Why use key-evolving signatures?


#1

The latest Ouroboros Genesis paper uses key-evolving signatures (KES). I have a few questions regarding them:

  1. Why use of using key-evolving signatures (as opposed to non-key-evolving signatures like Bitcoin has)?
  2. What security risk do they address?
  3. What specific key-evolving construction does Cardano intend to use?

#2

Hello! I might try to address first two. And the answer to both is kinda the same.

Unlike in Proof-of-Work, where you have to spend computational power to create a single block (block costs you money), in Proof-of-Stake you don’t have to spend a resource like this - instead, protocol selects “a winner” that gets the right to create a block. And once the winner is selected - it costs him almost nothing to create a block.

This introduces the “Nothing on stake” problem, where malicious agent may just randomly try to create additional branches of the chain of any length, since it costs nothing to create a block. Ouroboros solves this problem by introducing slots and epochs. Once at the start of each epoch - special multiparty randomness algorithm selects a set of slot-leaders for the whole epoch (5 days, for now). So for each 5 days - there’s a kinda “fixed” set of leaders (elected randomly from all nodes - no “VIP” stuff here), so random adversary cannot just come in and try to game the whole system, since there’s already a schedule for the whole epoch.

This slots\epochs mechanism also protects system from “Nothing at stake”, cuz adversary cannot just randomly generate some random scam-chain from the same genesis block, since the set of slot-leaders would be the same from the start, and he would have to somehow corrupt the real existing nodes that was leaders at the time.

But this introduces another possibility - nodes that was elected slot-leaders in the past could be hacked, or loose, or just sell their private keys. And if adversary would be able to collect enough such keys for the whole history of the chain - he could be able to recreate it but with his transactions.

So, in order to eliminate the possibility of a past slot-leaders to give away their keys - Ouroboros Praos decides to destroy them. So every slot-leader at the time of his slot now has two key-sets - his private key as a node (like standard keys from a wallet) and a special block-signing key (afaik, derived from his private key by a special function). When his slot comes up - he produces a special key, then uses it to sign his block, and then destroys it. And in the future after that adversary is not able to reproduce the same key, so he can’t get the right to recreate past slots.

So, that’s why to do this. How exactly is it done - that’s another and waaaaay more complex question. I can’t explain it for now properly, and I hope someone else gonna do it. But I know that for now it causes some additional questions, like - how will system be sure that a node really destroyed those keys. I know that there might be some complex techniques, like proof-of-burn, and I’m really interested to see if they will be able to come up with something like proof-of-destruction. Would be cool as hell :slight_smile:


#3

I don’t see how key-evolving signatures helps here. For example, how does KES prevent nodes from selling the master private key? Same question for hacking. Is it that the master private key and the “special key” are on different machines? Is the master private key in cold storage somehow?


#4

As far, as I understand, “master” private key does not give the chance to recreate the signing-key. Or maybe it is not even used in obtaining signing-key. You can find more detail in this document, and correct me wherever I am wrong, I will be very glad:


#5

Interesting questions and assumptions.

What I wonder is how to define who is a dishonest adversary and who an honest minter who “lost” his former keys. Both are ways that would theoretically allow collecting enough keys for a future attack.

From my understanding: dishonest = dishonest period. We always must assume the worst from adversaries. If there are enough dishonest participants (majority) every blockchain would break.

So the mattering part of participants are the honest ones.
In my opinion, there is no honest minter who will sell his keys. At that moment he’s already a member of the dishonest group who wants to board the chain by “simply” bringing the honest majority below 50%. At that point they probably wouldn’t need the keys at all.

Real honest minters should destroy their keys because they want to protect themselves and all transactions on their own and all following blocks. And also because they don’t want to put at risk their own and all delegated stakes. This includes not only the execution of the destruction function and the overwriting of the bits on RAM and hard disk, but also the operation of the node in a secure environment. (no buggy kernel, virtualization or meltdowned CPUs)

But all others can’t rely on this until special (eco-friendly!) minting hardware or a proof-of-destruction algorithm guarantees it.

If I haven’t forgotten anything, it would mean that we have to look after a dishonest minority that could be able to hack enough (professional) staking pools to steal their keys and overwhelm the majority. Correct?