|
| 1 | +# Ouroboros Peras as an abstract protocol |
| 2 | + |
| 3 | +## Preliminaries |
| 4 | + |
| 5 | +### Adversary |
| 6 | + |
| 7 | +Conservatively, we assume a single coordinated adversary. |
| 8 | + |
| 9 | +### Time |
| 10 | + |
| 11 | +Time is divided into slots, and we assume that all parties have access to a perfectly synchronized clock indicating the current slot. |
| 12 | + |
| 13 | +### Network |
| 14 | + |
| 15 | +We assume that all parties can diffuse arbitrary messages via an abstract network functionality. |
| 16 | +The network is $\Delta$-semi-synchronous, which means: |
| 17 | + |
| 18 | + - If an honest party diffuses a messages in slot $s$, all other honest parties receive that message no later than in slot $s + \Delta$. |
| 19 | + - The adversary gets to decide the delay for each honest party individually, subject to the above constraint. |
| 20 | + |
| 21 | +### Stake |
| 22 | + |
| 23 | +Each party has some amount of stake $\sigma$. |
| 24 | +The adversary is assumed to control parties having less than 50% of all stake. |
| 25 | + |
| 26 | +### Leader schedule |
| 27 | + |
| 28 | +A party with stake $\sigma$ is elected in any given slot with probability $\phi(\sigma) = 1 - {(1-\mathrm{asc})}^\sigma$ (independent events for different slots). |
| 29 | + |
| 30 | +### Transactions |
| 31 | + |
| 32 | +We assume that all honest parties have access to some source of transactions. |
| 33 | + |
| 34 | +## Praos |
| 35 | + |
| 36 | +### Fundamental properties |
| 37 | + |
| 38 | +#### Common Prefix |
| 39 | + |
| 40 | +Let $C_1,C_2$ be the chains adopted by two parties at slot $s_1 \le s_2$. |
| 41 | +Let $C_1'$ be the the chain obtained by removing the last `kcp` blocks from $C_1$. |
| 42 | +Then $C_1'$ is a prefix of $C_2$. |
| 43 | + |
| 44 | +#### Chain Growth |
| 45 | + |
| 46 | +Consider a chain $C$ selected by an honest party. |
| 47 | +Then any window of slots of size $T_{cp}$ ending before the tip of $C$ contains at least `kcp` blocks. |
| 48 | + |
| 49 | +#### Chain Quality |
| 50 | + |
| 51 | +Consider a chain $C$ selected by an honest party. |
| 52 | +Then any window of slots of size $T_{cq}$ ending before the tip of $C$ contains at least one honest block. |
| 53 | + |
| 54 | +### Protocol description |
| 55 | + |
| 56 | +#### State |
| 57 | + |
| 58 | + - The currently selected (best) chain $C_{\mathrm{pref}}$, initialized at the empty chain rooted at Genesis. |
| 59 | + - The set of chains $\mathcal{C}$ received so far, initialized at the singleton set containing the empty chain rooted at Genesis. |
| 60 | + |
| 61 | +#### Logic |
| 62 | + |
| 63 | +At the beginning of every slot, every honest party does the following: |
| 64 | + |
| 65 | +##### Fetching chains |
| 66 | + |
| 67 | + 1. Add all new valid chains to $\mathcal{C}$. |
| 68 | + 2. Remove all chains from $\mathcal{C}$ that intersect with $C_{\mathrm{pref}}$ more than `kcp` blocks in the past. |
| 69 | + 3. Set $C_{\mathrm{pref}}$ to the longest chain in $\mathcal{C}$. |
| 70 | + |
| 71 | +##### Forging |
| 72 | + |
| 73 | + 1. Check if the party is elected in the current slot. |
| 74 | + 2. If so, extend $C_{\mathrm{pref}}$ with a new block with as many transactions as possible. |
| 75 | + 3. Diffuse $C_{\mathrm{pref}}$. |
| 76 | + |
| 77 | +## Peras |
| 78 | + |
| 79 | +### Committees, votes and certificates |
| 80 | + |
| 81 | +Time is divided into consecutive *rounds* for Peras, each of size `perasRoundSlots` in terms of slots. |
| 82 | + |
| 83 | +Every round has a *weighted committee*, ie a set of parties with associated weights (summing to one). |
| 84 | +The core requirement is that the adversary always has less than 50% of the weight. |
| 85 | + |
| 86 | +Every party that is part of the committee of a round can cast a vote for a particular block. |
| 87 | + |
| 88 | +A certificate for a round is a (representation of a) collection of votes with at least 75% weight, all voting for the same block. |
