The cryptography behind Cardano blocks
Cryptocurrencies could be invented due to the many major achievements in cryptography. It is not a surprise that cryptography is used not only for signing transactions but it is also used for the creation of new blocks. In the article, we will have a look at how a new block is created in the Cardano network from the point of view of cryptography.
Blocks are created by pools
In the Cardano network, the nodes of staking pool operators are responsible for the production of new blocks. Every pool operator needs to generate a few pairs of keys and register herself as a block producer in order to become a slot leader. Time is divided into epochs and every epoch is divided into slots. A slot lasts one second. There are 432,000 slots in every epoch so the epoch lasts 5 days. It is possible to configure how often a new block is to be created by the parameter d. Currently, it is set to a value that lets the network create a new block approximately every 20 seconds. It means that approximately every 20 seconds some node becomes the slot leader and can mint a new block. In every epoch, approximately 21,600 blocks are created. Due to the randomness that is implemented in the protocol, it can be actually created more or fewer blocks.
In the Cardano network, every registered pool verifies every second whether it is the slot leader in the given slot. If yes then it can mint a new block and provide a certain proof that is validated by other nodes in the network. The higher stake a pool has the more often it can become a slot leader. The selection of a slot leader is based on randomness. In the ideal case, only one slot leader is selected in a given slot. Obviously, it must not be possible that many new valid blocks are created in a slot.
In PoW networks, computation power must be consumed to produce a new block. All pools compete among each other to resolve the complex puzzle and it is very probable that only one pool succeeds in a given cycle. It can happen in PoW networks that two valid blocks can be produced in a cycle. Let’s call them to block A and block B. In the next cycle, pools need to decide to which block they will wish to append a new block. In most cases, a pool starts working on a new block once a valid block is produced. It can happen that a few pools wish to build on block A since they received it before block B. The opposite can happen to other pools and they build on block B. As a few new blocks are added over time, the longer chain will win and remain in the blockchain. The rest of the blocks (after the fork) will be orphaned (blocks are not part of the blockchain including all transactions). Notice that PoW consensus protects the network against the creation of many valid blocks in a given cycle. It is financially expensive to create a block since for approximately 10 minutes a lot of electricity is spent to solve the puzzle.
In the Cardano network, the protection against flooding the network by a bunch of valid blocks is based on cryptography. Only a selected slot leader is able to produce a valid block in a given slot. A pool needs to provide cryptographic proof that can be easily verified by other nodes. It is impossible to somehow guess in advance how the proof looks like so it is impossible to cheat. Cardano is able to create a block cheaply but only a slot leader is able to create one in a given slot.
Cardano’s security is about keys
You have probably heard that you need to use cryptographic keys to be able to send a transaction. To be more precise, asymmetric cryptography key pairs are generated for that purpose. A key pair consists of a private key and a public key. The private key is the secret that the owner must guard well and keep offline in the ideal case. The public key can be published and everybody can see it. When a user signs a transaction by the private key it provides proof that owns the coins. It is possible to sign more transactions with the same private key since the key is not compromised by the process of signing. The counterparty needs to have the corresponding public key to validate the signature. The owner of the private key can spend ADA coins from the address that has been created via the corresponding public key. The rest of the network can easily validate it. Signing a staking certificate is a very similar process. Only the owner of ADA coins can make decisions related to staking. The principle is the same. Private keys are used for signing by owners and public keys for verifying by others. Staking certificates are sent to the network and stored in the blockchain. Thus, everybody can verify it.
Cryptography is used also for the PoS consensus of the Cardano network. There are two types of keys: Address keys and node keys. In the article, we will talk mainly about the node keys since we are interested in the production of blocks.
Staking pool operators need to generate a few key pairs:
- An operational cold key pair. The key grants the right to sign blocks to the KES key.
- Key Evolving Signature (KES) key pair. The key is used for signing a new block. The key expires periodically and a new one is computed.
- Verifiable Random Function (VRF) key pair. The key is used to find out whether a node is a slot leader in an ongoing slot. The node does it every second.
