Dynamic Proof of Stake

Overview

Darkfi is based off Ouroboros Crypsinous, a privacy focused proof-of-stake algorithm. Below you may find the technical specifications of DarkFi's blockchain implementation.

Blockchain

Blockchain ${\mathbb{C}}_{loc}$ is a series of epochs: it's a tree of chains, $C^1$, $C^2$, $\dots$, $C^n$, the chain of the max length in ${\mathbb{C}}_{loc}$ is the driving chain $C_{loc}$.

Crypsinous Blockchain is built on top of Zerocash sapling scheme, and Ouroboros Genesis blockchain. Each part $U_p$ stores it's own local view of the Blockchain $C_{loc}^{U_p}$. $C_{loc}$ is a sequence of blocks $B_i$ (i>0), where each $B\in C_{loc}$ $$B=(t{x}_{lead},st)$$ $$t{x}_{lead}=(LEAD,st{\overrightarrow{x}}_{ref},st{x}_{proof})$$ $st{\overrightarrow{x}}_{ref}$ it's a vector of $t{x}_{lead}$ that aren't yet in $C_{loc}$. $st{x}_{proof}=(c{m}_{\prime c},s{n}_c,ep,sl,\rho ,h,ptr,\pi )$ the Blocks' \emph{st} is the block data, and \emph{h} is the hash of that data. the commitment of the newly created coin is: $(c{m}_{c_2},r_{c_2})=COMM(p{k}^{COIN}||\tau ||v_c||{\rho }_{c_2})$, $\tau$ is the clock current time. \emph{$s{n}_c$} is the coin's serial number revealed to spend the coin. $$s{n}_c=PR{F}_{roo{t}_{sk}^{COIN}}^{sn}({\rho }_c)$$ $$\rho ={\eta }^{s{k}_{sl}^{COIN}}$$ $\eta$ is is from random oracle evaluated at $(Nonce||{\eta }_{ep}||sl)$, $\rho$ is the following epoch's seed. \emph{ptr} is the hash of the previous block, $\pi$ is the NIZK proof of the LEAD statement.

st transactions

the blockchain view is a chain of blocks, each block $B_j=(t{x}_{lead},st)$, while st being the merkle tree structure of the validated transactions received through the network, that include transfer, and public transactions.

LEAD statement

for $x=(c{m}_{c_2},s{n}_{c_1},\eta ,sl,\rho ,h,ptr,{\mu }_{\rho },{\mu }_y,root)$, and $w=(path,roo{t}_{s{k}^{COIN}},pat{h}_{s{k}^{COIN}},{\tau }_c,{\rho }_c,r_{c_1},v,r_{c_2})$ for tuple $(x,w)\in L_{lead}$ iff:

• $p{k}^{COIN}=PR{F}_{roo{t}_{sk}^{COIN}}^{pk}({\tau }_c)$.
• ${\rho }_{c_2}=PR{F}_{roo{t}_{s{k}_{c_1}}^{COIN}}^{evl}({\rho }_{c_1})$. note here the nonce of the new coin is deterministically driven from the nonce of the old coin, this works as resistance mechanism to allow the same coin to be eligible for leadership more than once in the same epoch.
• $\forall i\in \{1,2\}:DeComm(c{m}_{c_i},p{k}^{COIN}||v||{\rho }_{c_i},r_{c_i})=T$.
• \emph{path} is a valid Merkle tree path to $c{m}_{c_1}$ in the tree with the root \emph{root}.
• \emph{$pat{h}_{s{k}^{COIN}}$} is a valid path to a leaf at position $sl-{\tau }_c$ in a tree with a root $roo{t}_{sk}^{COIN}$.
• $s{n}_{c_1}=PR{F}_{roo{t}_{sk}^{COIN}}^{sn}({\rho }_{c_1})$
• $y={\mu }_y^{roo{t}_{s{k}_{c_1}}^{COIN}||{\rho }_c}$
• $\rho ={\mu }_{\rho }^{roo{t}_{s{k}_{c_1}}^{COIN}||{\rho }_c}$
• $y<ord(G){\varphi }_f(v)$ note that this process involves renewing the old coin $c_1$ who's serial number gets revealed(proof of spending), becoming an input, to $c_2$ of the same value,

