History of Consensus in Nomos

Consensus - History

Crypsinous

Some familiarity with Crypsinous or other protocols in the Ouroboros family (e.g. Praos, or later revisions) is required for an understanding of the rest of this document.

We can identify two main things in a protocol:

In essence, the Ouroboros family of consensus protocols builds on Bitcoin by modifying only the leadership conditions, leaving the fork-choice rule almost unchanged (see Ouroboros Genesis for a modification of that: an additional rule for resolving forks that branched more than k blocks in the past, i.e. how to validate the full history without having to watch the chain live).

On a high level, time is divided into discrete units, called slots, at fixed intervals (e.g. every 1s). For each of these slots, the protocol runs a lottery that selects winners (leaders) with probability proportional to their stake in the system. These winners are then allowed to propose a new block to append to the tree.

While in Ouroboros Genesis (the version implemented in Cardano) this lottery is public and leaks the amount of stake of each party, Crypsinous improves on Genesis by keeping stake information private.

We have deemed this improvement essential for a number of reasons, but mainly to ensure infrastructure resilience. The Nomos Architecture whitepaper discusses this in greater detail.

Unfortunately, Crypsinous is not perfect, and we (and other people) have identified missing and broken pieces, or, generally speaking, things we can improve on.

These pieces are highlighted in the following points, and our solutions to them will constitute, alongside the rest of the original consensus protocol, the backbone of Cryptarchia.

What is missing:

These are things that are left out of the paper but are required for an implementation:

Stake relativization

The lottery function relies on being able to compute each party’s stake relative to that of the whole network. Unfortunately, the amount of eligible stake fluctuates, since recent coins can’t participate in the lottery and not all old coins do. This means that computing relative stake is not straightforward.

Unfortunately, Crypsinous does not share this information (and for good reasons), so this becomes a bit more convoluted. The paper does not contain a solution for this, and to our knowledge, a satisfying solution has not been published yet.
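To make the dependency on relative stake concrete, the following added example (not code from Nomos or from the Crypsinous paper) runs a toy slot lottery using the Ouroboros Praos leadership function φ_f(α) = 1 − (1 − f)^α and compares the slot activity when stake is taken relative to the participating stake versus the total supply. The value of f, the stake figures, the SHA-256 stand-in for the private lottery and all function names are assumptions made for illustration.

```python
import hashlib
import math

F = 0.05  # active slot coefficient f (assumed value, not from the page)

def phi(alpha, f=F):
    """Praos leadership function: win probability for relative stake alpha."""
    return 1.0 - (1.0 - f) ** alpha

def is_leader(secret, slot, stake, assumed_total, f=F):
    """Toy private lottery: SHA-256 stands in for the real VRF / ZK proof."""
    digest = hashlib.sha256(secret + slot.to_bytes(8, "big")).digest()
    draw = int.from_bytes(digest, "big") / 2**256  # uniform in [0, 1)
    return draw < phi(stake / assumed_total, f)

def wins(secret, stake, assumed_total, slots):
    """Number of slots (out of `slots`) this party leads."""
    return sum(is_leader(secret, s, stake, assumed_total) for s in range(slots))

def slot_activity(participating_stakes, assumed_total, f=F):
    """Probability that at least one participant leads a given slot."""
    nobody = math.prod(1.0 - phi(s / assumed_total, f) for s in participating_stakes)
    return 1.0 - nobody

# Constructed scenario: 2000 coins exist, only 1000 take part in the lottery.
PARTICIPATING = [100, 300, 600]
SUPPLY = 2000

if __name__ == "__main__":
    exact = slot_activity(PARTICIPATING, sum(PARTICIPATING))
    naive = slot_activity(PARTICIPATING, SUPPLY)
    print(f"relative to participating stake: active-slot probability {exact:.4f}")
    print(f"relative to total supply:        active-slot probability {naive:.4f}")
    key = b"constructed-secret"
    print(wins(key, 100, 1000, 20000), "wins vs", wins(key, 100, SUPPLY, 20000))
```

Dividing by the total supply instead of the participating stake roughly halves the rate at which slots get a leader in this scenario, which is why an implementation needs some estimate of the eligible stake even though no party reveals its own.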

Network anonymity

The paper correctly acknowledges that even with a lottery that discloses neither the amount of stake owned by each party nor the party’s identity, an adversary able to observe the network can approximate that value by looking at how often a node publishes a new block to the network.

What is broken: