Below we present the simulator used in the proof that the UC implementation of Ouroboros Genesis securely realizes the ledger functionality $\mathcal{G}_{\text{ledger}}$. The simulator shares the basic structure with the simulator provided in [3] and differs in several low-level details.
Overview:
– The simulator internally emulates all local UC functionalities by running the code (and keeping the state) of $\mathcal{F}_{\text{VRF}}$, $\mathcal{F}_{\text{KES}}$, $\mathcal{F}_{\text{INIT}}$, $\mathcal{F}^{\text{bc}}_{\text{N-MC}}$, and $\mathcal{F}^{\text{tx}}_{\text{N-MC}}$.
– The simulator mimics the execution of Ouroboros-Genesis for each honest party $U_p$ (including their state and the interaction with the hybrids).
– The simulator emulates a view towards the adversary $\mathcal{A}$ in a black-box way, i.e., by internally running adversary $\mathcal{A}$ and simulating his interaction with the protocol (and hybrids) as detailed below for each hybrid. To simplify the description, we assume $\mathcal{A}$ does not violate the requirements by the wrapper $\mathcal{W}^{\text{PoS}}_{\text{OG}}(\cdot)$ as this would imply no interaction between $\mathcal{S}_{\text{ledg}}$ (i.e., the emulated hybrids) and $\mathcal{A}$.
– For global functionalities, the simulator simply relays the messages sent from $\mathcal{A}$ to the global functionalities (and returns the generated replies). Recall that the ideal world consists of the dummy parties, the ledger functionality, the clock, and the global random oracle.
Party sets:
– As defined in the main body of this paper, honest parties are categorized. We denote by $\mathcal{S}_{\text{alert}}$ the alert parties (synchronized and executing the protocol) and use $\mathcal{S}_{\text{syncStalled}}$ as shorthand for parties that are synchronized (and hence time aware and online) but stalled. Finally, we denote by $\mathcal{P}_{DS}$ all honest but de-synchronized parties (both operational or stalled).
– For each registered honest party, the simulator maintains the local state containing in particular the local chain $\mathcal{C}^{(U_p)}_{\text{loc}}$, the time $t_{\text{on}}$ it remembers when last being online. For each party $U_p$ and clock time $\tau$, the simulator stores a flag $\text{update}_{U_p,\tau}$ (initially false) to remember whether this party has updated its state already in this round. Note that a registered party is registered with all its local hybrids.
– Upon any activation, the simulator will query the current party set from the ledger, the clock, and the random oracle to determine which category an honest party belongs to. If a new honest party is registered to the ledger, the simulator internally runs the initialization procedure of Ouroboros-Genesis.
– We assume that the simulator queries upon any activation for the sequence $\vec{\mathcal{I}}^T_H$, and the current time $\tau$ from the clock. We note that the simulator is capable of determining predict-time(·) of $\mathcal{G}_{\text{ledger}}$.
Messages from the Clock:
– Upon receiving (clock-update, $\text{sid}_C$, $U_p$) from $\mathcal{G}_{\text{clock}}$, if $U_p$ is an honest registered party, then remember that this party has received such a clock update (and the environment gets an activation). Otherwise, send (clock-update, $\text{sid}_C$, $U_p$) to $\mathcal{A}$.
Messages from the Ledger:
– Upon receiving (submit, BTX) from $\mathcal{G}_{\text{ledger}}$ where BTX := (tx, txid, $\tau$, $U_p$), forward (multicast, sid, tx) to the simulated network $\mathcal{F}_{\text{N-MC}}$ in the name of $U_p$. Output the answer of $\mathcal{F}_{\text{N-MC}}$ to the adversary.
– Upon receiving (maintain-ledger, sid, minerID) from $\mathcal{G}_{\text{ledger}}$, extract from $\vec{\mathcal{I}}^T_H$ the party $U_p$ that issued this query. If $U_p$ has already completed its round-task, then ignore this request. Otherwise, execute SimulateStaking($U_p$, $\tau$).
Simulation of Functionality $\mathcal{F}_{\text{INIT}}$ towards $\mathcal{A}$:
– The simulator relays back and forth the communication between the (internally emulated) $\mathcal{F}_{\text{INIT}}$ functionality and the adversary $\mathcal{A}$ acting on behalf of a corrupted party.
– If at time $\tau = 0$, a corrupted party $U_p \in \mathcal{S}_{\text{initStake}}$ registers via (ver_keys, sid, $U_p$, $v^{\text{vrf}}_{U_p}$, $v^{\text{kes}}_{U_p}$) to $\mathcal{F}_{\text{INIT}}$, then input (register, sid) to $\mathcal{G}_{\text{ledger}}$ on behalf of $U_p$.
Simulation of the Functionalities $\mathcal{F}_{\text{KES}}$ and $\mathcal{F}_{\text{VRF}}$ towards $\mathcal{A}$:
– The simulator relays back and forth the communication between the (internally emulated) hybrids and the adversary $\mathcal{A}$ (either direct communication, communication to $\mathcal{A}$ caused by emulating the actions of honest parties, or communication of $\mathcal{A}$ on behalf of a corrupted party).
Simulation of the Network $\mathcal{F}^{\text{bc}}_{\text{N-MC}}$ (over which chains are sent) towards $\mathcal{A}$:
– Upon receiving (multicast, sid, $(\mathcal{C}_{i_1}, U_{i_1}), \ldots, (\mathcal{C}_{i_\ell}, U_{i_\ell})$) with a list of chains and corresponding parties from $\mathcal{A}$ (or on behalf of some corrupted $P \in \mathcal{P}_{\text{net}}$), then do the following:
  1. Relay this input to the simulated network functionality and record its response to $\mathcal{A}$.
  2. Execute ExtendLedgerState($\tau$).
  3. Provide $\mathcal{A}$ with the recorded output of the simulated network.
– Upon receiving (multicast, sid, $\mathcal{C}$) from $\mathcal{A}$ on behalf of some corrupted party $P$, then do the following:
  1. Relay this input to the simulated network functionality and record its response to $\mathcal{A}$.
  2. Execute ExtendLedgerState($\tau$).
  3. Provide $\mathcal{A}$ with the recorded output of the simulated network.
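– Upon receiving (fetch, sid) from $\mathcal{A}$ on behalf of some corrupted $P \in \mathcal{P}_{\text{net}}$, forward the request to the simulated $\mathcal{F}^{\text{bc}}_{\text{N-MC}}$ and return whatever is returned to $\mathcal{A}$.
– Upon receiving (delays, sid, $(T_{\text{mid}_{i_1}}, \text{mid}_{i_1}), \ldots, (T_{\text{mid}_{i_\ell}}, \text{mid}_{i_\ell})$) from $\mathcal{A}$: Forward the request to the simulated $\mathcal{F}^{\text{bc}}_{\text{N-MC}}$ and record the answer to $\mathcal{A}$. Before giving this answer to $\mathcal{A}$, query the ledger state $\mathsf{state}$ and execute AdjustView($\mathsf{state}$).
– Upon receiving (swap, sid, mid, mid′) from $\mathcal{A}$: Forward the request to the simulated $\mathcal{F}^{\text{bc}}_{\text{N-MC}}$ and record the answer to $\mathcal{A}$. Before giving this answer to $\mathcal{A}$, query the ledger state $\mathsf{state}$ and execute AdjustView($\mathsf{state}$).
Simulation of the Network $\mathcal{F}^{\text{tx}}_{\text{N-MC}}$ (over which transactions are sent) towards $\mathcal{A}$: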
– Upon receiving (multicast, sid, $(m_{i_1}, U_{i_1}), \ldots, (m_{i_\ell}, U_{i_\ell})$) with a list of transactions from $\mathcal{A}$ on behalf of some corrupted $P \in \mathcal{P}_{\text{net}}$, then do the following:
  1. Submit the transaction(s) to the ledger on behalf of this corrupted party, and receive for each transaction the transaction id txid.
  2. Forward the request to the internally simulated $\mathcal{F}^{\text{tx}}_{\text{N-MC}}$, which replies for each message with a message-ID mid.
  3. Remember the association between each mid and the corresponding txid.
  4. Provide $\mathcal{A}$ with whatever the network outputs.
– Upon receiving (multicast, sid, $m$) from $\mathcal{A}$ on behalf of some corrupted party $P$, then execute the corresponding steps 1. to 4. as above.
– Upon receiving (fetch, sid) from $\mathcal{A}$ on behalf of some corrupted $P \in \mathcal{P}_{\text{net}}$, forward the request to the simulated $\mathcal{F}^{\text{tx}}_{\text{N-MC}}$ and return whatever is returned to $\mathcal{A}$.
– Upon receiving (delays, sid, $(T_{\text{mid}_{i_1}}, \text{mid}_{i_1}), \ldots, (T_{\text{mid}_{i_\ell}}, \text{mid}_{i_\ell})$) from $\mathcal{A}$, forward the request to the simulated $\mathcal{F}^{\text{tx}}_{\text{N-MC}}$ and return whatever is returned to $\mathcal{A}$.
– Upon receiving (swap, sid, mid, mid′) from $\mathcal{A}$, forward the request to the simulated $\mathcal{F}^{\text{tx}}_{\text{N-MC}}$ and return whatever is returned to $\mathcal{A}$.
procedure SimulateStaking($U_p$, $\tau$)
  Simulate the core staking procedure of party $U_p$ as in the protocol in round $\tau$. This includes running procedures FetchInformation and UpdateStakeDist of party $U_p$ (using the emulated network).
  if $\text{update}_{U_p,\tau}$ then
    Send (clock-update, $\text{sid}_C$, $U_p$) to $\mathcal{A}$ if $\mathcal{S}_{\text{ledg}}$ has received such an input in round $\tau$
  else
    Execute the StakingProcedure and set $\text{update}_{U_p,\tau} \leftarrow$ true
    – Includes sending messages to the emulated network $\mathcal{F}^{\text{bc}}_{\text{N-MC}}$. Before the activation goes to $\mathcal{A}$, execute ExtendLedgerState($\tau$).
  end if
  Remember that party $U_p$ has completed for this round $\tau$.
end procedure
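procedure ExtendLedgerState($\tau$)
  for each synchronized party $U_p \in \mathcal{S}_{\text{alert}} \cup \mathcal{S}_{\text{syncStalled}}$ of round $\tau$ do
    Let $\mathcal{C}^{(U_p)}_{\text{loc}}$ be the party's currently stored local chain.
    Determine the number of rounds $\rho^{(U_p)}$ this party lags behind $\tau$, i.e., $\rho^{(U_p)} = \tau - t^{(U_p)}_{\text{on}}$.
    Let $\mathcal{C}^{(U_p)}_1, \ldots, \mathcal{C}^{(U_p)}_k$ be the chains contained in the receiver buffer $\vec{M}^{(U_p)}$ of $\mathcal{F}^{\text{bc}}_{\text{N-MC}}$ with delay at most $\rho^{(U_p)}$.
    Evaluate $\mathcal{C}_{U_p} \leftarrow \text{maxvalid-bg}(\mathcal{C}^{(U_p)}_{\text{loc}}, \mathcal{C}^{(U_p)}_1, \ldots, \mathcal{C}^{(U_p)}_k)$ and let this chain's encoded state be $\vec{\mathsf{st}}_{U_p}$.
  end for
  Let $\vec{\mathsf{st}}$ be the longest state among all such states $\vec{\mathsf{st}}_{U_p}$, $U_p \in \mathcal{S}_{\text{alert}} \cup \mathcal{S}_{\text{syncStalled}}$ from above.
  Compare $\vec{\mathsf{st}}^{\lceil k}$ with the current state $\mathsf{state}$ of the ledger
  if $|\mathsf{state}| > |\vec{\mathsf{st}}^{\lceil k}|$ then // Only pointers need adjustments
    Execute AdjustView($\mathsf{state}$)
  end if
  if $\mathsf{state}$ is not a prefix of $\vec{\mathsf{st}}^{\lceil k}$ then // Simulation fails
    Abort simulation: consistency violation among synchronized parties. // Event $\text{BAD-CP}_k$
  end if
  Define the difference $\mathsf{diff}$ to be the block sequence s.t. $\mathsf{state} \| \mathsf{diff} = \vec{\mathsf{st}}^{\lceil k}$. Parse $\mathsf{diff} := \mathsf{diff}_1 \| \ldots \| \mathsf{diff}_n$.
  for $j = 1$ to $n$ do
    Map each transaction tx in this block to its unique transaction ID txid. If a transaction does not yet have a txid, then submit it to the ledger first and receive the corresponding txid from $\mathcal{G}_{\text{ledger}}$
    Let $\text{list}_j = (\text{txid}_{j,1}, \ldots, \text{txid}_{j,\ell_j})$ be the corresponding list for this block $\mathsf{diff}_j$
    if coinbase $\text{txid}_{j,1}$ specifies a party honest at block creation time then
      $\text{hFlag}_j \leftarrow 1$
    else
      $\text{hFlag}_j \leftarrow 0$
    end if
    Output (next-block, $\text{hFlag}_j$, $\text{list}_j$) to $\mathcal{G}_{\text{ledger}}$ (receiving (next-block, ok) as an immediate answer)
  end for
  if Fraction of blocks with hFlag = 0 in the recent $k$ blocks $> 1 - \mu$ then
    Abort simulation: chain quality violation. // Event $\text{BAD-CQ}_{\mu,k}$
  else if State increases less than $k$ blocks during the last $\frac{k}{\tau_{CG}}$ rounds then
    Abort simulation: chain growth violation. // Event $\text{BAD-CG}_{\tau_{CG},\,k/\tau_{CG}}$
  end if
  // If no bad event occurs, we can adjust pointers into this new state.
  Execute AdjustView($\mathsf{state} \| \mathsf{diff}$)
end procedure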
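The prefix and chain-quality checks of ExtendLedgerState, as an added Python example (not code from the paper or from any Ouroboros implementation). It takes each party's state as already computed rather than running maxvalid-bg over network buffers, and leaves out the chain-growth check, which needs round tracking. Assumptions: the names `Block`, `chop`, `extend_ledger_state` and `demo` are hypothetical, blocks carry a constructed honesty flag, and the procedure stops after the pointer-only case.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Block:
    txids: tuple   # txids[0] stands in for the coinbase transaction
    honest: bool   # constructed flag: creator honest at block creation time

class SimulationAbort(Exception):
    """A bad event occurred and the simulation stops."""

def chop(state, k):
    # st^{ceil k}: drop the last k blocks (state[:-0] would be empty, hence the guard)
    return state[:-k] if k > 0 else state

def extend_ledger_state(ledger, party_states, k, mu):
    """ledger: tuple of Blocks; party_states: {party: tuple of Blocks}.
    Returns (new_ledger, next_block_messages) or raises SimulationAbort."""
    longest = max(party_states.values(), key=len)
    stable = chop(longest, k)
    if len(ledger) > len(stable):
        # Only pointers need adjusting (AdjustView). Assumption: stop here.
        return ledger, []
    if stable[:len(ledger)] != ledger:
        raise SimulationAbort("BAD-CP")      # ledger is not a prefix
    diff = stable[len(ledger):]
    msgs = [("next-block", int(b.honest), list(b.txids)) for b in diff]
    new_ledger = ledger + diff
    # Assumption: chain quality is only checked once k blocks exist.
    if k > 0 and len(new_ledger) >= k:
        adversarial = sum(not b.honest for b in new_ledger[-k:]) / k
        if adversarial > 1 - mu:
            raise SimulationAbort("BAD-CQ")
    return new_ledger, msgs

def demo():
    """Constructed sample: three synchronized parties, k = 2, mu = 0.5."""
    b = [Block((f"cb{i}", f"tx{i}"), honest=(i != 2)) for i in range(6)]
    views = {"U1": tuple(b[:5]), "U2": tuple(b[:6]), "U3": tuple(b[:4])}
    extended = extend_ledger_state((b[0], b[1]), views, k=2, mu=0.5)
    forked = (b[0], Block(("cbX",), honest=False))   # diverges at height 1
    try:
        extend_ledger_state(forked, views, k=2, mu=0.5)
        event = None
    except SimulationAbort as exc:
        event = str(exc)
    return extended, event

if __name__ == "__main__":
    print(demo())
```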
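procedure AdjustView($\mathsf{state}$, $\tau$)
  // Adjust the view of synchronized parties.
  pointers $\leftarrow \varepsilon$
  for $U_p \in \mathcal{P}$ of round $\tau$ do
    Let $\mathcal{C}^{(U_p)}_{\text{loc}}$ be the party's currently stored local chain.
    Determine the number of rounds $\rho^{(U_p)}$ this party lags behind $\tau$, i.e., $\rho^{(U_p)} = \tau - t^{(U_p)}_{\text{on}}$.
    Let $\mathcal{C}^{(U_p)}_1, \ldots, \mathcal{C}^{(U_p)}_k$ be the chains contained in the receiver buffer $\vec{M}^{(U_p)}$ of $\mathcal{F}^{\text{bc}}_{\text{N-MC}}$ with delay at most $\rho^{(U_p)}$.
    Evaluate $\mathcal{C}_{U_p} \leftarrow \text{maxvalid-bg}(\mathcal{C}^{(U_p)}_{\text{loc}}, \mathcal{C}^{(U_p)}_1, \ldots, \mathcal{C}^{(U_p)}_k)$ and let this chain's encoded state be $\vec{\mathsf{st}}_{U_p}$.
  end for
  for each synchronized party $U_p \in \mathcal{S}_{\text{alert}} \cup \mathcal{S}_{\text{syncStalled}}$ of round $\tau$ do
    Determine the pointer $\text{pt}_{U_p}$ s.t. $\vec{\mathsf{st}}^{\lceil k}_{U_p} = \mathsf{state}|_{\text{pt}_{U_p}}$
    if such a pointer value does not exist then
      return // Call on invalid input or event $\text{BAD-CP}_k$ occurred
    end if
    if $\text{update}_{U_p,\tau}$ = false then // Party did not start StakingProcedure in $\tau$.
      pointers $\leftarrow$ pointers $\|$ $(U_p, \text{pt}_{U_p})$
    end if // As otherwise, the new state is only fetched in the next round
  end for
  Output (set-slack, pointers) to $\mathcal{G}_{\text{ledger}}$
  // Now, adjust the view of de-synchronized parties.
  pointers $\leftarrow \varepsilon$
  desyncStates $\leftarrow \varepsilon$
  for each de-synchronized party $U_p \in \mathcal{P}_{DS}$ do
    if $\text{update}_{U_p,\tau}$ = false then
      Set the pointer $\text{pt}_{U_p}$ to be $|\vec{\mathsf{st}}^{\lceil k}_{U_p}|$
      pointers $\leftarrow$ pointers $\|$ $(U_p, \text{pt}_{U_p})$
      desyncStates $\leftarrow$ desyncStates $\|$ $(U_p, \vec{\mathsf{st}}^{\lceil k}_{U_p})$
    end if // As otherwise, the new state is only fetched in the next round
    Output (set-slack, pointers) to $\mathcal{G}_{\text{ledger}}$
    Output (desync-state, desyncStates) to $\mathcal{G}_{\text{ledger}}$
  end for
end procedure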