transfer transaction $t{x}_{xfer}$

transfer transaction of the pouring mechanism of input: old coin, and public coin, with output: new return change coin, and further recipient coin. such that input total value $v_1^{old}+v_{pub}=v_3^{new}+v_4^{new}$ $$t{x}_{xfer}=(TRANSFER,st{x}_{proof},c_r)$$ $$st{x}_{proof}=(\{c{m}_{c_3}),c{m}_{c_4}\}),(\{s{n}_{c_2},s{n}_{c_1}\}),\tau ,root,\pi )$$ $c_r$ is forward secure encryption of $st{x}_{rcpt}=({\rho }_{c_3},r_{c_3},v_{c_3})$ to $p{k}_r$. the commitment of the new coins $c_3$, $c_4$ is: $$(c{m}_{c_3},r_{c_3})=Comm(p{k}_{p{k}_s}^{COIN}||\tau ||v_{c_3}||{\rho }_{c_3})$$ $$(c{m}_{c_4},r_{c_4})=Comm(p{k}_{p{k}_r}^{COIN}||\tau ||v_{c_4}||{\rho }_{c_4})$$

spend proof

the spend proofs of the old coins $s{n}_{c_1},s{n}_{c_2}$ are revealed.

NIZK proof $\pi$

for the circuit inputs, and witnesses

$$x=(\{c{m}_{c_3},c{m}_{c_4}\},\{s{n}_{c_1},s{n}_{c_2}\},\tau ,root)$$ $$w=(roo{t}_{s{k}_{c_1}^{COIN}},pat{h}_{s{k}_{c_1}^{COIN}},roo{t}_{s{k}_{c_2}^{COIN}},pat{h}_{s{k}_{c_2}^{COIN}},p{k}_{c_3}^{COIN},p{k}_{c_4}^{COIN},({\rho }_{c_1},r_{c_1},v_1,pat{h}_1),({\rho }_{c_2},r_{c_2},v_2,pat{h}_2),({\rho }_{c_1},r_{c_1},v_1,pat{h}_1))$$

$\pi$ is a proof for the following transfer statement using zerocash pouring mechanism.

$${\forall }_i\in \{1,2\}:p{k}_{c_i}^{COIN}=PR{F}_{roo{t}_{s{k}_{c_i}}^{COIN}}^{pk}(1)$$ $${\forall }_i\in \{1,\dots ,4\}:DeComm(c{m}_{c_i},p{k}_{c_i}^{COIN}||v_i||{\rho }_{c_i},r_{c_i})=T$$ $$v_1+v_2=v_3+v_4$$

path_1\text{ is a valid path to } cm_{c_1} \text{ in a tree with the root} \emph{ root}

path_2\text{ is a valid path to } cm_{c_2} \text{ in a tree with the root} \emph{ root}, sn_{c_2}=PRF_{root_{sk_{c_1}^{COIN}}}^{zdrv}(\rho_{c_1})

$$pat{h}_{s{k}_{c_i}^{COIN}}\text{ is a valid path to a leaf at position }\tau \text{ in },roo{t}_{s{k}_{c_i}^{COIN}}i\in \{1,2\}$$

$$s{n}_{c_i}=PR{F}_{roo{t}_{s{k}_{c_i}^{COIN}}}^{sn}({\rho }_{c_i}),{\forall }_i\in \{1,2\}$$

toward better decentralization in ouroboros

the randomization of the leader selection at each slot is hinged on the random $y$, ${\mu }_y$, ${\rho }_c$, those three values are dervied from $\eta$, and root of the secret keys, the root of the secret keys for each stakeholder can be sampled, and derived beforehand, but $\eta$ is a response to global random oracle, so the whole security of the leader selection is hinged on $\text{centralized global random node}$.

solution

to break this centeralization, a decentralized emulation of $G_{ro}$ functionality for calculation of: ${\eta }_i=PR{F}_{{\eta }_{i-1}}^{G_{ro}}(\psi )$ $$\psi =hash(t{x}_0^{ep})$$ $${\eta }_0=hash("lettherebedark!")$$ note that first transaction in the block, is the proof transaction.