| 89 | +By a quorum intersection argument, there can be at most one certificate per round. |
| 90 | + |
| 91 | +### Fundamental properties |
| 92 | + |
| 93 | +Like for Praos, but now with weight instead of the number of blocks: |
| 94 | + |
| 95 | +#### Common Prefix |
| 96 | + |
| 97 | +Let $C_1,C_2$ be the chains adopted by two parties at slot $s_1 \le s_2$. |
| 98 | +Let $C_1'$ be the the chain obtained by removing blocks from $C_1$ until we reach a block that was buried under weight `kcp`. |
| 99 | +Then $C_1'$ is a prefix of $C_2$. |
| 100 | + |
| 101 | +#### Chain Growth |
| 102 | + |
| 103 | +Consider a chain $C$ selected by an honest party. |
| 104 | +Then any window of slots of size $T_{cp}$ ending before the tip of $C$ contains blocks having at least weight `kcp`. |
| 105 | + |
| 106 | +#### Chain Quality |
| 107 | + |
| 108 | +Consider a chain $C$ selected by an honest party. |
| 109 | +Then any window of slots of size $T_{cq}$ ending before the tip of $C$ contains at least one honest block. |
| 110 | + |
| 111 | +#### State |
| 112 | + |
| 113 | + - The currently selected (best) chain $C_{\mathrm{pref}}$, initialized at the empty chain rooted at Genesis. |
| 114 | + - The set of chains $\mathcal{C}$ received so far, initialized at the singleton set containing the empty chain rooted at Genesis. |
| 115 | + - The set of votes $\mathcal{V}$ received so far |
| 116 | + - The set of certificates $\mathrm{Certs}$ received so far, as well as the respective arrival/emergence slots. |
| 117 | + |
| 118 | +For convenience: |
| 119 | + |
| 120 | + - The most recent certificate $\mathrm{cert}'$. |
| 121 | + - The most recent certificate $\mathrm{cert}^*$ on $C_{\mathrm{pref}}$. |
| 122 | + |
| 123 | +#### Logic |
| 124 | + |
| 125 | +At the beginning of every slot $s$, every honest party does the following: |
| 126 | + |
| 127 | +##### Fetching |
| 128 | + |
| 129 | + 1. Add all new valid chains to $\mathcal{C}$, and all new valid votes to $\mathcal{V}$. |
| 130 | + 2. Add all certificates in $\mathcal{C}$ to $\mathrm{Certs}$. |
| 131 | + 3. Turn any quorum in $\mathcal{V}$ into a certificate, and add it to $\mathrm{Certs}$. |
| 132 | + 2. Remove all chains from $\mathcal{C}$ that intersect with $C_{\mathrm{pref}}$ more than `kcp` weight in the past. |
| 133 | + 3. Set $C_{\mathrm{pref}}$ to the weightiest chain in $\mathcal{C}$. |
| 134 | + |
| 135 | +##### Forging |
| 136 | + |
| 137 | + 1. Check if the party is elected in the current slot, otherwise, abort. |
| 138 | + 2. If so, extend $C_{\mathrm{pref}}$ with a new block |
| 139 | + - with as many transactions as possible, and |
| 140 | + - with $\mathrm{cert}'$ if |
| 141 | + 1. there is no round-$`(r-2)`$ certificate in $\mathrm{Certs}$, and |
| 142 | + 2. $r - \mathrm{round}(\mathrm{cert}') \le \mathrm{perasCertMaxRounds}$, and |
| 143 | + 3. $\mathrm{round}(\mathrm{cert}') > \mathrm{round}(\mathrm{cert}^*)$, |
| 144 | + where $r$ is the current round. |
| 145 | + 3. Diffuse $C_{\mathrm{pref}}$. |
| 146 | + |
| 147 | +##### Voting |
| 148 | + |
| 149 | + 1. Check if $s$ is the first slot of a round $r$, otherwise, abort. |
| 150 | + 2. Check if the party is part of the committee of round $r$, otherwise, abort. |
| 151 | + 2. Let $B$ be the block to potentially vote for, given by the most recent block on $C_{\mathrm{pref}}$ that is at least $\mathrm{perasBlockMinSlots}$ older than $s$. |
| 152 | + 3. Check if either (VR-1A) and (VR-1B), or (VR-2A) and (VR-2B) are satisfied, otherwise abort. |
| 153 | + - (VR-1A): $\mathrm{round}(\mathrm{cert}') = r - 1$, and $\mathrm{cert}'$ was received within the first $X$ slots of round $r-1$. |
| 154 | + - (VR-1B): $B$ extends the block boosted by $\mathrm{cert}'$. |
| 155 | + - (VR-2A): $r \ge \mathrm{round}(\mathrm{cert}') + \mathrm{perasIgnoranceRounds}$. |
| 156 | + - (VR-2B): $r = \mathrm{round}(\mathrm{cert}^*) + c \cdot \mathrm{perasCooldownRounds}$ for some $c>0$. |
| 157 | + 3. Diffuse a vote for $B$. |
0 commit comments