aggelos kiayias - blockchain foundations · 2017-05-01 · ouroboros : static stake b 0 u 1,s 1 u...
TRANSCRIPT
![Page 1: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/1.jpg)
Ouroboros: A Provably Secure Proof-of-Stake Blockchain Protocol
AggelosKiayias
Based joint work with Alexander Russell Bernardo David
Roman Oliynykov INPUT | OUTPUT
ouroboros
![Page 2: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/2.jpg)
Bitcoin
a remarkable solutionbut to what problem?
![Page 3: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/3.jpg)
Towards a Science of Blockchain Systems
protocol solutions (like the bitcoin protocol)
objectives, (e.g., robust transaction ledger)
re-evaluate objectives & hypotheses
explore the protocol design
space
protocols
assumptions
distinguish
from
![Page 4: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/4.jpg)
Analysing the Bitcoin Backbone [Garay, K, Leonardos, 2014, http://eprint.iacr.org/2014/765]
bitcoin backbone = abstraction of “core” bitcoin protocol
[GKL] provides proof of security in
static model
is this the best solution under the
same assumptions?backbone protocol
PoW/ Random Oracle
what are other assumptions &
hypotheses that may be used
robust transaction ledger = persistence / liveness
![Page 5: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/5.jpg)
Protocol Design Challenges
is this the best solution under the
same assumptions?
what are other assumptions &
hypotheses that may be used
bitcoin is slow
bitcoin has high energy consumption
~2000 tps~100 tps
~7-8 tps350MW
![Page 6: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/6.jpg)
Robust Transaction Ledger What are the alternative ways to meet the main objectives?
once a tx is confirmed by a node, any other node that reports it will agree with its placement in the ledger
broadcasting a tx to the network will result to it being confirmed by the nodes
Robust Transaction
Ledger
persistence
liveness
![Page 7: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/7.jpg)
How to implement a Robust Transaction Ledger
centralized database
Byzantine Agreement Protocols
bitcoin
decentralisation
perfo
rman
ce /
ener
gy e
ffici
ency ?
![Page 8: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/8.jpg)
Proof of Stake Motivationgenerating the next block in bitcoin is like an election
A miner is elected with probability proportional to its hashing power. Collisions may occur but they can be resolved by the longest chain rule
![Page 9: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/9.jpg)
Proof of Stake Use stake instead of hashing power.
Define the set of miners to be the set of all stakeholders, as reported in the ledger.
Use a randomised process that takes the current stake into account to elect the next miner eligible to produce a block.
![Page 10: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/10.jpg)
How to implement a Robust Transaction Ledger
centralized database
Byzantine Agreement Protocols
bitcoin
decentralisation
perfo
rman
ce /
ener
gy e
ffici
ency
Proof of Stake
Initial stakeholder distribution should have honest majority, but this can shift over time
- no PoW barrier - you can run the blockchain at maximum synchronization speed
![Page 11: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/11.jpg)
PoS Based Cryptocurrencies
• Nxt
• Blackcoin
• Peercoin (PPCoin)
• Neucoin
• Many others…
![Page 12: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/12.jpg)
PoS Design Ideas (1)
• PeerCoin, NXT
• Eligibility to issue a block is based on a hash value that depends on current chain
• Level of stake of stakeholder calibrates eligibility so that, e.g., higher stake results in more frequent eligibility.
![Page 13: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/13.jpg)
PoS Design Ideas (2)
• [BentovGabizonMizrahi16] attempt a more principled approach as follows:
• Stakeholders are elected based on their stake.
• Collective coin flipping is used to seed the stakeholder distribution.
![Page 14: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/14.jpg)
PoS woes• Grinding attacks. The adversary may try to bias the
random election process in its favor.
• Nothing-at-stake. the adversary may try multiple alternative histories (even from any point in the past), thus, simple “longest chain wins” is meaningless assuming stake shifts over time.