Epoch

An epoch is a vector of blocks. Some of the blocks might be empty if there is no winnig leader.

Leader selection

At the onset of each slot each stakeholder needs to verify if it's the weighted random leader for this slot.

$$y<T_i$$

This statement might hold true for zero or more stakeholders, thus we might end up with multiple leaders for a slot, and other times no leader. Also note that no node would know the leader identity or how many leaders are there for the slot, until it receives a signed block with a proof claiming to be a leader.

$${\varphi }_f=1-(1-f{)}^{{\alpha }_i}$$ $$T_i=L{\varphi }_f({\alpha }_i^j)$$

Note that ${\varphi }_f(1)=f$, $\text{f}$: the active slot coefficient is the probability that a party holding all the stake will be selected to be a leader. Stakeholder is selected as leader for slot j with probability ${\varphi }_f({\alpha }_i)$, ${\alpha }_i$ is $U_i$ relative stake.

The following are absolute stake aggregation dependent leader selection family of functions.

Linear family functions

In the previous leader selection function, it has the unique property of independent aggregation of the stakes, meaning the property of a leader winning leadership with stakes $\sigma$ is independent of whether the stakeholder would act as a pool of stakes, or distributed stakes on competing coins. "one minus the probability" of winning leadership with aggregated stakes is $1-\varphi ({\sum }_i{\sigma }_i)=1-(1+(1-f{)}^{{\sigma }_i})=-(1-f{)}^{{\sum }_i{\sigma }_i}$, the joint "one minus probability" of all the stakes (each with probability $\varphi ({\sigma }_i))$ winning aggregated winning the leadership ${\prod }_i^n(1-\varphi ({\sigma }_i))=-(1-f{)}^{{\sum }_i({\sigma }_i)}$ thus: $$1-\varphi (\sum _i{\sigma }_i)=\prod _i^n(1-\varphi ({\sigma }_i))$$

A non-exponential linear leader selection can be:

$$y<T$$ $$y=2^{l}k\mid 0\le k\le 1$$ $$T=2^l\varphi (v)$$ $$\varphi (v)=\frac{1}{v_{max+}+c}v\mid c\in \mathbb{Z}$$

Dependent aggregation

Linear leader selection has the dependent aggregation property, meaning it's favorable to compete in pools with sum of the stakes over aggregated stakes of distributed stakes:

$$\varphi (\sum _i{\sigma }_i)>\prod _i^n{\sigma }_i$$ $$\sum _i{\sigma }_i>(\frac{1}{v_{max}+c}{)}^{n-1}{v}_1{v}_2\dots v_n$$ let's assume the stakes are divided to stakes of value ${\sigma }_i=1$ for $\Sigma >1\in \mathbb{Z}$, ${\sum }_i{\sigma }_i=V$ $$V>(\frac{1}{v_{max}+c}{)}^{n-1}$$ note that $(\frac{1}{v_{max}+c}{)}^{n-1}<1,V>1$, thus competing with single coin of the sum of stakes held by the stakeholder is favorable.

Scalar linear aggregation dependent leader selection

A target function T with scalar coefficients can be formalized as $$T=2^{l}k\varphi (\Sigma )=2^l(\frac{1}{v_{max}+c})\Sigma$$ let's assume $v_{max}=2^v$, and $c=0$ then: $$T=2^{l}k\varphi (\Sigma )=2^{l-v}\Sigma$$ then the lead statement is $$y<2^{l-v}\Sigma$$ for example for a group order or l= 24 bits, and maximum value of $v_{max}=2^{10}$, then lead statement: $$y<2^{14}\Sigma$$

Competing max value coins

For a stakeholder with $n{v}_{max}$ absolute stake, $\mid n\in \mathbb{Z}$ it's advantageous for the stakeholder to distribute stakes on $n$ competing coins.

