Owner: @Thomas Lavaur
Reviewers: 🟢@Mehmet 🟢@Daniel Sanchez Quiros 🟢@David Rusu 🟢@Youngjoon Lee
Revision History
| Version | Changes |
|---|---|
| v1 | Initial revision. |
| v1.1 | Remove the protection against adaptive adversaries from PoL. This removes a non-enforced feature, simplifies the work for engineers, and improves the UX and performance of PoL and PoQ. Update the performance figures according to the new circuit. Remove the notion of NOMOS in DSTs. |
Introduction
The Proof of Leadership enables a leader to produce a zero-knowledge proof attesting to the fact that they have an eligible note that has won the leadership lottery. This proof must be as lightweight as possible to generate and verify, for the following reasons:
- Generation must impose minimal restrictions on access to the role of leader, and thus maximize the decentralization of that role.
- Similarly, the proof and its context must be efficiently verifiable by validators.
This document extends the work presented in the Ouroboros Crypsinous paper with recent cryptographic developments.
References
Overview
Overview of the Protocol
The PoL mechanism ensures that a note has legitimately won the leadership election while protecting the leader’s privacy. The protocol is:
- Setup: The note becomes eligible for PoS when it has aged sufficiently.
- PoL generation:
  - First, check if the note is winning by simulating the lottery.
  - Prove the membership of the note identifier in an old snapshot of the Mantle Ledger, proving its age and its existence.
  - Prove the membership of the note identifier in the most recent Mantle ledger, proving it’s unspent.
  - Prove that the note won the PoS lottery.
  - The proof is bound to a cryptographic public key used for signing the leader’s proposed blocks.
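The steps above, written as the relation a PoL attests to and checked here in the clear. This is an added illustration, not the specification's circuit or the project's code. The SHA-256 Merkle trees, the Praos-style lottery threshold, and every name and sample value are assumptions.

```python
import hashlib

def H(tag: bytes, *parts: bytes) -> bytes:
    """Domain-separated SHA-256; a stand-in for the circuit's hash (assumption)."""
    h = hashlib.sha256()
    for p in (tag, *parts):
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def merkle(leaves, index):  # -> (root, authentication path for leaves[index])
    level, path = [H(b"leaf", x) for x in leaves], []
    while len(level) > 1:
        if len(level) % 2:
            level.append(H(b"empty"))  # pad odd levels with a fixed empty node
        path.append((level[index ^ 1], index & 1))
        level = [H(b"node", level[i], level[i + 1]) for i in range(0, len(level), 2)]
        index //= 2
    return level[0], path

def in_tree(leaf, path, root):
    node = H(b"leaf", leaf)
    for sibling, node_is_right in path:
        node = H(b"node", sibling, node) if node_is_right else H(b"node", node, sibling)
    return node == root

def wins(note_id, secret, nonce, slot, stake, total, f):
    """Lottery with a Praos-style threshold 1 - (1 - f)^(stake/total) (assumed form)."""
    ticket = int.from_bytes(H(b"lottery", note_id, secret, nonce, slot.to_bytes(8, "big")), "big")
    return ticket < int((1 - (1 - f) ** (stake / total)) * 2**256)  # floats for brevity

def pol_relation(pub, wit):
    """PoL statement in the clear; a real proof hides `wit`, with leader_pk a public input."""
    return (in_tree(wit["note_id"], wit["aged_path"], pub["aged_root"])          # aged, exists
            and in_tree(wit["note_id"], wit["latest_path"], pub["latest_root"])  # unspent
            and wins(wit["note_id"], wit["secret"], pub["nonce"], pub["slot"],
                     wit["stake"], pub["total_stake"], pub["f"]))

def demo(note_index, f=1.0):
    aged = [b"note-A", b"note-B", b"note-C"]    # constructed aged snapshot
    latest = [b"note-A", b"note-C", b"note-D"]  # constructed latest ledger: note-B spent
    note = aged[note_index]
    aged_root, aged_path = merkle(aged, note_index)
    latest_root, latest_path = merkle(latest, latest.index(note) if note in latest else 0)
    pub = {"aged_root": aged_root, "latest_root": latest_root, "nonce": b"epoch-nonce",
           "slot": 7, "total_stake": 100, "f": f, "leader_pk": b"constructed-pk"}
    wit = {"note_id": note, "secret": b"note-secret", "stake": 10,
           "aged_path": aged_path, "latest_path": latest_path}
    return pol_relation(pub, wit)
```

`demo(1)` fails because note-B is absent from the latest ledger, which is the unspent check; setting `f` to 0.0 or 1.0 forces the lottery outcome so the result is deterministic.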
Comparison with Original Crypsinous PoL
Our description differs from the proposal in the original paper: we prove directly that a note is unspent instead of delegating that verification to validators. Moreover, we don't include the protection against adaptive adversaries, which cannot be enforced by the chain or incentivized. This design choice brings the following tradeoffs:
Advantages
- The ledger isn’t required to be private using shielded notes.
- Validators don’t need to maintain a nullifier list.
- Leaders keep their privacy by unlinking their stake, block and PoL.
- There is no leader note evolution mechanism anymore (see the paper for details).
- There are no orphan proofs anymore, removing the need to include valid PoL proofs from abandoned forks.
- Crypsinous forced us to maintain a parallel note commitment set integrating evolving notes over time. This requirement is now removed.
Disadvantages
- We cannot compute the PoL far in advance because the leader must know the latest ledger state of Mantle.
Protocol