Cardano's Ouroboros: Proving Proof of Stake can work in the wild
Aggelos Kiayias, the Chief Scientist at IOHK, aims to provide the first theoretical analysis of PoS.
Ouroboros is a Proof of Stake (PoS) consensus system, which is the backbone of the Cardano blockchain.
Bitcoiners sometimes say the technical challenge of making PoS work securely and at scale is a bit like building a time machine – a technical problem, yes, but one that will never be solved.
In return, PoS proponents say mining Bitcoin transactions using proof of work is a gargantuan waste of energy and not in any way sustainable, or desirable.
The core idea of Proof of Stake is that, instead of nodes solving computationally heavy problems, a node is selected to generate (or "mint") a new block with a probability proportional to the amount of coins it holds. A node with positive (> 0) stake is called a "stakeholder". A node that is chosen to mint a new block is called a "slot leader".
At the heart of Ouroboros is a way of ensuring randomness when it comes to electing slot leaders. There's a kind of lottery whereby any stakeholder can become a slot leader, but an important idea of PoS is that the more stake a stakeholder has, the more chances they have to be elected as a slot leader.
Ouroboros uses a multiparty computation (MPC) approach to achieve this randomness, where each elector independently performs a "coin tossing" action and after that shares results with other electors. The idea is that results are randomly generated by each elector, but eventually they agree on the same final value.
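The two ideas above, joint coin tossing and stake-weighted election, can be sketched as follows. This is an added example, not IOHK's code: it uses a plain SHA-256 commit-and-reveal as a simplified stand-in for the MPC coin tossing, and the function names and sample stakes are hypothetical.

```python
import hashlib
import secrets

def commit(value: bytes, nonce: bytes) -> bytes:
    """Hash commitment to a 32-byte coin toss, published before any reveal."""
    return hashlib.sha256(nonce + value).digest()

def combine(commitments: dict, reveals: dict) -> bytes:
    """Check every opening against its commitment, then XOR the tosses."""
    seed = bytes(32)
    for name in sorted(commitments):
        if name not in reveals:
            raise ValueError(f"{name} withheld their reveal")
        value, nonce = reveals[name]
        if len(value) != 32 or len(nonce) != 32 or commit(value, nonce) != commitments[name]:
            raise ValueError(f"{name} opened a value they did not commit to")
        seed = bytes(a ^ b for a, b in zip(seed, value))
    return seed

def slot_leader(seed: bytes, slot: int, stakes: dict) -> str:
    """Pick one coin out of the total stake; its owner leads the slot."""
    total = sum(stakes.values())
    digest = hashlib.sha256(seed + slot.to_bytes(8, "big")).digest()
    ticket = int.from_bytes(digest, "big") % total
    for name in sorted(stakes):
        if ticket < stakes[name]:
            return name
        ticket -= stakes[name]
    raise AssertionError("unreachable: ticket is below total stake")

def run_round(stakes: dict):
    """One constructed round: every stakeholder commits, reveals, and combines."""
    electors = [n for n, s in stakes.items() if s > 0]
    reveals = {n: (secrets.token_bytes(32), secrets.token_bytes(32)) for n in electors}
    commitments = {n: commit(v, r) for n, (v, r) in reveals.items()}
    return combine(commitments, reveals), commitments, reveals

# Constructed sample stake distribution (coins per node); dave holds none.
SAMPLE_STAKES = {"alice": 60, "bob": 30, "carol": 10, "dave": 0}

if __name__ == "__main__":
    seed, _, _ = run_round(SAMPLE_STAKES)
    wins = {n: 0 for n in SAMPLE_STAKES}
    for slot in range(10_000):
        wins[slot_leader(seed, slot, SAMPLE_STAKES)] += 1
    print(wins)  # leader counts track each node's share of the stake
```

Every elector who holds the same commitments and reveals derives the same seed, and a changed opening is rejected. The sketch simply rejects the round when an elector withholds their opening, which is the case a production protocol has to handle without letting that elector steer the result.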
IOHK, the creator of Cardano, is known for leveraging academics (notably quite a lot from Scottish universities) to tackle tough blockchain problems. Aggelos Kiayias, the Chief Scientist at blockchain technology company IOHK, is also director of the Blockchain Technology Laboratory at the University of Edinburgh. He is the man behind Ouroboros, which he says aims to provide the first theoretical analysis of PoS.
Kiayias said: "In all these PoS protocols it's critical that participation is not completely determined. And it's very important that this randomness cannot come from a specific trusted source. An important characteristic of this process is that there should be no participant or set of participants if you want, that is capable of biasing this randomness selection to their favour."
In other words, there cannot be one particular server which is going to emit a random string to determine the schedule. That would introduce a single point of failure in the protocol; basically whoever hacks that server can completely determine the schedule.
All PoS protocols have to produce randomness in one way or another. Kiayias warns that it's very easy to have a process that produces something that might seem unpredictable, but one must be able to demonstrate there are no biasing capabilities. "One of the main objectives we had in Ouroboros was to prove that the protocol actually produces unbiased randomness," he said.
On the subject of proof of work (PoW), one of its singular virtues is its completely permissionless design where, in principle, there is no barrier to participating except having a computer system that is capable of doing computational work.
Kiayias believes the best use case for PoW, going forward, will be to remain somehow as a set-up type of process, or something that may be done if you really have no other better way to bootstrap a blockchain.
Critics of PoS say it cannot be as secure as burning a ton of energy, like PoW does. Kiayias believes PoS is very secure from the point of view of considerations like double spending or achieving any of the properties that the Bitcoin network does.
"PoS just uses a different set up configuration, and the set up configuration is one consistent with the public key infrastructure, or with the directory of public keys," he said. "If you have a way to bootstrap, like you have a directory of keys, PoS will give you everything that Bitcoin can give you. So it's only a question about how you bootstrap the protocol; what's the initial setup of the protocol.
"Then as a matter of fact you could use anything you want, anything you believe is trusted infrastructure. I include Bitcoin itself; it's possible to just have a PoS blockchain spring out of Bitcoin and then just let Bitcoin rest as it is."
When most people think about PoS, they think about Ethereum's Casper algorithm. Kiayias said in regard to this: "The white paper points to some general directions about how the protocol might work; some general philosophy about how it should be done. But it doesn't actually commit to a final protocol that could be used for comparison.
"What is central in the logic of the protocol is a way to penalise people that divert from the protocol. This goes back to the question of what is the right incentive structure of these systems."
Kiayias said the Ouroboros incentives are still under active development. "We gave a thorough analysis of the capabilities of a covert adversary (one that is afraid to be caught cheating because of a penalty) compared to an adversary that is not afraid of getting caught.
"In general, incorporating penalties is a possibility, but it will only be used if it is completely justifiable within a thorough game theoretic model that includes Nash equilibrium and incentive compatibility analysis. We are actively developing this research now and soon we will have a white paper that explains how incentives will be implemented," he said.