properties. While PoS has the potential to improve the efficiency and scalability of the network, it does come with some trade-offs. In particular, these protocols can restrict the dynamic availability of participants compared to PoW-based systems.
So what is dynamic availability?
Dynamic availability refers to a system’s ability to remain accessible and usable even as conditions change, such as an increasing number of users or changes in network conditions. In a dynamic availability system, resources and capabilities can be adjusted or reconfigured in real-time to meet changing demands. This allows for a system to remain available and usable even as conditions change, as opposed to becoming unavailable or unreliable.
Dynamic availability in the context of Bitcoin refers to the ability of parties (nodes) to join or leave the network in a flexible, constantly changing manner without disrupting the overall functioning of the network.
This is made possible due to the ability of the network to dynamically adjust its computing power to maintain a consistent and stable level of security despite changes in the number of participating nodes and their computing power.
As more participants join the network and add computational power, the difficulty of these mathematical problems increases and vice versa, ensuring that the network remains secure and resilient against malicious actors. As a result, the Bitcoin network has dynamic availability, as it can adapt to changing conditions and maintain its security and stability over time.
At present, none of the PoS blockchain systems have the ability to provide dynamic availability. To comprehend this, we need to delve deeper into the functioning of PoW.
Understanding the Fundamentals of Proof-of-Work (PoW)
PoW uses computational resources, specifically the process of hashing, to produce new blocks.
Meaning adding a block to the Bitcoin blockchain requires using processing power, resulting in energy consumption for each block added to the chain.
The difficulty of producing a chain increases with its length, making it computationally expensive to produce blocks.
Meaning adding blocks to a blockchain requires processing power, so a longer blockchain uses more energy, and nodes will always choose it over a shorter one.
This expense, which is in the form of electricity costs, prevents dishonest nodes from producing multiple different blocks. As a result, nodes will always adopt the chain with the most energy consumed, commonly referred to as the “longest chain”.
This makes it easier for the new nodes joining the system to select the honest chain, which in turn allows the network (validators) to join and leave the network at any given time. In short, this enables the dynamic availability of the Bitcoin network.
The Fundamental drawbacks of PoS Protocols
Proof of Stake protocols, while seen as more energy efficient than Proof of Work, come with their own unique set of security concerns. Among these are the nothing-at-stake problem / costless simulation.
As no physical resources are needed to produce blocks in PoS, it is possible to build an alternative history of the blockchain and create multiple competing chains at no cost, unlike in PoW where energy costs must be incurred for each competing chain.
Nothing at Stake / Costless Simulation
The nothing-at-stake problem, also known as costless simulation, occurs when a block producer evaluates the likelihood of two branches A and B, of a blockchain and decides to work on both rather than just one.
This results in the block producer having a higher expected reward and no chain containing the highest stake, leading to the network not reaching a consensus on the canonical branch.
Long-Range Attacks are a type of attack in which a validator incurs no risk of loss from misbehavior. The attacker builds a long chain by forking from an earlier point in the primary blockchain and continues to add blocks to this chain. This makes it difficult for new participants to determine which chain to support.
To mitigate this, checkpoints are established along the blockchain. Trusted blocks are designated as checkpoints, and any fork starting before a checkpoint is considered invalid.
However, for new participants or validators who have been offline for a period of time, it can be difficult to determine the longest chain, making them vulnerable to joining a malicious chain. This gives rise to the “Bootstrapping Problem”.
Basically, the Bootstrapping Problem refers to the issue of new validators joining the network and potentially joining the malicious chain, increasing the network’s vulnerability to long-range attacks.
How PoS-BFT (Ethereum, Algorand, etc) protocols try to solve the problem of costless simulation
In PoS BFT protocols, the consensus is reached among the nodes running the protocol on all blocks, eliminating the occurrence of forks, as each block produced receives sufficient agreement. This eliminates the need for resolving disagreements.
However, in order to effectively operate the protocol must be aware of the level of participation of nodes in the network at any given time. This means with PBFT; you throw away dynamic availability. Because it’s impossible to make the network dynamically available and also know the level of participation at the same time.
On top of that, Ethereum attempts to tackle malicious behavior within its network by implementing measures such as freezing staked coins and imposing penalties through coin slashing. While this approach may deter malicious activity, it also restricts the ability of honest participants to use their coins and exposes them to the risk of penalties, disincentivizing the involvement of honest parties with smaller stakes in the network and thereby decreasing the decentralization of the network.