• Circularity. even if coin flipping is used to inject fresh randomness, it can be proven secure assuming there is agreement between the participants. Given that the blockchain is used for agreement, how we can avoid circularity in the security argument?
![Page 15: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/15.jpg)
Our Contributions• Formalisation:
• Modeling the PoS design challenge.
• Construction:• Ouroboros: A PoS-based Robust Transaction Ledger.
• Proof strategy:• Show agreement works for a small interval via a
combinatorial argument for static stake. Then, exploit this short agreement opportunity to run an MPC protocol that will be used to bootstrap the process.
![Page 16: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/16.jpg)
Ouroboros : Static Stake
B0
U1,s1
Un,sn R
…
E1 E2 E3 E4 E5
…
E6 Ek
B1 B2 B3 B4 Bm
weighted by stake sampling
F(R)
Blocks:
Slots:Elected
Leaders:
T1
Tn st1
SIG by E2
…Block Content:
T1
Tn st2
SIG by E3
… T1
Tn st3
SIG by E5
… T1
Tn st4
SIG by E6
…T1
Tn stn
SIG by Ek
…
![Page 17: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/17.jpg)
Weighted-by-stake Sampling
S1S2
Sx,adr2
S3 Sy,adr3
Sk Si,adr2
Sn Sz,adr1
… …
F(seed) iStakeholder
Winner!
![Page 18: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/18.jpg)
Security Properties• Common Prefix:
• Chain Quality:
• Chain Growth:
8r1, r2, (r1 r2), P1, P2, with C1, C2 : Cdk1 � C2
Parameters µ 2 (0, 1), k 2 N
produced by the adversary is less than µkThe proportion of blocks in any k-long subsequence
Parameters ⌧ 2 (0, 1), s 2 N
r2 � r1 � s =) |C2|� |C1| � ⌧s8r1, r2 honest player P with chains C1, C2
![Page 19: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/19.jpg)
Common Prefix: will honest players converge?
![Page 20: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/20.jpg)
“Forkable” Stringsw 2 {0, 1}⇤ wi =
(0
1
i-th slot belongs to an honest party
i-th slot belongs to a malicious coalition
![Page 21: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/21.jpg)
Forkable Density
Theorem. (1) There are no forkable strings of length n of Hamming weight ratio less than 1/3
(2) The density of forkable strings drops exponentially in n, assuming (1-ε)/2 Hamming Weight ratio.
2�⇥(pn)
![Page 22: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/22.jpg)
Covert Adversaries
The forking attacks include strategies that sign on the same slot twice.
This is not “deniable”
What is the potential to do forking in a covert / deniable way?
![Page 23: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/23.jpg)
Covert Forkable Density
Theorem. (1) The density of forkable strings drops exponentially in n, assuming (1-ε)/2 Hamming Weight ratio.
2�⇥(n)
![Page 24: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/24.jpg)
Chain Growth: does the chain grow?
![Page 25: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/25.jpg)
CG proof
As in Bitcoin, the “longest” chain wins rule, guarantees the honest parties’ chain
cannot be hindered by adversarial actions.
it will grow with a speed proportional to at least the honest stakeholders ratio.
![Page 26: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/26.jpg)
Chain Quality: are honest blocks going to be adopted by the parties?
![Page 27: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/27.jpg)
CQ Proof
By CG, observe that the rate of the honest parties chains will grow proportionally to at least the ratio of
honest stakeholders.
In any sufficiently long sequence of slots, the number of blocks that legally can be contributed the
adversary is below the bound.
