Owner: @Thomas Lavaur
Reviewers: @Mehmet @Giacomo Pasini @Daniel Sanchez Quiros @Álvaro Castro-Castilla @David Rusu
Introduction
The Proof of Leadership (PoL) enables a leader to produce a zero-knowledge proof attesting that they hold an eligible note that has won the leadership lottery. This proof must be as lightweight as possible to generate and verify, for the following reasons:
- Generation must impose minimal restrictions on access to the role of leader, and thus maximize the decentralization of that role.
- Similarly, the proof and its context must be efficiently verifiable by validators.
This document extends the work presented in the Ouroboros Crypsinous paper with recent cryptographic developments.
References
Overview
Overview of the Protocol
The PoL mechanism ensures that a note has legitimately won the leadership election while protecting the leader's privacy. The protocol consists of two parts: setup and PoL generation.
- Setup:
- Draw a seed uniformly at random.
- Construct a Merkle tree composed of slot secrets derived from the seed.
- Use the root of the tree and the starting slot to get the leader's secret key. The starting slot is the slot from which the note can start to be used for PoL.
- The leader receives their stake in a note that uses this generated secret key. The leader either transfers this stake to themselves or obtains it from a different user.
- The note becomes eligible for PoS when it has aged sufficiently and the current slot number is greater than or equal to the starting slot of the note.
- PoL generation:
- First, check whether the note is winning by simulating the lottery.
- Prove the membership of the note identifier in an old snapshot of the Mantle ledger, proving its age and its existence.
- Prove the membership of the note identifier in the most recent Mantle ledger, proving that it is unspent.
- Prove that the note won the PoS lottery.
- Prove the knowledge of the slot secret for the winning slot.
- The proof is bound to a cryptographic public key used for signing the leader's proposed blocks.
Comparison with Original Crypsinous PoL
Our description differs from the proposal in the original paper: the leader proves directly that a note is unspent, instead of delegating that verification to validators. This design choice brings the following tradeoffs:
Advantages
- The ledger isn't required to be private using shielded notes.
- Validators don't need to maintain a nullifier list.
- Leaders keep their privacy by unlinking their stake, block and PoL.
- There is no leader note evolution mechanism anymore (see the paper for details).
- There are no orphan proofs anymore, removing the need to include valid PoL proofs from abandoned forks.
- Crypsinous forced us to maintain a parallel note commitment set integrating evolving notes over time. This requirement is removed now.
- The derivation of the slot secret and its Merkle proof can be done locally without connection to the Nomos chain.
Disadvantages
- We cannot compute the PoL far in advance because the leader must know the latest ledger state of Mantle.
Protocol
Protection Against Adaptive Adversaries
Introduction