Costless Simulation: How Cardano is Tackling It
Ouroboros Praos is the current consensus mechanism used in Cardano, and it takes a different approach to ensure the security and integrity of the network compared to traditional consensus mechanisms like Proof of Work (PoW) or PoS-BFT protocols.
The Key to Security: Verifiable Random Function (VRF)
Ouroboros Praos uses a Verifiable Random Function (VRF) to elect a node as the slot leader for each block.
Before each epoch, a stake distribution snapshot is taken, which is used throughout the election. The previous epoch’s randomness seed is used as input for the VRF of each node to generate a pseudo-random number. The node with the highest number becomes the slot leader and creates the block, encrypting the number into the block header.
All other nodes use their own VRF to validate the election outcome. The outcome of the slot leader election is not revealed until the block is signed or the node wins itself.
Preventing Malicious Behavior
If a node is due to create a block but is offline, the opportunity simply passes, and other nodes are unaware. Attempts by another node (e.g. attacker) to create the block will be recognized as invalid by the network. This helps in ensuring honest behavior from the short-range perspective.
At the end of each epoch, all the numbers encrypted into the block headers are combined and used to calculate the randomness seed for the next epoch. This creates an endless cycle of stake distribution snapshot, VRF, and randomness seed calculation that repeats throughout each epoch.
The current chain selection rule
The blockchain is maintained through the longest chain rule, meaning that leaders add a block to the end of the longest chain they have observed and then broadcast it to the network.
In Ouroboros praos, nodes only update their local chain if the new chain, besides being longer, does not fork by more than “k” blocks from the local chain [bounded-depth rule].
Drawbacks of the simple longest chain rule in PoS setting
The method in which the longest chain rule operates in proof-of-stake (PoS) protocols like Ouroboros Praos is not the same as it does in proof-of-work (PoW) blockchains. Despite the fact that PoS protocols help to maintain honest behavior and provide information from a trusted node to offline nodes, they are still susceptible to long-range attacks.
In the event of unforeseen circumstances like a system crash or network outage where the number of online nodes decreases, PoS blockchains are unable to adjust their security and continue producing blocks, resulting in a halt.
This requires an extra layer of trust for the secure operation of the system, which is not ideal for a decentralized and permissionless network. As a result, the protocol cannot function in an environment that allows for the arbitrary invocation of parties for execution.
Solving the Bootstrapping Problem with Ouroboros Genesis: Introducing the Plenitude Rule
The Plenitude Rule is a new chain selection rule introduced with Ouroboros Genesis. It solves the bootstrapping problem by selecting the version of the chain with the most dense block distribution after the point where the chains diverge from each other.
How the Plenitude Rule Works
Plenitude Rule : Researchers have observed that, if the majority of parties follow the protocol, then at any sufficiently long time segment, the corresponding chain will be more dense, especially after a fork. They were able to prove that adversarial blockchains shortly after the divergence point will exhibit a less dense block distribution. Use this rule to determine what is the right blockchain to connect to.
The Plenitude Rule makes it impossible for a single node to create a fake chain and helps prevent long-range attacks. When multiple chains of similar length are available, the Plenitude Rule looks for the point at which the chains diverge regarding their block distribution.
It then divides the most recent past from the history of the chain into periods and determines for which version the block distribution after the divergence point is the most dense — which is the chain that will be selected.
Benefits of the Plenitude Rule
Due to the Plenitude Rule, nodes that are new to the network or have been offline for a while can (re)join and be guaranteed to download the correct version of the chain, as long as there are enough honest parties.
This solves the bootstrapping problem and helps prevent long-range attacks. Furthermore, the Plenitude Rule makes it possible to guarantee that no one can counterfeit their way into creating a block during someone else’s slot, making it impossible for a single node to create a fake chain.
Why Ouroboros Genesis will make Cardano More Secure than Other PoS Protocols
The upcoming update of the Ouroborus protocol, “the Genesis version”, is the first PoS protocol that is mathematically proven to guarantee persistence and liveness in both synchronous and semi-synchronous settings, under the assumption of an honest majority participating, just like Bitcoin.
As a result, Ouroboros Genesis will make Cardano more secure than other PoS protocols that require at least 2/3 honest participants (e.g. Ethereum Casper, Algorand) and is equally secure as Bitcoin, but with much lower energy expenditure and better performance.
Very nice article about the main changes with Ouroboros Genesis Changes. Thanks, Sooraj!