Keys are used for the creation of an operational certificate and further for checking whether a node is a slot leader in a given slot and for the signing of blocks. Cold key pairs should be stored offline, meaning not on a computer that is connected to the internet. Cold key pair allows operators to generate a new operational certificate for every KES period. KES key pair (hot) is an operational key that authenticates the node.
A new operational certificate is sent to the network and stored in the blockchain. All pools are registered and every node knows about the registered pools. The operational certificate is used for the verification that the pool has the authority to run. Certificates contain public information about the pools like addresses, keys, and the operators’ signatures. Operators need to guard well the cryptographic secrets that allow them to become slot leaders and sign new blocks. The operational certificates represent the link between the operators’ offline keys and operational keys.
As we said, an operational key certificate must be signed by the offline (cold) key. It grants the right to sign blocks to the KES key that regularly expires after some epochs and that is based on the genesis parameters. A mechanism similar to the forward secure signature scheme is used. This mechanism is based on the idea that an adversary is not able to forge the signatures that have been made in the past since it allows to keep the same public key but create a new private key pair over and over. Thus, the private key can be immediately erased once it has been used. The KES signing key regularly expires (KES-period) and a new one must be computed for the next period. The old KES key is erased. Thus, nobody is able to sign a block by the erased KES key again. If a hacker compromises the key and gets access to the signing key, he can only use that one to sign blocks from now on, but not blocks that have been signed in the past. It makes it impossible for the hacker to rewrite history.
When a node generates the operational certificate it includes a counter. A counter is a number that is incremented always when a new certificate is created and published by the node. When the node becomes a slot leader and mints a new block it includes the counter into the header of the new block. Other nodes in the network validate the blocks and they can check whether a certificate is the current one, or whether it has been superseded by a newer one. The counter is a simple mechanism of how to overrule a certificate when the KES key is compromised. For example, stolen by a hacker. Operators should keep their cold keys offline. Thus, only operators are able to generate a newer certificate and increment the counter. Validating nodes can receive two blocks for the same slot. One is signed by the hacker and the other by the operator whose KES key has been compromised. Nodes validating blocks have an easy job. They can see that there are two blocks claiming that they are produced by the same node (node corresponding to a given cold key) but includes different KES keys. Certificates are stored in the blockchain so validation nodes know which certificates are the latest. The block that contains a higher counter will win and will be added to blockchains of validating nodes. Hacker’s block will be thrown away.
When and how a new block is created?
As we said, a lottery decides about a registered node that becomes a slot leader and thus it is assigned the right to produce a new block. All registered nodes in the Cardano network utilize VRF to autonomously find out whether they can create a new block in a given slot. More nodes can become slot leaders in a given slot. It is not a problem and we will show you later how the conflict is resolved. It can happen that more blocks can be created in 20 seconds since the lottery is a random process and nodes use VRF independently on each other. A new phase of the lottery happens every single second and a new block can be created for example in the 5th subsequent slot after the latest one has been added. However, it can take a longer time when a new slot leader is selected. It is also possible that it can happen in the 30th subsequent slot after the latest one has been added. Approximately 21,600 blocks should be created in every epoch but it can be more or it can be less. A special network parameter can be used to decrease or increase the rate of slot leader selection.
VRF is a kind of function that takes a few inputs and it produces an output. The VRF function takes a slot ID for which the current decision is being made, a VRF signing key (unique for every node), and a nonce. The Nonce is a hash that is created by using the first 2/3 of VRF outputs from the blocks that have been produced in the previous epoch. These inputs are processed by the VRF function and a random number is produced. Based on a pool’s stake a threshold is computed. When the random number is less than the threshold then a node is a slot leader. Notice that the size of a pool’s stake influences the rate at which the pool becomes a slot leader. The higher the stake the higher rate.
When a node becomes a slot leader it inserts transactions that wait for the processing into a new block. It also inserts a computed VRF output and the VRF proof that the node got the right to produce a new block. The new block is signed by the KES key and broadcast to the network.
Other nodes in the network will receive the new block and validate it. Besides validation of transactions in the block, also the VRF proof is verified by using the public key of the pool that has produced the block. All pool certificates are stored in the blockchain. Thus, it is easy for validators to validate the block’s signature. The block must be signed by the private key that corresponds to the public key that can be found in the corresponding certificate of the pool. If the block is valid then honest validators insert it into their versions of the blockchain.
