The DarkFi blockchain is based off proof of stake privacy focused Ouroboros Crypsinous, tunned with a discrete controller to achieve a stable supply.
Blockchain is a series of epochs: it's a tree of chains, , , , , the chain ending in a single leader per slot single finalization.
Crypsinous Blockchain is built on top of Zerocash sapling scheme, and Ouroboros Genesis blockchain. Each participant stores its own local view of the Blockchain . is a sequence of blocks (i>0), where each LEAD is a magic word, header is a metadata, and txs is a vector of transaction hash (see appendix). the Block's st is the block data, and h is the hash of that data. the commitment of the newly created coin is: , is slot timestamp, or index. is the coin's serial number revealed to spend the coin. is randomness from random oracle implemented as hash of previous epoch, id derived randomness from . is the NIZK proof of the LEAD statement.
the blockchain view is a chain of blocks, each block , while being the merkle tree structure of the validated transactions received through the network, that include transfer, and public transactions.
for , and for tuple iff:
- . note here the nonce of the new coin is deterministically driven from the nonce of the old coin, this works as resistance mechanism to allow the same coin to be eligible for leadership more than once in the same epoch.
- path is a valid Merkle tree path to in the tree with the root root.
- is a valid path to a leaf at position in a tree with a root .
- note that this process involves burning old coin , minting new of the same value + reward.
validation of proposed lead proof as follows:
- slot index is less than current slot index
- proposal extend from valid fork chain
- transactions doesn't exceed max limit
- signature is valid based off producer public key
- verify block hash
- verify block header hash
- public inputs , are hash of current consensus , and current slot
- public inputs of target 2-term approximations , are valid given total network stake and controller parameters
- the competing coin nullifier isn't published before to protect against double spending, before burning the coin.
- verify block transactions
An epoch is a vector of blocks. Some of the blocks might be empty if there is no winning leader. tokens in stake are constant during the epoch.
At the onset of each slot each stakeholder needs to verify if it's the weighted random leader for this slot.
This statement might hold true for zero or more stakeholders, thus we might end up with multiple leaders for a slot, and other times no leader. Also note that no node would know the leader identity or how many leaders are there for the slot, until it receives a signed block with a proof claiming to be a leader.
Note that , : the active slot coefficient is the probability that a party holding all the stake will be selected to be a leader. Stakeholder is selected as leader for slot j with probability , is relative stake.
see the appendix for absolute stake aggregation dependent leader selection family of functions.
the stable consensus token supply is maintained by the help of discrete PID controller, that maintain stabilized occurrence of single leader per slot.
with , , , and e is the error function.
target function is approximated to avoid use of power, and division in zk, since no function in the family of functions that have independent aggregation property achieve avoid it (see appendix).
target fuction T: is relative stake. f is tuning parameter, or the probability of winning have all the stake L is field length
s is stake, and is total stake.
This section gives further details about the structures that will be used by the protocol.
|Series of blocks consisting the Blockchain|
|Previous block hash|
|Block creation timestamp|
|Root of the transaction hashes merkle tree|
|Block leader information|
|Block owner signature|
|Nizk proof public inputs|
|competing coin's nullifier|
|randomness from the previous epoch|
|Nizk Proof the stakeholder is the block owner|
|Slot offset block producer used|
|Block producer leaders count|
|burnt coin public key|
|burnt coin commitment x coordinate|
|burnt coin commitment y coordinate|
|minted coin commitment x coordinate|
|minted coin commitment y coordinate|
|root of burnt coin commitment in burnt merkle tree|
|burn coin secret key|
|burnt coin spending nullifier|
|random seed base from blockchain|
|hash of random seed, and |
|random seed base from blockchain|
|hash of random seed and |
|first term in 2-terms target approximation.|
|second term in 2-terms target approximation.|
In the previous leader selection function, it has the unique property of independent aggregation of the stakes, meaning the property of a leader winning leadership with stakes is independent of whether the stakeholder would act as a pool of stakes, or distributed stakes on competing coins. "one minus the probability" of winning leadership with aggregated stakes is , the joint "one minus probability" of all the stakes (each with probability winning aggregated winning the leadership thus:
A non-exponential linear leader selection can be:
Linear leader selection has the dependent aggregation property, meaning it's favorable to compete in pools with sum of the stakes over aggregated stakes of distributed stakes:
let's assume the stakes are divided to stakes of value for , note that , thus competing with single coin of the sum of stakes held by the stakeholder is favorable.
A target function T with scalar coefficients can be formalized as let's assume , and then: then the lead statement is for example for a group order or l= 24 bits, and maximum value of , then lead statement:
For a stakeholder with absolute stake, it's advantageous for the stakeholder to distribute stakes on competing coins.
Inverse lead selection functions doesn't require maximum stake, most suitable for absolute stake, it has the disadvantage that it's inflating with increasing rate as time goes on, but it can be function of the inverse of the slot to control the increasing frequency of winning leadership.
The inverse leader selection without maximum stake value can be and inversely proportional with probability of winning leadership, let it be called leadership coefficient.
As the time goes one, and stakes increase, this means the combined stakes of all stakeholders increases the probability of winning leadership in next slots leading to more leaders at a single slot, to maintain, or to be more general to control this frequency of leaders per slot, c (the leadership coefficient) need to be function of the slot , i.e where is epoch size (number of slots in epoch).
The only family of functions that are isomorphic to summation on multiplication (having the independent aggregation property) is the exponential function, and since it's impossible to implement in plonk, a re-formalization of the lead statement using pairing that is isomorphic to summation on multiplication is an option.
Let's assume is isomorphic function between multiplication and addition, , thus: then the only family of functions satisfying this is the exponential function
assume there is a solution for the lead statement parameters and constants defined over group of integers. for the statement , such that S where is the maximum stake value being , following from the previous proof that the family of function having independent aggregation property is the exponential function , and , the smallest value satisfying f is , then note that since thus , contradiction.
Built on top of globally synchronized clock, that leaks the nonce of the next epoch a head of time (thus called leaky), non-resettable in the sense that the random nonce is deterministic at slot s, while assuring security against adversary controlling some stakeholders.
For an epoch j, the nonce is calculated by hash function H, as:
v is the concatenation of the value in all blocks from the beginning of epoch to the slot with timestamp up to , note that k is a persistence security parameter, R is the epoch length in terms of slots.
the randomization of the leader selection at each slot is hinged on the random , , , those three values are derived from , and root of the secret keys, the root of the secret keys for each stakeholder can be sampled, and derived beforehand, but is a response to global random oracle query, so it's security is hinged on .
to break this centralization, a decentralized emulation of functionality for calculation of: note that first transaction in the block, is the proof transaction.