The inaugural Cardano meetup in the Netherlands was held last week in Rotterdam. From the beautiful event space, the amazing speaker line up and the overwhelming attendance from the Dutch community, it’s an understatement to say this meetup was a success. Special thanks to Blocklab for providing the venue and to our community members @ilhan, @bullish and @Andy_Hendrikx for organizing the meetup!

(Note that this recap is 1 of 2 parts. This summary will include Bernardo David’s talk, and Part 2 will follow with Edsko de Vries’ presentation.)

Tom and Jon from Cardano Foundation kicked off the meetup with a quick introduction of the project, the Foundation’s role and the Cardano community.

Bernardo David took to the podium next. He is a research fellow at IOHK and assistant professor at Tokyo Institute of Technology. His presentation was on Ouroboros, the main consensus protocol used in Cardano and how it differs from Bitcoin and other blockchains.

Introduction & Background

Bernardo started by laying out the current issues observed with Proof-of-Work (PoW) systems:

in a PoW-based system, the people who are generating blocks are not necessarily the same people who have invested their money

meaning there is a distinction between coin holders (those who have invested in the system by buying tokens) and professional miners (those who run mining farms to generate new blocks and obtain profits from this)

the people who control how the system works are the miners

and those in control can destroy the blockchain, make policy changes, make it grow, allow hard forks to happen, and so on

there are also diminishing rewards for mining

in Bitcoin, the block mining reward halves every 210,000 blocks

this means the incentive to invest in mining is also decreasing, which is problematic when the system relies on mining to work

and what happens to those systems when the rewards equal zero?

and thirdly, the control of the network in a PoW system is very centralized

it is known that the whole Bitcoin network is handled by a handful of Chinese mining farms

this can be the downfall of Bitcoin if there are regulatory changes in China and, in general, it is not good for the system to be controlled by a few large parties

additionally, if one were to have energy to mine more than 50% of the users, then they can take it over in theory

PoW systems are also very energy intensive and generate a huge amount of energy waste

a whole Bitcoin mining pool spends more than the country of the Netherlands per day

to create a sustainable system, we don’t want to spend natural resources nor do we want to create more pollution

So what can be done to solve these issues?

an option is to shift to other mechanisms away from PoW

such as: Proof-of-Stake and Proof-of-Space

Proof-of-Space is very similar to proofs of work, except that instead of computation, storage is used

for Cardano, the researchers and IOHK wanted to move to a model without energy waste and employ those chosen resources to do something useful for the system and the community

Proof-of-Stake is based on the concept that more investment in the system means more control

and you as a user, can be sure that you can steer the way the project is going (with your voting power)

PoS is also energy efficient

all you need to generate a block is a signature and a few cryptographic operations that spend no energy or data

there is no waste of resources and users are in control of the system to make sure the blockchain grows

Basic Structure: How does PoS work?

To explain how PoS works, Bernardo uses a slide with Ghibli characters: Totoro, Porco Rosso and Chihiro (from left to right in the image)

as you can see from the slide, Totoro has 9 coins, Porco Rosso has 6 and Chihiro has 15 coins

whoever has more coins in the system (and therefore has invested more) should be able to generate more blocks in a PoS-based system

to figure out who can create the next block, a lottery is run

people who have more coins will have a higher probability of winning this lottery and in this example, that would be Chihiro

this lottery is run every time you want the blockchain to grow and a block needs to be generated, compared to the Bitcoin network where a PoW puzzle must be solved

the first assumption and basic mechanism of PoS is that Chihiro will win the lottery more often because of her higher investment

for Cardano, the person who generates the block is called the slot leader

for every block, there is a time slot. During that time, someone can generate a block

a block is 20 seconds long and there is a lottery that corresponds to each 20-second block

this lottery in the protocol used in Cardano is called the slot leader selection process

What has their research contributed in this field

before the papers produced by IOHK research, no one had a proof that this system was mathematically secure

it is a very complicated proof to write and over the course of 3 years, the researchers came up with a system that claimed to be secure and that could be proven mathematically and verified by others in the space

first came the formal model for PoS based consensus protocols

then came Ouroboros, the first provably secure PoS-based blockchain protocol

the term Ouroboros comes from the Greek mythology of the serpent eating its own tail and is used in this context because it entails that the blockchain creates randomness from its own state

but this protocol had a few caveats, and these were solved this year with Ouroboros Praos which improved the security and efficiency of the previous proposal

the term Praos in ancient Greek means relax

the original protocol must assume that users are online at all times and posting their messages all the time and must act fast, while the new proposal with Praos allows users to be in a more real-world setting and can go online and offline and hence, can be more relaxed

Praos was an achievement as it found a way to keep security while supporting a real-world scenario

Ouroboros

this first proposal made assumptions on synchronicity, meaning everybody (no matter where in the world they are) has a clock synchronized with everyone else's, and this is necessary to know when to send messages (such as making the lottery and generating blocks)

given this assumption, they prove that as long as an adversary does not control more than 50% of stake in the system, it will be as secure as Bitcoin

another assumption was that an adversary cannot automatically control people, meaning if an adversary hacks or impersonates you, they will be required to wait some time before hacking into the next computation (a corruption delay)

they knew these assumptions were not likely but needed them to make a simple system first

Before diving into how Praos solved these assumptions, Bernardo described how the lottery works and the general mechanisms of the protocol.

How is the lottery done?

it uses the ‘Follow the Satoshi’ protocol

this procedure allows us to select a user among all users with a probability that is proportional to the number of coins that user has

you basically start with a cryptographic hash function (H) that takes in a random value (otherwise known as a seed)

and you get an output of a number ‘i’

this i is between 0 and the total number of satoshis in the blockchain

a satoshi is the smallest monetary unit in the cryptocurrency (like cents)

in the case of Cardano, the output of the hash function will be between 1 and total number of Ada coins in the blockchain

H(seed) gives you an output of Ada coin number i

there will be a transaction on the blockchain that shows this ‘user’ owns coin i

the number selected is random and therefore, each coin has equal probability

but if you have more coins, you will be selected more often

and how do we generate this random seed?

and how can we do this in a decentralized way?
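The lottery described above, as an added sketch that is not part of the talk or of Cardano's code. It assumes SHA-256 as the hash H, mixes the slot number into the hash so that one epoch seed yields a leader per slot, numbers coins from 0, and uses the stake figures from the slide with constructed seeds:

```python
import hashlib
from bisect import bisect_right
from itertools import accumulate

# Stake distribution from the slide: coins 0-8, 9-14 and 15-29 respectively.
STAKE = {"Totoro": 9, "Porco Rosso": 6, "Chihiro": 15}

def coin_index(seed: bytes, slot: int, total: int) -> int:
    """Map H(seed || slot) to a coin number in [0, total) without modulo bias."""
    limit = (1 << 256) - ((1 << 256) % total)  # largest multiple of total
    counter = 0
    while True:
        data = seed + slot.to_bytes(8, "big") + counter.to_bytes(4, "big")
        value = int.from_bytes(hashlib.sha256(data).digest(), "big")
        if value < limit:          # reject the biased tail and re-hash
            return value % total
        counter += 1

def owner_of(index: int, stake: dict) -> str:
    """Follow the coin: find whose range of coin numbers contains index."""
    names = list(stake)
    bounds = list(accumulate(stake[n] for n in names))  # [9, 15, 30]
    return names[bisect_right(bounds, index)]

def slot_leader(seed: bytes, slot: int, stake: dict) -> str:
    return owner_of(coin_index(seed, slot, sum(stake.values())), stake)

def schedule(seed: bytes, slots: int, stake: dict) -> list:
    """Leader for every slot of one epoch, fully determined by the seed."""
    return [slot_leader(seed, s, stake) for s in range(slots)]

def leader_counts(seed: bytes, slots: int, stake: dict) -> dict:
    counts = dict.fromkeys(stake, 0)
    for name in schedule(seed, slots, stake):
        counts[name] += 1
    return counts

if __name__ == "__main__":
    seed = b"constructed-epoch-seed-1"   # placeholder, not real chain randomness
    print(schedule(seed, 10, STAKE))
    print(leader_counts(seed, 30000, STAKE))
```

Because the schedule is a pure function of the seed and the stake list, anyone who knows both can compute every leader in advance, which is why the seed has to be unpredictable and refreshed.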

The Protocol: one epoch

each epoch has a number of slots and at each slot, a block is produced

start from genesis block B0 (which is the block that is there before the beginning of time)

here you will see a description of users and the number of coins they own s, and randomness

from the image, you can see that in the first slot, no one was online and therefore no block was generated

in the next 2 slots, blocks were generated and the blockchain progresses

one problem here is that we are using this list of people who own coins and a fixed randomness to select people who generate blocks

but in reality, people will be transacting and changing coins, and the list will therefore become out of date

so for example, after block 1, user 1 might have sold his coins and doesn’t own any stake

but at the end of an epoch, he can still be selected as if he still owns these coins

it should be noted, that we need to do this to achieve security

but we don’t want an out-of-date list to persist throughout whole protocol

so that’s why it’s divided into epochs

by the end of the epoch, a new random value is generated and the list is updated (this is easy as all the transactions are tracked in each block)

in the first proposal of Ouroboros, there was a restriction that all messages are delivered by end of slot, but in Praos, they resolve this

there are also no restrictions on how many blocks can be empty

the main restriction is that honest people must be online (in this first version of Ouroboros)

The Protocol: multiple epochs

the full protocol then of course includes multiple epochs

by using a tool called Guaranteed Output Delivery (G.O.D.) Coin Tossing, you get a randomness source

this tool that operates as a black box runs in parallel with the blockchain protocol to give a value that is guaranteed to be random (as long as 50% of the users are honest)

this black box uses an interactive protocol that requires users to talk to each other through the blockchain and has been proven through research to provide perfect randomness

this is repeated for each epoch

it is necessary to create new randomness because if the same randomness is used, a bad user can predict which coins will be selected and will buy those specific coins

Ouroboros Praos

after the first proposal came Ouroboros Praos

it no longer needed the synchronicity assumption

and it also improved the security of Ouroboros despite fully adaptive corruptions, such as bad players who won’t “wait” between adverse activity

this was achieved via oblivious leader selection, forward secure signatures, and local randomness generation

Ouroboros Genesis

this protocol improved upon Praos to achieve universal composability via their sophisticated chain selection rule

in Praos, you had to assume that users who join the system without having run the blockchain before would need someone they trust to give them intermediate states of the system (blocks of the system) to check that the chains they are receiving are correct

this is not ideal and you would instead want to be able to bootstrap the whole blockchain from the genesis block

usually you would use the ‘longest chain rule’ (which is to pick the longest chain of blocks) but this does not give you the best guarantees

with their sophisticated rule, it allowed you to bootstrap directly from the genesis block without a trusted intermediary checkpoint

Genesis then achieved security without checkpoints

and they have also been working on performance

their latest benchmarks were run a few years ago on a non-optimized version of Ouroboros and they were getting to 100 transactions per second

As a conclusion, Bernardo notes that the research and Ouroboros protocol they have created can achieve the same security as Bitcoin, while expending less energy and providing better performance. All of this was created by using well-understood cryptographic techniques that have been mathematically proven to be correct.

If you are interested in learning more and reading the papers on Ouroboros, you can find them here:

Ouroboros

Ouroboros Praos

Ouroboros Genesis

To read Part 2 of the Rotterdam meetup with Edsko de Vries’ talk on the Cardano wallet, click here!

Watch Bernardo’s presentation here: