“Ouroboros” is the name of Cardano’s Proof of Stake consensus algorithm. So far it comes in two flavours, Ouroboros and Ouroboros Praos. This post gives my high-level interpretation of how they both work along with some commentary. If you want a low-level view check out the papers here and here. This presentation by Dr. Peter Gaži is a great companion to this post (luckily it came out just as I was writing it).

As Dr. Gaži points out, there are two properties you want with any type of distributed ledger: “persistence” and “liveness”. Where 𝐤 is the security parameter, they’re defined as:

Persistence: once a transaction goes more than 𝐤 blocks deep into the blockchain of one honest player, then it will be included in every honest player’s blockchain with overwhelming probability. Or more simply, once your transaction is in the blockchain it will stay there.

Liveness: all transactions originating from honest account holders will eventually end up at a depth more than 𝐤 blocks in an honest player’s blockchain, and hence the adversary cannot perform a selective denial of service attack against honest account holders. Or more simply, if you make a valid transaction it will end up in the blockchain.

Bitcoin’s Proof of Work (PoW) protocol provably achieves both of the above according to the GKL15 paper (where I took both of the definitions from). Getting a Proof of Stake (PoS) protocol to achieve the same is a challenge. PoW selects block creators by a computationally intensive competition outside of the blockchain. With PoS, the input to the block creator selection process is the blockchain itself — the blockchain chooses who will extend the blockchain! This presents some problems for persistence and liveness:

Grinding: Attackers might be able to bias the block creator selection process in their favour by contriving the state of the blockchain. If they can, they could repeatedly re-elect themselves as block creators. If they dominate block creation they can censor transactions, violating liveness.

Nothing-at-stake: Since it costs you nothing to create a block you may as well create blocks wherever you can. If an attacker can wield this power effectively, they may be able to violate persistence by creating blocks on a competing chain, or bribing/encouraging others to do so. If the chain becomes long enough it will overtake the main chain and so rewrite history.

Both Ouroboros protocols produce unbiased random numbers to address the grinding problem. This randomness allows for an unbiased “slot leader” (block creator) selection process that chooses leaders with a probability proportional to their stake. During an “epoch” (time period partitioned into many slots) participants write random numbers to the blockchain which end up selecting the slot leaders for the next epoch. The main difference between the two in this respect is:

Ouroboros: Slot leaders are known publicly ahead of time and there is always one slot leader per slot.

Praos: Each stakeholder knows which slots they lead ahead of time. Others only find out once they publish a block. There can be multiple slot leaders for a slot or none at all.
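
The two selection styles described above, side by side, as an added sketch that is not code from the original post or from Cardano. The stake table, seed, keys and the coefficient F are constructed; HMAC-SHA256 stands in for the verifiable random function a real private lottery needs, and the threshold 1 - (1 - f)^stake follows the form given in the Praos paper.

```python
import hashlib
import hmac

# Constructed inputs (assumptions for illustration, not values from the post).
STAKE = {"alice": 50, "bob": 30, "carol": 20}
SEED = b"constructed-epoch-seed"  # stands in for randomness written during the previous epoch
KEYS = {n: hashlib.sha256(b"sk-" + n.encode()).digest() for n in STAKE}
F = 0.25  # hypothetical fraction of slots expected to have at least one leader

def _msg(seed: bytes, slot: int) -> bytes:
    return seed + slot.to_bytes(8, "big")

def public_leader(seed, slot, stake):
    """Ouroboros-style: public inputs only, so anyone can compute each slot's single leader."""
    total = sum(stake.values())
    coin = int.from_bytes(hashlib.sha256(_msg(seed, slot)).digest(), "big") % total
    for name in sorted(stake):  # pick one coin uniformly; its owner leads the slot
        if coin < stake[name]:
            return name
        coin -= stake[name]

def private_leaders(seed, slot, stake, keys, f=F):
    """Praos-style: each holder runs a keyed lottery; others learn the result from the block."""
    total = sum(stake.values())
    winners = []
    for name in sorted(stake):
        tag = hmac.new(keys[name], _msg(seed, slot), hashlib.sha256).digest()
        draw = int.from_bytes(tag[:8], "big") / 2**64
        # Win if the draw falls under 1 - (1 - f)^(relative stake).
        if draw < 1 - (1 - f) ** (stake[name] / total):
            winners.append(name)
    return winners

def simulate(n_slots=5000):
    """Tally both schemes over n_slots slots of one epoch."""
    public = [public_leader(SEED, s, STAKE) for s in range(n_slots)]
    private = [private_leaders(SEED, s, STAKE, KEYS) for s in range(n_slots)]
    return {
        "public_share": {n: public.count(n) / n_slots for n in STAKE},
        "empty": sum(1 for w in private if not w) / n_slots,
        "multi": sum(1 for w in private if len(w) > 1) / n_slots,
    }

if __name__ == "__main__":
    print(simulate())
```

In the public scheme every slot has exactly one leader and the shares track stake; in the private scheme roughly 1 - F of the slots come up empty and a small fraction have more than one leader.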

The papers address the nothing-at-stake problem by proving that persistence and liveness are achieved even with an attacker’s ability to create forks easily (the video demonstrates the approach to the proof). There’s also a yet-to-be-implemented idea of “input endorsers” in the papers that would create incentives to behave honestly.

The original Ouroboros was conceived to prove that a PoS protocol could be secure. It can also be used in practice and is being used right now on the Cardano network. However, only a handful of authorised stakeholders are currently eligible slot leaders. All stake is essentially assigned to them. At some point in 2018 these training wheels come off, and with stake delegation stakeholders will be able to re-assign their stake. Eventually, Cardano will transition over to Praos, which is a “substantial leap forward compared to Ouroboros” according to one of its authors, Prof. Aggelos Kiayias.

The rest of this post goes into more detail about the leader election process for both protocols.