Ouroboros Praos: An Adaptively-Secure, Semi-synchronous Proof-of-Stake Blockchain

  • Bernardo David
  • Peter Gaži
  • Aggelos Kiayias
  • Alexander Russell
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10821)


We present “Ouroboros Praos”, a proof-of-stake blockchain protocol that, for the first time, provides security against fully-adaptive corruption in the semi-synchronous setting: Specifically, the adversary can corrupt any participant of a dynamically evolving population of stakeholders at any moment as long the stakeholder distribution maintains an honest majority of stake; furthermore, the protocol tolerates an adversarially-controlled message delivery delay unknown to protocol participants.

To achieve these guarantees we formalize and realize in the universal composition setting a suitable form of forward secure digital signatures and a new type of verifiable random function that maintains unpredictability under malicious key generation. Our security proof develops a general combinatorial framework for the analysis of semi-synchronous blockchains that may be of independent interest. We prove our protocol secure under standard cryptographic assumptions in the random oracle model.



We thank Christian Badertscher and the anonymous reviewers for several useful suggestions improving the presentation of the paper.

Peter Gaži partly worked on this project while being a postdoc at IST Austria, supported by the ERC consolidator grant 682815-TOCNeT. Aggelos Kiayias was partly supported by H2020 Project #653497, PANORAMIX.


  1. 1.
    Bellare, M., Miner, S.K.: A forward-secure digital signature scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 431–448. Springer, Heidelberg (1999).  https://doi.org/10.1007/3-540-48405-1_28Google Scholar
  2. 2.
    Bentov, I., Gabizon, A., Mizrahi, A.: Cryptocurrencies without proof of work. CoRR, abs/1406.5694 (2014)Google Scholar
  3. 3.
    Bentov, I., Gabizon, A., Mizrahi, A.: Cryptocurrencies without proof of work. In: Clark, J., Meiklejohn, S., Ryan, P.Y.A., Wallach, D., Brenner, M., Rohloff, K. (eds.) FC 2016. LNCS, vol. 9604, pp. 142–157. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53357-4_10CrossRefGoogle Scholar
  4. 4.
    Bentov, I., Lee, C., Mizrahi, A., Rosenfeld, M.: Proof of activity: extending bitcoin’s proof of work via proof of stake. SIGMETRICS Perform. Eval. Rev. 42(3), 34–37 (2014)CrossRefGoogle Scholar
  5. 5.
    Canetti, R.: Universally composable signature, certification, and authentication. In: 17th IEEE Computer Security Foundations Workshop, (CSFW-17 2004), p. 219. IEEE Computer Society (2004)Google Scholar
  6. 6.
    Chase, M., Lysyanskaya, A.: Simulatable VRFs with applications to multi-theorem NIZK. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 303–322. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-74143-5_17CrossRefGoogle Scholar
  7. 7.
  8. 8.
    Daian, P., Pass, R., Shi, E.: Snow white: provably secure proofs of stake. Cryptology ePrint Archive, Report 2016/919 (2016). http://eprint.iacr.org/2016/919
  9. 9.
    Dodis, Y., Puniya, P.: Feistel networks made public, and applications. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 534–554. Springer, Heidelberg (2007).  https://doi.org/10.1007/978-3-540-72540-4_31CrossRefGoogle Scholar
  10. 10.
    Dodis, Y., Yampolskiy, A.: A verifiable random function with short proofs and keys. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 416–431. Springer, Heidelberg (2005).  https://doi.org/10.1007/978-3-540-30580-4_28CrossRefGoogle Scholar
  11. 11.
    Dwork, C., Lynch, N.A., Stockmeyer, L.J.: Consensus in the presence of partial synchrony. J. ACM 35(2), 288–323 (1988)MathSciNetCrossRefGoogle Scholar
  12. 12.
    Garay, J., Kiayias, A., Leonardos, N.: The bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015).  https://doi.org/10.1007/978-3-662-46803-6_10Google Scholar
  13. 13.
    Itkis, G., Reyzin, L.: Forward-secure signatures with optimal signing and verifying. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 332–354. Springer, Heidelberg (2001).  https://doi.org/10.1007/3-540-44647-8_20CrossRefGoogle Scholar
  14. 14.
    Jarecki, S., Kiayias, A., Krawczyk, H.: Round-optimal password-protected secret sharing and T-PAKE in the password-only model. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 233–253. Springer, Heidelberg (2014).  https://doi.org/10.1007/978-3-662-45608-8_13Google Scholar
  15. 15.
    Kiayias, A., Panagiotakos, G.: Speed-security tradeoffs in blockchain protocols. Cryptology ePrint Archive, Report 2015/1019 (2015). http://eprint.iacr.org/2015/1019
  16. 16.
    Kiayias, A., Russell, A., David, B., Oliynykov, R.: Ouroboros: a provably secure proof-of-stake blockchain protocol. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 357–388. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-63688-7_12CrossRefGoogle Scholar
  17. 17.
    King, S., Nadal, S.: PPCoin: peer-to-peer crypto-currency with proof-of-stake, August 2012. https://peercoin.net/assets/paper/peercoin-paper.pdf
  18. 18.
    Lindell, A.Y.: Adaptively secure two-party computation with erasures. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 117–132. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-00862-7_8CrossRefGoogle Scholar
  19. 19.
    Micali, S.: ALGORAND: the efficient and democratic ledger. CoRR, abs/1607.01341 (2016)Google Scholar
  20. 20.
    Nakamoto, S.: The proof-of-work chain is a solution to the byzantine generals’ problem. The Cryptography Mailing List, November 2008. https://www.mail-archive.com/cryptography@metzdowd.com/msg09997.html
  21. 21.
    Pass, R., Seeman, L., Shelat, A.: Analysis of the blockchain protocol in asynchronous networks. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10211, pp. 643–673. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-56614-6_22CrossRefGoogle Scholar
  22. 22.
    Pass, R., Shi, E.: The sleepy model of consensus. Cryptology ePrint Archive, Report 2016/918 (2016). http://eprint.iacr.org/2016/918
  23. 23.
    Russell, A., Moore, C., Kiayias, A., Quader, S.: Forkable strings are rare. Cryptology ePrint Archive, Report 2017/241 (2017). http://eprint.iacr.org/2017/241

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Bernardo David
    • 1
    • 2
  • Peter Gaži
    • 2
  • Aggelos Kiayias
    • 2
    • 3
  • Alexander Russell
    • 4
  1. 1.Tokyo Institute of TechnologyTokyoJapan
  2. 2.IOHKHong KongChina
  3. 3.University of EdinburghEdinburghUK
  4. 4.University of ConnecticutMansfieldUSA

Personalised recommendations