![Page 28: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/28.jpg)
Ouroboros: Dynamic Stake
B0
U1,s1
Un,sn R
Bn+1
U’1,s’1
U’n,s’n R’
… …Beacon
Bn+1 …
U’’1,s’’1
U’’n,s’’n R’’
…
Beacon
R R’ R’’randomness beacon
![Page 29: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/29.jpg)
Beacon via G.O.D. coin tossing
…B2k+1 B3k
…Bk+1 B2k
Open(ri)
…B1 Bk
Commit(ri)
Deal(ri)
2kBlocks(forcommonprefixandchainquality)
2kBlocks(forcommonprefixandchainquality)
2kBlocks(forcommonprefixandchainquality)
Shareji
• For every stakeholder when each epoch starts:
Use publicly verifiable secret-sharing (PVSS) for distributing commitment openings
![Page 30: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/30.jpg)
Building Blocks• Publicly Verifiable Secret Sharing:
• [Schoenmakers99]; can be based on ECC. • Commitments, many possibilities, e.g.,
• DDH (Pedersen) Commitments: gmhr where h=gt and both r and t are random.
• Classical coin tossing ideas (Blum) paired with VSS provide a simple secure multiparty computation protocol that emulates a randomness beacon.
![Page 31: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/31.jpg)
Incentive Structure
How to incentivise parties to execute the protocol?
Introduce concept of “Input-Endorsers”
A sequence of transactions need to be endorsed in order to be included in a block.
Endorsed sequence can be included in any upcoming block up to 2k slots in the future
(inclusive).
![Page 32: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/32.jpg)
Assumptions about protocol costs
• Our Assumptions :
• Issuing blocks is easy (blocks contain only endorsed sequences of transactions, hence effort to verify transactions is passed to the endorsers).
• Expensive actions are:
• Running the GOD protocol to simulate the randomness beacon. (need to issue commitments and open them)
• Endorsing sets of transactions (need to verify them)
![Page 33: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/33.jpg)
Reward Mechanism
• Epoch based.
• After each epoch stabilizes, provide rewards for the following acts: 1) being a committee member.2) endorsing a set of inputs. 3) sending messages for the MPC protocol.
![Page 34: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/34.jpg)
Approximate Nash Equilibrium Proof
• Theorem. Ouroboros is approximate Nash-equilibrium
• Proof: Consider a coalition of rational players that deviate from the protocol specification (while everyone else, follows the protocol). => no matter the strategy, chain quality ensures that endorsed inputs, and protocol messages always make it to the chain.
• Requirement: coalition should hold less than 1/2 of stake.
![Page 35: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/35.jpg)
Dealing with online costs• The protocol requires from a a set of stakeholders
representing honest majority to be online frequently.
• We can relax this requirement, by using delegation. similar to delegative (or liquid) democracy, stakeholders can empower delegates to represent them in terms of protocol duties.
• Allows the natural formation of “stake pools” (akin to mining pools in bitcoin).
![Page 36: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/36.jpg)
Delegation Mechanism• Stakeholders can use the blockchain itself to
assign/revoke delegation rights.
• Simple approach: use proxy signatures.
• Committee selection works at the delegate level.
• A bound of, say, 1%, may be applied for committee participation. This ensures protocol costs can be kept low.
![Page 37: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/37.jpg)
Prototype Implementation• Prototype implementation in Haskell.
• PVSS using elliptic curve crypto.
• Digital signature is DSA.
• Curve secp256r1 / NIST p-256 is used.
• (the above choices are modularized and can be easily substituted).
• Geographically diverse deployment over Amazon cloud.
![Page 38: Aggelos Kiayias - Blockchain Foundations · 2017-05-01 · Ouroboros : Static Stake B 0 U 1,s 1 U n,s n R … E 1 E 2 E 3 E 4 E 5 … E 6 E k B 1 B 2 B 3 B 4 B m weighted by stake](https://reader033.vdocument.in/reader033/viewer/2022041905/5e631762ab06e55e5b0a389d/html5/thumbnails/38.jpg)
Ouroboros: A Provably Secure Proof-of-Stake Blockchain Protocol
AggelosKiayias
Based joint work with Alexander Russell Bernardo David Roman Oliynykov
for a pre-print check: http://eprint.iacr.org/2016/889 INPUT | OUTPUT
ouroboros