Scientific Review of Key Retroactivity Network Consensus and its criticism of Proof of Stake protocols like Cardano (TLDR: in my opinion it's a lot of hogwash)

So the backdrop to this review is this twitter post:

According to the author:
“It demonstrates, among other things, that Ouroboros fails to replicate the core security guarantees of Nakamoto consensus”

The 103-page technical paper can be found here:

I just read it myself.

Of concern to Cardano are two suggested new forms of attack:
book-prize attacks and pseudo-transfer attacks.

It also has some interesting ideas regarding signal theory: instead of having a cost to send a signal (like how you stake your value to participate in a lottery for proof of stake), you could make the cost zero for honest signals and very large for dishonest signals. Thus the author argues that the whole system design of both proof of work and proof of stake is flawed and presents 3 arguments for this being the case (and we will tackle that part of the criticism first in this post):

The first premise is that it is very wasteful to make signals have a cost and that a better approach is to identify and give a great enough cost to a dishonest signal. The problem is this all rests on the fact that you can correctly identify a dishonest signal, and it introduces a whole slew of problems of its own and angles of attack (masking dishonest signals etc.; there are many good reasons why cryptocurrencies put a cost on signaling), so that the author's claim "There is thus no intrinsic reason that participants in permissionless consensus should be forced to waste money or computing power." is for me a claim that has not been backed up by research, as it rests on the assumption that you do not need to impose such a cost. To put it into a mental image, it's like saying we only need to pay the guards to show up at the bank when the bank robbery is about to take place. Any other security system is wasteful in the author's opinion.

The second argument, regarding signaling using a wrong statistical understanding, is for me also flawed, as it suggests models are based on statistical sampling when most models are based on mathematical assumptions and not sampling of data. As we shall see, this relates to the book-prize attack, which is named after an "attack" on the winner of Book of the Year in the Netherlands: only 92000 voted for the book prize and 70% voted for a new translation of the Bible because a group wanted to vote for this translation. So basically the argument is that the sample that participated in the voting was not representative of the entire population (the Netherlands) and they were able to vote for something other than what the majority would have wanted. First, it assumes the cost of not voting is the same, when, let's be frank, not a majority of people in the Netherlands gave the slightest concern to what would be the book of the year. Secondly, it assumes that there is no incentive to participate in any such sampling. This is far from the case, as Cardano gives staking rewards for participating in any voting (basically a negative cost, otherwise known as a reward), and not only does it give such a prize, it is a prize in itself to protect the value of your current ADA by participating in the network to keep it safe, not to speak of the social values / ideological reasons each individual user has for wanting such a system. To put it in a mental image, it's like saying you can steal this free pamphlet from the bank and this shows that the bank is not secure, while in reality it is, because frankly the bank or the bank depositors do not care enough to want to tackle this stealing behavior.

The third argument is that corruption could be adaptive: basically if an attacker robs a bank he would have the resources to rob even more banks, or, said in cryptocurrency terms, the maximum resources an attacker can bring to bear is more than his current resources, namely the resources he has plus the amount he can grab during any such attack or from outside the system involved. But this is also flawed, as it assumes the users of said cryptocurrency would stand idly by to watch these attacks unfold and that the trickle of resources is not time limited, nor the sale of the token itself limited. In Cardano you would get a small trickle of resources flowing into the system during any given time slot (20 seconds), and even during an epoch this is far less than the resources available in the system, and there is plenty of time for users to react to such an attack over time. Same with coins sold on the market. In a mental image, it's like saying Iraq can dominate Saudi Arabian oil field installations and attack them one by one, while in reality at some point allies or the world would start to react before it was too late.

The conclusion that it costs a lot for users to participate in the signaling is also wrong: it costs a user very little computational power to delegate a stake to a pool, we are talking minutes or seconds in a 5-day period of time and a small fee much less than the reward. So this type of theoretical attack, not based on actual use cases in Cardano, is for me very odd to see and not really based or grounded in reality.

The pseudo-transfer attack, on the other hand, rests on the premise that users can hide that they are in control since, well, the internet is anonymous. Or as the author writes: "It demonstrates that the adversary can execute a pseudo-transfer attack, in which it shifts stake between its own cryptographic addresses to generate the illusion of decentralization. The movement of stake on a Proof-of-Stake ledger therefore provides no assurance of security". Yes, the movement in itself does not prove the pools and users are decentralized; this is a fair assessment. KYC however does, to quite an extent, and is one of the reasons I am very much for transparency in ICOs and in ownership by IOHK, EMURGO and CF. And it also still rests on the premise that the attack will be worth it for the attacker, so that the cost of the signal is not too high. It does not help to shift around your ADA in different addresses if the cost of taking over the network is too high.

The author also suggests a form of attack where you buy a majority while the cryptocurrency is low in price and then attack later when the network has great value, for a much reduced cost compared with the current value flowing in the system. But this is counter-logic: if you have a majority at a greater value, why would you even risk such an attack that could end up making the cryptocurrency fall like a rock in price as users discover that the currency is corrupted? Granted, you could siphon out money slowly, but still you risk users finding out and then you will have a race to the bottom to sell all the value you are sitting on. For me this only makes sense if, say, a government wanted to stop Cardano from getting off the ground. But if they did not do this at the very start (highly unlikely), this type of attack gets harder and harder to accomplish, and it assumes that other governmental interests would not want to interfere. And frankly no cryptocurrency is currently safe from an attacker that is willing to bear the full cost of any such attack (say the US wanting to sacrifice 1 trillion if that is the cost of the whole entire ADA ecosystem). However, this assumes they are able to acquire said resource, and what is stopping users from not selling for reasons that cannot be measured in valuations (freedom, liberty)? In general I think the social costs of attacks are very much an under-looked area of research.

Finally, in regards to Ouroboros failing to replicate the core security guarantees of Nakamoto consensus, the author claims: "In Nakamoto consensus, late-joining agents are not forced to place their trust in the initial set of protocol participants, because control of the protocol becomes verifiably decentralized as the total hashing power on the network expands; in Proof-of-Stake algorithms, the total quantity of cryptographic stake does not increase when new agents join the protocol, so the initial participants can remain in control indefinitely.

It has previously been argued that, even if such an attack is theoretically possible, it can be ruled out on a given blockchain once enough stake has migrated to new addresses.

The present paper disproves this claim. It demonstrates that the adversary can execute a pseudo-transfer attack, in which it shifts stake between its own cryptographic addresses to generate the illusion of decentralization. The movement of stake on a Proof-of-Stake ledger therefore provides no assurance of security"

As you can read from above, yes, it is true that you can do pseudo-transfer attacks, as the current Cardano method has no Know Your Customer (KYC) after the initial distribution and so it is easy to fake identities and shift money around to make a system look decentralized. It is still flawed, since this does not matter for the safety of Cardano, as it is designed based on not knowing any single user and using mathematics to show that the cost of gaining a majority would be too large for any such attacker to consider such an attack. And the owners we do know from genesis/birth are very transparent and have a vested interest in not allowing any attack to succeed (IOHK, EMURGO, CF), since they profit far more as Cardano grows, as they have a majority of ADA and can only sell for profit if other users trust the system. (Prices would plummet like a rock if, say, IOHK did a double spend attack.)
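To make the pseudo-transfer point concrete, here is an added toy simulation. It is my own constructed example, not code from the paper, the post author, or IOHK/Cardano, and the ledger contents, entity names and the simplified leader lottery are all assumptions for illustration. An adversary holding 60% of stake in one address splits it across 30 addresses it also controls. The address-level Nakamoto coefficient (smallest number of holders whose combined stake exceeds half) jumps from 1 to 10, so the ledger looks more decentralized, but aggregated by the controlling entity it stays 1, and the adversary's share of slots under a stake-weighted lottery stays around 60%. The example goes slightly beyond the post by computing the same metric at both the address and entity level, which is exactly the gap the author says address movement cannot close.

```python
"""Pseudo-transfer illustration (constructed toy model, not Cardano's ledger code).

An adversary holding a majority of stake in one address splits it across many
addresses it also controls.  Address-level decentralisation metrics improve,
but the entity-level distribution, and hence the adversary's chance of being
elected slot leader, is unchanged.
"""
import random
from collections import defaultdict


def nakamoto_coefficient(shares):
    """Smallest number of largest holders whose combined stake exceeds 50%.
    `shares` maps holder -> stake amount (any unit)."""
    total = sum(shares.values())
    running = 0.0
    for i, amount in enumerate(sorted(shares.values(), reverse=True), start=1):
        running += amount
        if running > total / 2:
            return i
    return len(shares)


def entity_view(stake, owner):
    """Aggregate address-level stake by controlling entity.  The `owner`
    mapping is private knowledge; an on-chain observer only sees `stake`."""
    agg = defaultdict(float)
    for addr, amount in stake.items():
        agg[owner[addr]] += amount
    return dict(agg)


def pseudo_transfer(stake, owner, entity, n_addresses):
    """Move every unit `entity` controls into `n_addresses` fresh addresses and
    return new (stake, owner) dicts.  Total stake and ownership are unchanged;
    only the on-chain address picture changes."""
    stake, owner = dict(stake), dict(owner)
    mine = [a for a in stake if owner[a] == entity]
    pool = sum(stake.pop(a) for a in mine)
    for a in mine:
        owner.pop(a)
    for i in range(n_addresses):
        addr = f"{entity}-shadow-{i}"  # hypothetical address label
        stake[addr] = pool / n_addresses
        owner[addr] = entity
    return stake, owner


def leader_share(stake, owner, entity, slots, seed=1):
    """Fraction of `slots` won by `entity` under a stake-weighted leader
    election (one winner per slot, probability proportional to address stake).
    This is a deliberate simplification of the real Ouroboros lottery, kept
    only to show the win rate depends on controlled stake, not address count."""
    rng = random.Random(seed)
    addrs = list(stake)
    weights = [stake[a] for a in addrs]
    wins = sum(owner[a] == entity for a in rng.choices(addrs, weights=weights, k=slots))
    return wins / slots


# Constructed example ledger: adversary "adv" holds 60 of 100 units in one
# address; four honest entities hold 10 units each.
STAKE = {"adv-0": 60.0, "h1-0": 10.0, "h2-0": 10.0, "h3-0": 10.0, "h4-0": 10.0}
OWNER = {addr: addr.split("-")[0] for addr in STAKE}


def compare(n_shadow=30, slots=20000):
    """Return the decentralisation metrics before and after the pseudo-transfer."""
    after_stake, after_owner = pseudo_transfer(STAKE, OWNER, "adv", n_shadow)
    return {
        "addr_nc_before": nakamoto_coefficient(STAKE),
        "addr_nc_after": nakamoto_coefficient(after_stake),
        "entity_nc_before": nakamoto_coefficient(entity_view(STAKE, OWNER)),
        "entity_nc_after": nakamoto_coefficient(entity_view(after_stake, after_owner)),
        "adv_slots_before": leader_share(STAKE, OWNER, "adv", slots),
        "adv_slots_after": leader_share(after_stake, after_owner, "adv", slots),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:18s} {value}")
```

The address-level coefficient is what a block explorer or a "stake has migrated" argument sees; the entity-level coefficient is what actually bounds the adversary, and only out-of-band knowledge such as KYC or genesis ownership, as the post argues, can tie the two together.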


Anticipation of IOHK's response is killing me now


I should add the author(s) has a very good observation in how bitcoin's proof of work system means in reality that the adoption of the currency will at most be as large as the number of users who are able to trust the staking pools with the highest computational power. But I would add this differs significantly for Cardano, since it is based on a stake, and a staking process that demands very few resources of any single user to participate in, and in fact encourages and rewards participation by everyone.


Also, the author(s) should go back to a statistics 101 course to read up on exactly how to use population in statistics, as you only need to account for all observations possible at a given time in any system for the current population, not its potential population (the math used in the paper uses an estimated Internet population of 4 billion users to compare with current users, and this is just a wrong use of population terminology). A mental image of this is like saying you will not pick any of the kids in the school yard to play on your team since you want Ronaldo, but you are not selecting players from the world pool.

«We can apply the minimum participation requirements for permissionless consensus in our deterministic-participation model to protocols running on the internet by assuming a maximum cardinality of 4 billion for N, based on present estimates of the number of unique internet users. (|𝑁|MQR ≈ 4x10^9). To exceed 2% participation, as required if 99% of the internet population is correct, a consensus protocol needs more than 80 million users. To exceed 20% participation, as required if 90% of the internet population is correct, the protocol needs more than 800 million users. To exceed 40% participation, as required if 80% of the internet population is correct, the protocol needs more than 1.6 billion users.»

Yeah. If Cardano has 4 billion users that's not really going to be a problem, is it…

Note here the key is the usage of population. I understand the point given is that the most for any math would be 4 billion, but this in itself is flawed logic and is at the core of how you use this statistical term. Population is the maximum observations/data points given at any moment of time on a set of data. We do not know if this would be 4 billion at most, and it is full of assumptions we have no causality to make. For example, imagine that with hot air balloon wifi or satellite wifi 5 billion will have internet 5 years from now, or that only a subset of 3 billion could ever utilize the access they are given. It is for such reasons that you use the maximum observations at a given time and make no assumptions about the future you cannot make.


Another flaw of logic is in the assumption that anything can be purchased given an unlimited amount of resources, thus any cryptocurrency that is truly safe needs to be tied to the value of resources already in the world.

«Indeed, since every resource can be bought or sold for money, an adversary of sufficient wealth can acquire the majority of any resource. Our structural axiom must therefore be the maximum overall wealth of 𝒜, as measured by the combined value of all the resources it controls. This axiom is intrinsically reliable, because even if 𝒜 trades its endowment for a different allocation of resources, it does not have the power to volitionally increase its wealth.»

1. Let's say the government of the US wants to buy Cardano for 1 trillion but surprisingly users refuse! Many claim the value of liberty is worth more to them than any resource offered (social argument), and also government Y is offering a better deal of only participating with a shard instead of full control (competing resources argument), as they have more to gain and users less to lose. Another example would be the political cost of such an action if the population of said country supported the idea of a global cryptocurrency.

The author then again uses statistics wrongly by assuming the wealth population must mean all liquid wealth in the world.

«It is indisputably necessary for any definition of liquid wealth to include the global economy’s most liquid asset, fiat money. Given that the combined value of all fiat money is approximately 80 Trillion USD, we can therefore conclude that 𝑊 ≥ 80x10^12. If k=0.5, then verifiably secure permissionless resource-weighted Byzantine consensus requires a staking resource whose value exceeds $16 Trillion USD. This figure is orders of magnitude larger than the sample sizes achieved by existing protocols. The largest Proof-of-Stake ICO in history purportedly attracted $4 Billion in investment, which is 0.00025 of the minimum sample size we have just calculated.»

But this is not a correct assessment in oh so many ways, for example:

  1. For attacks to gain value you would only spend fewer resources than what you could gain, so you must compare with current or near-term valuations, not a potential value of all liquid resources. As I showed above in the first post, even if the value grew massively it would then make no sense to finish the attack. This also shows how wrong it is to use population data in the way the author thinks it can be used.

  2. For attacks other than for value (for example governmental control) you would also have to account for the owners' disposition to want to part with the resources. For example, hell would freeze over before I sold my ADA to a government wanting to do a hostile takeover, and I think I am not the only one. As a bare minimum, greedy users would want more and more as they saw any nation try to buy, and liquidity of the resource would dry up quickly (not only the value of a resource needs to be put in such a model but also its availability, thus again driving home the fact that the population consists of all data points at any given time, in this case, because of scarcity of availability, less than the potential resources available over an infinite amount of time).


I would read his damn "scientific review" when his paper has been through ACS, Financial Crypto, Eurocrypt or some REAL peer review. That's why I have read IOHK papers!

I am not going to read some words he wrote while thinking he's a genius! Cardano papers have been through peer review; it seems to me his rebuttal should go through the same process.

Just so the right persons give their comments. Isn't that what Charles taught us: process over people!


Sure, I would love for the author to submit to a peer review process for expert review. But please be better than "damn paper"; he clearly put a lot of work into it and had some interesting viewpoints. Good arguments are good no matter where and how they come about. The community can also engage in discussion on these papers too, not just domain experts.