This mechanism protects the network from the Nothing-at-Stake problem. The schedule of slot leaders is not known in advance and cannot be deduced. Pools determine the leadership of slots independently and other nodes will find out winners of the slot-leadership lottery at the moment they receive new blocks. Only owners of pools know their VRF private keys that are needed for the determination of the slot leadership.
When VRF and KES keys would be stolen by an adversary then the operator can use the operational cold key and create a new certificate. Of course, after fixing the security issue and preventing another hack of the node. Even if the operator did not do it the KES key would expire. Operators need to keep the operational key offline similarly as users keep their seeds on a piece of paper. Do not worry. Most of the operators are professionals and know well how to protect cryptographic secrets.
An adversary cannot just randomly generate some random scam chain from the same genesis block. The set of slot leaders is always the same from the beginning up to the end of the blockchain and it evolves dynamically. A new set of slot leaders for the next epoch can be calculated when the nonce is known. A new nonce is known firstly at the moment when the current epoch ends and 2/3 of blocks can be used to compute it. Many scam blocks can be created in order to try flooding the network but only blocks that have been created by slot leaders and signed by them will pass the validation process.
Notice that also in the PoW network it is possible to create plenty of scam blocks and flood the network. The process of validation is very similar. Only blocks that contain proof about the resolved complex computational work will be added to the blockchain. The difference is that in the case of Cardano, the consumption of electricity is very low. Cryptography is used differently to create proof that allows validators to accept a newly created block. In PoW networks, the electricity must be consumed to create a proof.
As we have said above, it can happen that two nodes become slot leaders in the same slot and both produce valid blocks. Only one of them can be appended to the blockchain. Thus, when validators receive two valid blocks and they need to choose one of them. There is a very simple rule that determines which block will win. Validators append the block that has lower VRF proof. You can imagine it as a comparison of two numbers. The block with the higher VRF proof is orphaned. It means it is thrown away together with all transactions.
Blockchain is a sequence of blocks. A new block is always appended to the end. When a node is the slot leader it creates a new block that is to be appended to the end. Every block contains a block number. The block number is incremented with every newly appended block.
Let’s assume that Alice’s pool is the slot leader at slot X and produces a new valid block. Bob’s pool becomes the slot leader at slot X+1 and also produces a new valid block. Both blocks have been produced at a very similar time and have the same block number. Alice’s pool did not know about Bob’s block at the time of producing its own block and vice versa. Now, Carol’s pool is a slot leader at slot X+20 (nobody was a slot leader in slots from X+2 up to X+19). Carol’s pool will use Bob’s block since it is newer regarding the slot. There is again a simple rule that determines the winner. When there are more valid blocks available with the same block number then a node chooses the block with the higher slot number. In other words, the most recent block. The other block is orphaned.
In the case that Bob’s block would not be propagated in time and Carol’s pool would receive only Alice’s block then Bob’s block would be orphaned despite the fact that it has a higher slot number. It could hypothetically happen in our scenario when Carol’s pool would find out that it is a slot leader in slot X+3 and the pool of Alice is geographically closer than the pool of Bob. Thus Bob’s block has not arrived in time at Carol’s pool. Carol’s pool considers Alice’s block as the most recent one. Alice’s block would be appended in the blockchain and it would be followed by Carol’s block. Notice that Carol’s block increments the block number. Bob’s block will arrive at Carol’s pool later and it will be discarded. As Carol’s block is propagated through the network Bob’s block is discarded also by other nodes. Pool operators should ensure that their blocks are propagated as fast as possible to avoid the situation that their blocks will be orphaned.
Similarly, as an owner of a private key can sign a transaction in order to spend coins, a pool can sign a new block. In both cases, the signature can be verified fast and simply. Pool nodes need to store keys online and these keys might be stolen. It can happen but as you could see there are mechanisms that prevent hackers to hurt the network or rewrite the history of blockchain. Moreover, we will see some improvements in the future that will make Ouroboros PoS even more secure.