Inverse functions

Inverse lead selection functions doesn't require maximum stake, most suitable for absolute stake, it has the disadvantage that it's inflating with increasing rate as time goes on, but it can be function of the inverse of the slot to control the increasing frequency of winning leadership.

Leader selection without maximum stake upper limit

The inverse leader selection without maximum stake value can be $\varphi (v)=\frac{v}{v+c}\mid c>1$ and inversely proportional with probability of winning leadership, let it be called leadership coefficient.

Decaying linear leader selection

As the time goes one, and stakes increase, this means the combined stakes of all stakeholders increases the probability of winning leadership in next slots leading to more leaders at a single slot, to maintain, or to be more general to control this frequency of leaders per slot, c (the leadership coefficient) need to be function of the slot $sl$, i.e $c(sl)=\frac{sl}{R}$ where $R$ is epoch size (number of slots in epoch).

Pairing leader selection independent aggregation function

The only family of functions $\varphi (\alpha )$ that are isomorphic to summation on multiplication $\varphi ({\alpha }_1+{\alpha }_2)=\varphi ({\alpha }_1)\varphi ({\alpha }_2)$(having the independent aggregation property) is the exponential function, and since it's impossible to implement in plonk, a re-formalization of the lead statement using pairing that is isomorphic to summation on multiplication is an option.

Let's assume $\varphi$ is isomorphic function between multiplication and addition, $\varphi (\alpha )=\varphi (\frac{\alpha }{2})\varphi (\frac{\alpha }{2})=\varphi (\frac{\alpha }{2}{)}^2$, thus: $$\varphi (\alpha )=\underset{\text{α}}{\underbrace{\varphi (1)\dots \varphi (1)}}=\varphi (1{)}^{\alpha }$$ then the only family of functions $\varphi :\mathbb{R}\to \mathbb{R}$ satisfying this is the exponential function $$\varphi (\alpha )=c^{\alpha }\mid c\in \mathbb{R}$$

no solution for the lead statement parameters, and constants $S,f,\alpha$ defined over group of integers.

assume there is a solution for the lead statement parameters and constants $S,f,\alpha$ defined over group of integers. for the statement $y<T$, $$T=L{\varphi }_{max}\varphi (\alpha )=S\varphi (\alpha )$$ $$S=ord(G){\varphi }_{max}\varphi (\alpha )$$ such that S $inZ$ ${\varphi }_{max}=\varphi ({\alpha }_{max})$ where ${\alpha }_{max}$ is the maximum stake value being $2^{64}$, following from the previous proof that the family of function haveing independent aggregation property is the exponential function $f^{\alpha }$, and $f\in Z|f>1$, the smallest value satisfying f is $f=2$, then $${\varphi }_{max}=2^{2^{64}}$$ note that since $ord(G)<<{\varphi }_{max}$ thus $S<<1$, contradiction.

target T n term approximation

• s is stake, and $\Sigma$ is total stake.
• $$\sigma =\frac{s}{\Sigma }$$
• $$T=-[\frac{k}{\Sigma }s+\frac{k^{{}^{\prime \prime }}}{{\Sigma }^{2}2!}{s}^2+\cdots +\frac{k^{{}^{\prime }n}}{{\Sigma }^{n}n!}{s}^n]$$

Leaky non-resettable beacon

Built on top of globally synchronized clock, that leaks the nonce $\eta$ of the next epoch a head of time (thus called leaky), non-resettable in the sense that the random nonce is deterministic at slot s, while assuring security against adversary controlling some stakeholders.

For an epoch j, the nonce ${\eta }_j$ is calculated by hash function H, as:

$${\eta }_j=H({\eta }_{j-1}||j||v)$$

v is the concatenation of the value $\rho$ in all blocks from the beginning of epoch $e_{i-1}$ to the slot with timestamp up to $(j-2)R+\frac{16k}{1+ϵ}$, note that k is a persistence security parameter, R is the epoch length in terms of slots.

Appendix

This section gives further details about the structures that will be used by the protocol.

Blockchain

Header

Block

LeadInfo