Hi, I’m Saad. Welcome to my blog, and here is my story.


Our paper, titled *How to Realize a Graph on Random Points*, is now up on the arXiv. I’ll write more about it in future posts.

**Abstract:**

We are given an integer , a graph , and a uniformly random embedding of the vertices. We are interested in the probability that can be “realized” by a scaled Euclidean norm on , in the sense that there exists a non-negative scaling and a real threshold so that where . These constraints are similar to those found in the Euclidean minimum spanning tree (EMST) realization problem. A crucial difference is that the realization map is (partially) determined by the random variable .

In this paper, we consider embeddings for arbitrary . We prove that arbitrary trees can be realized with high probability when . We prove an analogous result for graphs parametrized by the arboricity: specifically, we show that an arbitrary graph with arboricity can be realized with high probability when . Additionally, if is the minimum effective resistance of the edges, can be realized with high probability when . Next, we show that it is necessary to have to realize random graphs, or to realize random spanning trees of the complete graph. This is true even if we permit an arbitrary embedding for any or negative weights. Along the way, we prove a probabilistic analog of Radon’s theorem for convex sets in .

Our tree-realization result can complement existing results on statistical inference for gene expression data which involves realizing a tree, such as [GJP15].

I finished listening to the book “Endure” by Alex Hutchinson. It is one of the most important books I have read, and it left me with several key realizations.

Brain sets an expectation. Giving up is almost always a choice.

**Brain sets an expectation.** Whether you know it or not, feel it or not, your brain sets an expectation at both a physiological and a psychological level. Try as we may, the brain controls your actions (again, at both levels) so that you meet the expectation, but don’t exceed it.

Therefore, **these expectations matter**. Sometimes these expectations are conscious, in that we can spell them out. Other times, they are at a subconscious or even unconscious level. Are you aware of what you expect of yourself? Expect does not mean hope: what do you really, really expect of yourself?

**Outside stimuli matter**. Often, these expectations are updated based on outside stimuli, such as excitement, competition, peer support, or a life-or-death situation.

**Pain matters**. Pain is a signal from your brain urging you to slow down, or stop, whatever you are doing. It is not bad in itself. More surprisingly, pain is not always a true red flag: the brain always keeps a reserve of energy that it can draw from, but it uses pain so that it doesn’t have to.

**We pace ourselves**. Mostly in long stretches that test our durability. It is most evident at the physiological level: long-distance runners almost always manage a sprint finish even though they find it hard to sustain top speed in the middle stages. I think it is also true at the psychological level. For example, when I have a tough schedule ahead of me, I find myself reprioritizing tasks until I have justified to myself that dropping a particular task is okay.

**Giving up is a choice**. This is a big truth. Your body will urge you to stop, but it is up to you whether you listen. You should hear it, but not obey it, because you already know that the sense of pain and effort is a mere warning or plea from your body, not a true distress signal.

**We constantly compare against what we expect**. Again, this is both at physiological and psychological levels. Thus, be careful about what you decide to expect.

**Fat burns when the pace is easy or familiar**. This is true for the early stages of a run. Carbohydrate is needed for a sudden push, such as a sprint finish. As someone gets fitter, she starts burning more fat and less carbohydrate during the same workout.

**Working out on an empty stomach burns fat** because at that moment you don’t have much of a carb reserve.

**The perceived effort is different from pain** or muscle fatigue. That’s right: the sense of effort is different from the sense of pain. We may not be in pain yet feel highly exerted.

**The training changes you physiologically**. It makes strenuous attempts feel easy over time. You grow new muscle fibers, forge new capillaries to supply your muscles with more oxygen, teach muscles and blood to store more oxygen, alter neuronal memory patterns in your brain to make some actions automatic.

**The training also changes you mentally** by changing your expectations. You accept a level of pain and discomfort as “okay,” and set higher standards for yourself. These two aspects trigger each other in an awesome positive feedback loop.

**If you ever attain a new max, that becomes the new normal for the brain**. This is why you should always strive to push your limits, even in small tasks. Over time, your brain will expect more from you.

**Great athletes are trained to perform response inhibition**: not reacting to initial pain/discomfort signals. **They are, without exception, highly tolerant to pain**.

**Internal awareness makes both our pain reaction and perception less dramatic**. Focus on your present moment. How are you breathing? What are you thinking? Why? How are you feeling? Why? Think about the big picture, think about where you fit. Feel the harmony. Pain and other discomforts will also fall into their places. They will exist, but would not demand/receive as much (constant) attention as they get now.

**You can always, always do more than you think**. Don’t believe me? Just try this: whenever you think you cannot do any more, take one more step. That is proof that you really can do more than you believe.


I intended this talk to be accessible, so I intentionally skipped many details and strove not to flaunt any equations.

**Advertised Summary:** Bitcoin is a blockchain protocol where finalized transactions need a “proof of work”. Such protocols have been criticized for their high demand for computing power, i.e., electricity. Another family of protocols deals with a “proof of stake”: in these protocols, the ability to make a transaction depends on your “stake” in the system instead of your computing power. In both cases, it is notoriously difficult to mathematically prove that these protocols are secure; only a handful of provably secure protocols exist today. In this talk, I will tell a lighthearted story about the basics of proof-of-work vs. proof-of-stake protocols. **No equations but a lot of movie references**.

Please enjoy, and please let me know your questions and comments.


Intuitively, a PCP (Probabilistically Checkable Proof) system is an interactive proof system where the verifier is given random bits and is allowed to look into the proof in many locations. If the string is indeed in the language, then there exists a proof such that the verifier always accepts. However, if is not in the language, no prover can convince this verifier with probability more than . The proof has to be short, i.e., of size at most . This class of languages is designated **PCP[r(n), q(n)]**.

Theorem A (PCP theorem). Every NP language has a highly efficient PCP verifier. In particular, .

Given a Boolean formula with clauses on variables, let be the maximum fraction of satisfiable clauses, taken over all variable assignments. The **MAX-3SAT** problem asks you to find for a given . A -approximation to the MAX-3SAT problem, for , outputs a number .

It is easy to conceive **a greedy -approximation algorithm for MAX-3SAT**: for the th variable, choose the assignment that satisfies at least half of the remaining clauses, remove the satisfied clauses as well as the current variable from consideration, and repeat with the next variable. The celebrated algorithm of Goemans-Williamson (based on semidefinite programming) gives a -approximation.
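As an illustration, here is a minimal Python sketch of the greedy algorithm just described; the clause encoding and function names are my own, and this is a sketch rather than an optimized implementation:

```python
from typing import Dict, List, Tuple

# A literal is (variable index, polarity); a clause is a tuple of literals.
Clause = Tuple[Tuple[int, bool], ...]

def greedy_max3sat(clauses: List[Clause], n_vars: int) -> Dict[int, bool]:
    """For each variable in turn, pick the value satisfying more of the
    still-unsatisfied clauses, then drop those clauses from consideration."""
    remaining = list(clauses)
    assignment: Dict[int, bool] = {}
    for v in range(n_vars):
        sat_if_true = [c for c in remaining if (v, True) in c]
        sat_if_false = [c for c in remaining if (v, False) in c]
        value = len(sat_if_true) >= len(sat_if_false)
        assignment[v] = value
        satisfied = sat_if_true if value else sat_if_false
        remaining = [c for c in remaining if c not in satisfied]
    return assignment

def count_satisfied(clauses: List[Clause], assignment: Dict[int, bool]) -> int:
    """Number of clauses with at least one literal set to its polarity."""
    return sum(any(assignment[v] == pol for v, pol in c) for c in clauses)
```

At every step, at least half of the remaining clauses containing the current variable get satisfied, which is what drives the approximation guarantee.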

Theorem B (Approximating MAX-3SAT is NP-hard). There exists a such that for every language in NP, there is an efficient mapping from the instances of the language to the instances of MAX-3SAT, so that if then , and otherwise .

The above theorem immediately implies that there is a constant such that if we have an efficient -approximation algorithm for MAX-3SAT, then it could be used to decide *every* NP language. In other words, P = NP.

The **qCSP problem** is a generalization of the 3SAT problem where -variable Boolean clauses are replaced by -variable Boolean functions called *constraints*. The **-GAPCSP problem** is a decision problem where given a Boolean formula , we have to decide whether is one, or strictly below .

Theorem C. There exist constants and such that the -GAP-CSP problem is NP-hard.

We claim that Theorem B is equivalent to the PCP Theorem (A), via Theorem C.

Theorem D. Theorems A, B, and C are equivalent.

**Proof sketch: PCP implies GAP-CSP.** Suppose NP equals . Given any NP language , the trick is to imagine a -CSP constraint as a Boolean predicate which is true if there exists a verifier which accepts . By the soundness and completeness of the PCP verifier, we have constructed a -GAP-CSP instance. Anyone who can decide this instance can also decide any NP language.

**Proof sketch: GAP-CSP implies PCP.** This is easy. Suppose you can decide an NP-hard -GAP-CSP instance with clauses. You can construct a verifier as follows: randomly choose a constraint and query the literals in this constraint. This verifier has completeness 1 and soundness . The soundness can be boosted down to with sequential repetition.

**Proof sketch: Approximate MAX-3SAT implies GAP-3CSP.** This is easy, just treat each 3-CNF clause as a 3CSP constraint.

**Proof sketch: GAP-3CSP implies Approximate MAX-3SAT.** The idea is to treat a constraint as an AND of -variable Boolean clauses, and then convert this formula into a 3-SAT formula.

A **Minimum Vertex Cover** of a graph is a smallest set of vertices such that every edge has at least one endpoint in this set. Computing the size of the minimum vertex cover of a graph is the **MIN-VERTEX-COVER** problem. A -approximation to MIN-VERTEX-COVER, for , outputs a set whose cardinality is at most times the size of the minimum cover.

Consider the following **approximation algorithm for the minimum vertex cover** in a graph : let be the empty set. Add an arbitrary edge of to (that is, its endpoints), then delete its endpoints from along with all edges adjacent to them. Repeat until no edges remain. Since the chosen edges form a matching, any vertex cover must contain at least one vertex for each of them; hence . Hence this algorithm is a -approximation for MIN-VERTEX-COVER.
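A sketch of this matching-based algorithm in Python (the edge representation as vertex pairs is my own choice):

```python
from typing import Iterable, Set, Tuple

def vertex_cover_2approx(edges: Iterable[Tuple[int, int]]) -> Set[int]:
    """Repeatedly take an edge with both endpoints uncovered and add both
    endpoints; the chosen edges form a matching, so the resulting cover is
    at most twice the minimum."""
    cover: Set[int] = set()
    for u, v in edges:
        if u not in cover and v not in cover:  # edge is still uncovered
            cover.add(u)
            cover.add(v)
    return cover
```

On the path 0–1–2–3, for example, the algorithm may return all four vertices while the minimum cover {1, 2} has size two, exactly matching the factor-2 bound.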

Recall that an **Independent Set** of a graph is a set of vertices that have no edges among themselves.

Fact (due to Tibor Gallai). The complement of the largest independent set in a graph is a minimum vertex cover.

**Proof sketch:** Fix a largest independent set in any connected graph . Each of the remaining vertices must have at least one edge to ; otherwise, it would have been in . The size of any minimal vertex cover must be at least : clearly, is a valid vertex cover, and if we exclude some , we have to compensate by picking at least one vertex from . If we use a different independent set , the size of cannot be any smaller than that of since is the largest independent set.
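Gallai’s fact is easy to check by brute force on small graphs; here is a self-contained sketch (exponential time, for illustration only; the function names are mine):

```python
from itertools import combinations

def min_vertex_cover_size(n: int, edges) -> int:
    """Smallest k such that some k-subset of vertices touches every edge."""
    for k in range(n + 1):
        for sub in combinations(range(n), k):
            s = set(sub)
            if all(u in s or v in s for u, v in edges):
                return k

def max_independent_set_size(n: int, edges) -> int:
    """Largest k such that some k-subset of vertices spans no edge."""
    for k in range(n, -1, -1):
        for sub in combinations(range(n), k):
            s = set(sub)
            if not any(u in s and v in s for u, v in edges):
                return k
```

On any graph the two quantities sum to the number of vertices, which is exactly Gallai’s identity; the 5-cycle, with independence number 2 and cover number 3, is a quick sanity check.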

Lemma (Approximating MIN-VERTEX-COVER is hard for some ). There exists a constant such that computing a -approximation to the minimum vertex cover problem is NP-hard.

**Proof sketch:** Theorem B tells us that obtaining a -approximation to the MAX-3SAT problem is NP-hard. Given a 3-CNF formula , consider its **conflict graph** : every clause is associated with seven vertices, one for each candidate assignment to its literals. (One of the eight possible assignments for a clause can never satisfy the clause: namely, the one that makes every literal false.) There is an edge in the graph (between vertices associated with different clauses) if and only if the two clauses conflict on the same variable. For example, the two clauses and conflict on the variable ; no assignment can satisfy them simultaneously. Suppose has vertices, in which case will have clauses.

The minimum vertex cover of has size , since the largest independent set in has size .

- Suppose . Then the size of the minimum vertex cover is at least since .
- Suppose . A approximation to the minimum vertex cover would give us a vertex cover of size since . If we set , then this size is at most .

Thus a -approximation to the minimum vertex cover on would allow us to decide whether which, by Theorem B, is NP-hard. Thus a -approximation to the minimum vertex cover problem is NP-hard as well. (End proof.)

Computing the size of the largest independent set of a graph is called the **INDSET** problem.

Lemma (Approximating INDSET is hard for some ). There exists a real constant such that a -approximation to INDSET is NP-hard.

**Proof sketch:** Consider the graph in the preceding proof. In particular, the largest independent set of has size . If we can compute a -approximation to the largest independent set problem on , we can use it to obtain a -approximation to the MAX-3SAT problem; but this is NP-hard by Theorem B. Hence a -approximation to the largest independent set problem on is NP-hard as well. (End proof.)


A blockchain protocol is essentially a distributed consensus protocol. A Proof-of-Work protocol such as Bitcoin requires a user to show a proof, such as having made a large number of computations, before he can add a block to an existing chain. Proof-of-Stake protocols, on the other hand, would not require “burning electricity” since the ability to “mine” a coin depends only on the user’s current stake in the system.

The growing computing power of the Bitcoin miners is already consuming a significant amount of electricity. One can easily see the necessity of a *provably secure* and efficient cryptocurrency without the heavy energy requirement. However, it is easier said than done. So far, I am aware of only four Proof-of-Stake protocols which give provable security guarantees. These are *Ouroboros*, led by Aggelos Kiayias, Alex Russell, and others; *Snow White*, led by Rafael Pass and Elaine Shi; *Ouroboros Praos*, from the Ouroboros team; and *Algorand*, led by Silvio Micali. There is also an open-source initiative to implement *Ouroboros*, named *Cardano*.

In this post, I am going to present the main theorems of *Ouroboros*.

Garay, Kiayias, and Leonardos proved that the Bitcoin backbone protocol is secure. Pass, Seeman, and Shelat proved that the blockchain protocol is secure even in an asynchronous network. *Ouroboros* was the first proof-of-stake protocol which was provably secure in the synchronous setting. *Snow White* came soon after, proving security in an asynchronous setting with a focus on allowing users to leave and join as they wish.

In the traditional blockchain protocol, each user computes a hash function on a random input. This is similar to tossing a biased coin: if (a prefix of) the output string contains a given number of zeros, the user “wins” and becomes a “leader”, i.e., he gets to add a block to a chain. **Ouroboros** departs from this idea in that the leaders for a designated number of future time slots are publicly precomputed. This, however, makes it necessary that the honest users be present when the leader election takes place.
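The coin-tossing analogy can be made concrete. Below is a hypothetical sketch (not Bitcoin’s actual block format) in which a user “wins” when the leading bits of a SHA-256 hash are all zero, so each extra required bit halves the success probability:

```python
import hashlib

def wins_slot(ticket: bytes, difficulty_bits: int) -> bool:
    """The user 'wins' if the first `difficulty_bits` bits of the hash are
    all zero -- a biased coin with success probability 2**-difficulty_bits."""
    digest = hashlib.sha256(ticket).digest()
    value = int.from_bytes(digest, "big")
    return value >> (256 - difficulty_bits) == 0
```

Miners iterate over tickets (nonces) until one wins; raising `difficulty_bits` makes the biased coin land heads exponentially less often.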

On the other hand, in **Ouroboros Praos**, the leader election happens in private. This makes the protocol secure against an adversary who can immediately corrupt anyone. In addition, the protocol operates on a semi-synchronous network: packets are allowed to have at most a delay; this parameter is known to the protocol but not to the users.

**Snow White** operates on an asynchronous network. Its authors circumvent the “sporadic presence” issue by using their Sleepy Consensus protocol, which allows the users to go online/offline in an arbitrary way. They also keep the coin-tossing approach while focusing on preventing the corruption of past leaders. Every node decides in private whether he is a leader, as in *Ouroboros Praos*.

**Algorand**, meanwhile, solves the leader-election problem using a Byzantine Agreement protocol which reaches an agreement with probability at least at every round; the BA protocol completes, in expectation, in a constant number of rounds.

Without further ado, let us delve into a deeper discussion about *Ouroboros*.

**Epochs, Slots, Slot Leaders, Committee.** The protocol proceeds in epochs. An *epoch* is a sequence of a fixed number of time-steps, called *slots*. Some elected user adds a block to a chain at each slot; this user is called a *slot leader*. However, it is possible that no blocks are issued in a slot. This means the length of the current chain does not equal the number of slots in the past. See the Chain Growth property below.

The probability that a user becomes a leader is proportional to his stake in the system. The pool of potential leaders is called a *committee*. Importantly, the set of slot leaders is computed before an epoch begins.

**Stake Evolution.** The probabilities used for the leader election are the ones at the beginning of each epoch. These probabilities change as stakes evolve. However, Ouroboros assumes that the stake distribution does not change “too much”; that is, the statistical difference in the stake distribution before and after an epoch is no more than some , a protocol parameter.

**Message Delay and Synchrony.** Ouroboros assumes a synchronous network, meaning no network delay. However, the adversary is responsible for delivering messages to all users.

**Chain Adoption.** An honest leader always chooses the longest available chain; ties are broken by the adversary.

**Sporadic Presence.** It is not clear *to me at this point *how new users would join the system and get a consistent view. However, for the sake of leader election, the protocol stipulates that users can be offline for no more than a fixed number of contiguous slots.

**Corruption Model.**

- There is a corruption delay — that is, it takes a while for the adversary to corrupt a user
- The adversary controls strictly less than 50% of the stake
- The adversary generates all keys. He is responsible for delivering messages to the stakeholders.
- When an honest user has to choose between multiple chains of the same length, the adversary breaks the tie.

We expect that the following three properties hold during the lifetime of the protocol with high probability in the number of users and the length of an epoch.

Common Prefix (CP) property with parameter : The view of all honest users must be the same if they ignore the most recent blocks.

Chain Quality (CQ) property with parameters and : In a chain of length at least , the number of adversarial blocks is at most .

Chain Growth (CG) property with parameters and : The length of the blockchain generated from a sequence of slots, where the terminal slots are honest, must be at least .

The three properties above ensure the following two properties:

**Liveness:** A newly-added block becomes a part of the common-view after a sufficient period of time.

**Persistence:** If an honest node proclaims a block to be “stable,” all other truthful nodes must agree.

There is another, non-cryptographic desideratum: rational players should not gain “much” by forming an adversarial coalition. Ideally, they should stand to lose in such an endeavor.

The first epoch is bootstrapped with fresh random bits needed for the first leader-election process. The random bits for subsequent epochs are generated by the users at an earlier time in private; these random bits are added to each block and are called “per-block randomness.” These bits are propagated through the blockchain and later accumulated to form a “random” key, giving an *impression* of a source of randomness or a “Trusted Randomness Beacon.”

The key, called “per-epoch randomness,” is used to select a hash function. This function is used in (a distributed) leader election as well as generating per-block random bits. The list of elected leaders is made public, with proofs.

The adversary will likely try to tamper with the per-epoch randomness so that (a) his stake increases over time, and (b) he controls more slot leaders than what is expected from a binomial distribution according to honest/adversarial relative stake.

- The lifetime of the protocol is epochs, where each epoch contains slots.
- The stake distribution has bias, . That is, the honest players control at least fraction of the total stakes at the beginning of each epoch.
- is the fraction of the adversarial stake at the beginning of any epoch.
- The *maximum relative stake-shift* in an epoch is at most . That is, after an epoch, the stake of the adversarial players is at most .
- The honest players have to be online at least once in every slots.

**Characteristic String.** In Ouroboros, slot leaders are already assigned before an epoch begins. A characteristic string for an epoch is a Boolean string of length with indicating a dishonest node and an honest node. Clearly, the number of ones in this string has a binomial distribution with parameters and .
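Sampling a characteristic string is straightforward; here is a sketch (the parameter names are mine, not the paper’s):

```python
import random

def characteristic_string(n_slots: int, adversarial_stake: float,
                          rng: random.Random) -> list:
    """1 marks a slot whose leader is adversarial, 0 an honest one; each
    slot is adversarial independently with probability `adversarial_stake`."""
    return [1 if rng.random() < adversarial_stake else 0
            for _ in range(n_slots)]
```

The number of ones is then binomially distributed, as claimed above, with the adversarial stake playing the role of the coin’s bias.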

**Tine.** A tine is a stripped-down valid blockchain that can possibly be generated from a characteristic string . Each node in a tine records only the slot index at which it was issued.

**A Forkable String.** Since the adversary is in control of delivering messages, he can confuse an honest player by presenting him with two competing tines of the same length. A characteristic string is *forkable* if there exist two different tines, each with the maximum length among all tines of .

It is easy to see that a forkable string does not bode well for the protocol. Fortunately, forkable strings are rare.

Theorem. For a characteristic string of length , the probability that it is forkable is at most .

Divergence. Consider two tines of a characteristic string of length . If the length of the common prefix is , we say that these two tines have divergence . The divergence of , denoted by , is the maximum of where the maximum is taken over all tine-pairs.

Intuitively, the divergence captures the power of the adversary to produce competing tines. As you might imagine, the notion of divergence is intricately related to the notion of forkability. Indeed, a large divergence implies the forkability of a substring of the characteristic string.

Theorem. There exists a forkable substring of the characteristic string . Its length is at least .

The above theorem can be used to show the following important theorem about common prefix.

Main Theorem. (Common Prefix, Static Stake.) The probability that the protocol satisfies the common prefix property with parameter throughout an epoch of slots is at least . The constant hidden by the notation depends only on , the bias in favor of honest stakes; it is the same as the -expression in the exponent of the failure probability from the Forkability Theorem.

Now on to the chain growth and chain quality.

Main Theorem. (Chain Growth, Static Stake.) Let be the adversarial stake ratio. The protocol satisfies the CG property with parameters and throughout an epoch of slots with probability at least .

Main Theorem. (Chain Quality, Static Stake.) Let be the adversarial stake ratio. The protocol satisfies the CQ property with parameters and throughout an epoch of slots with probability at least .

Main Theorem. (Full Protocol)

- Fix , the security parameter. Also fix $latex \epsilon, \sigma \in (0, 1)$ to be used below.
- Let be the epoch length of the system, and $L$ the total number of slots in the lifetime of the system.
- Assume that the fraction of the adversarial stake is at most .
- Assume that the protocol for static stake satisfies the CP property with parameter throughout slots, with probability of error . This means that if two honest players are at slots and have chains , then the prefix obtained by deleting the last blocks from would also be a prefix of .
- Assume that the protocol for static stake satisfies the CQ property with parameters and , with probability of error . This means that in every consecutive blocks, at most blocks are generated by the adversary.
- Assume that the protocol for static stake satisfies the CG property with parameters and , with probability of error . This means that if two honest parties are separated by at least slots, their respective chains must differ by at least in length.
- Assume that the dynamic-stake protocol simulates a perfect randomness beacon with distinguishing advantage .
- Assume that is the maximum stake-shift over slots.
- Assume that the adversary is restricted to a corruption delay of slots.
- Assume that no honest player is offline for more than slots.

Then, the protocol for dynamic stake satisfies persistence with parameters and liveness with parameter throughout a period of slots with probability

.

I would like to present a similar overview of *Snow White* and *Ouroboros Praos*, as well as details about *Ouroboros:* I did not talk about the incentive mechanism in the protocol, and how it achieves approximate Nash equilibrium for the players. I also did not discuss various attack scenarios. We’ll do these in future posts. Until then, goodbye.

Imagine that a particle is walking in a two-dimensional space, starting at the origin . At every time-step (or “epoch”), the particle takes a vertical step: it either moves up by , or down by $latex -1$. This walk is “unbiased” in the sense that the up/down steps are equiprobable.

In this post, we will discuss some natural questions about this “unbiased random walk.” For example, how long will it take for the particle to return to zero? What is the probability that it will ever reach +1? When will it touch for the first time? The contents of this post are a summary of the chapter “Random Walks” from the awesome *An Introduction to Probability Theory and Its Applications* (Volume I) by William Feller.

We start with some definitions. Let be the position of the particle at time if it starts at the origin. The probability that is

.

Let be the number of paths (that the particle could possibly take) of length starting at and ending at . Clearly, . Let be the number of paths that touch or cross the horizontal axis, i.e., the zero line.

The Reflection Principle.

*Proof:* For every path that starts at and touches zero for the first time at , there is a symmetric path that starts at and touches zero for the first time at .
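The reflection principle is easy to verify by exhaustive enumeration on short walks. A brute-force sketch (the notation is my own): paths from a positive start to a positive end that touch zero are in bijection with unrestricted paths from the reflected start.

```python
from itertools import product

def count_paths(start: int, end: int, n: int, touch_zero: bool = False) -> int:
    """Count n-step +/-1 paths from `start` to `end`; if `touch_zero`,
    count only those paths that hit height zero at some step."""
    total = 0
    for steps in product((1, -1), repeat=n):
        height, touched = start, False
        for s in steps:
            height += s
            touched = touched or height == 0
        if height == end and (touched or not touch_zero):
            total += 1
    return total
```

For example, the 6-step paths from +2 to +2 that touch zero are exactly as numerous as all 6-step paths from −2 to +2.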

The Ballot Theorem. The number of paths of length that never touch zero is .

**A Return to the Origin.** Suppose a walk, starting at the origin, returns to the origin at epoch . It is clear that this path takes steps up and steps down, in some order. The probability that this happens is

as .
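The return probability elided above is standard in Feller’s chapter: there are $latex \binom{2n}{n}$ ways to choose which of the $latex 2n$ steps go up, out of $latex 2^{2n}$ equally likely paths, so $latex u_{2n} = \binom{2n}{n}\,2^{-2n} \sim 1/\sqrt{\pi n}$. A quick numerical check (function name is mine):

```python
from math import comb, pi, sqrt

def return_prob(two_n: int) -> float:
    """u_{2n}: probability that the walk is back at the origin at epoch 2n."""
    n = two_n // 2
    return comb(2 * n, n) / 4 ** n
```

The exact values decay slowly, and already for moderate n they are extremely close to the asymptotic $latex 1/\sqrt{\pi n}$.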

**The First Return to the Origin.** Let denote the probability that the path returns to the origin for the first time at epoch . Suppose a (possibly not the first) return to the origin happens at epoch . Then, the first return could have happened at epochs . Thus

.
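The recurrence above determines the first-return probabilities $latex f_{2k}$ from the return probabilities $latex u_{2n}$. A self-contained sketch that inverts it numerically (the function names are mine):

```python
from math import comb

def u(two_n: int) -> float:
    """Probability of being at the origin at epoch 2n."""
    n = two_n // 2
    return comb(2 * n, n) / 4 ** n

def first_return_probs(max_two_n: int) -> dict:
    """Solve u_{2n} = sum_{k=1}^{n} f_{2k} u_{2n-2k} for the f's."""
    f = {}
    for n in range(1, max_two_n // 2 + 1):
        f[2 * n] = u(2 * n) - sum(
            f[2 * k] * u(2 * n - 2 * k) for k in range(1, n))
    return f
```

The recovered values agree with the closed form $latex f_{2n} = u_{2n-2} - u_{2n}$ from Feller’s chapter.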

**No Return to the Origin.** The probability that a return to the origin happens at is the same as the probability that a return never occurs in steps.

**The First Return to the Origin (Revisited). **The above interpretation gives

.

This is equivalent to saying that the number of non-returning paths up to epoch are of two kinds: those that return at (for the first time), and those that do not return at . A little calculation shows that

.

**The Last Return to the Origin.** The probability that up to and including epoch the last visit to the origin occurs at epoch is given by

.

The first factor is the probability that a return occurs at epoch , and the second factor is the probability that a path of length never returns to the origin. (Recall that is also the probability of no return.)
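This factorization (the discrete arcsine law) is easy to check numerically; a self-contained sketch, with my own function names:

```python
from math import comb

def u(two_n: int) -> float:
    """Probability of being at the origin at epoch 2n (also the probability
    of no return to the origin within 2n steps)."""
    n = two_n // 2
    return comb(2 * n, n) / 4 ** n

def last_return_prob(two_k: int, two_n: int) -> float:
    """Probability that the last visit to the origin up to epoch 2n
    happens at epoch 2k: a return at 2k times no return afterwards."""
    return u(two_k) * u(two_n - two_k)
```

The distribution sums to 1 and is U-shaped: the last return is most likely to happen very early or very late, which is exactly why the walk spends most of its time on one side.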

**Staying on One Side for Long Time.** An integration of the above shows that for a fixed and sufficiently large,

.

This means an unbiased random walk stays on the positive side “most” of the time with large (constant) probability. In particular, we can have the following:

The probability that a path of length spends time on one side is .

**Number of Sign-Changes.** The number of lead-changes in an trial game is proportional to . This is surprising because ordinarily, one would think that the number of side-changes is proportional to the length of the path. Specifically,

Suppose there are exactly sign-changes in a path of length . The corresponding probability is

.

Observe that this probability decreases as increases with fixed. This means that a path is more likely to experience few sign-changes.

Suppose and is large. We know that if for some positive real , then where $latex \mathcal{R}(x)$ is the area of the standard normal distribution in the interval .

The probability that there are at most sign-changes in epochs, tends to .

Supremum. Let . The probability that a path of length has a maximum at most equals .

This probability, obtained via the reflection principle, is the same as the probability that the said path touched or crossed the line .

Maximum. Let be a random variable denoting the maximum of a path of length . Let if have different parity, and zero otherwise. Then .

First Passage Time/Hitting Time. The probability that the first passage through occurs at epoch is given by .

Moreover, as , the probability that the first passage through occurs before epoch (for fixed ) tends to

.

This means, the **waiting time** for the first passage through scales as .

The th Return to the Origin. An th return at epoch has the same probability as a first passage through at epoch , which equals defined above.


Time Spent on the Positive Side. The number of paths of length such that and exactly of its sides are above the axis, is independent of , and equal to , where .

In a proof-of-stake blockchain protocol such as Ouroboros, at most half of the users are dishonest. While an honest user always extends the longest available blockchain, the dishonest users try to fool him into extending a manipulated blockchain. Here, the user who is allowed to issue a block at any time-slot is called the “slot leader.” As it happens, a number of future slot leaders are computed in advance using the random values present in the blocks. Although counterintuitive, such a scheme ensures that if the adversary does not control more than half the users now, it is very unlikely that he can control more than half the slot leaders. The time-slots are divided into “epochs” of length .

We consider a variant of Ouroboros where the random bits necessary for selecting the slot leaders for the next epoch come from a per-epoch random value, plus the random values from a certain prefix of the blocks issued in the current epoch. Because the random values do not depend on the contents of the block, the adversary cannot maliciously choose a block-content that affects the leader selection. He, however, has one of three options:

- Issuing a block and attaching it to the longest available chain
- Not issuing a block
- Issuing a block but linking it to a shorter, possibly malicious chain. If an honest block is bypassed by this maneuver, we say the adversary has *skipped* an honest player

We are interested in giving an upper bound to the expected number of competing chains that the adversary can possibly present to the leader selection process. This number would limit the choices for even a computationally-unbounded adversary. Not surprisingly, we call this number the **grinding power** of the adversary.

**Competitive Chains.** If the adversary has to “sell” a manipulated chain to an honest player at the end of an epoch, the chain has to satisfy the following:

- It has to be competitive. That is, it has to be at least as large as the number of honest users preceding , because these honest players will always add a new block to the longest available chain. Otherwise, there is no chance that this chain will be selected.
- Moreover, every prefix of this chain, ending in an honest block, must be competitive for the same reason.

**Towards a Formal Definition.** A *characteristic string* is a Boolean string where a zero denotes an honest player and a one denotes an adversarial player. Suppose contains zeros located at increasing positions . Set because we assume that an honest player is going to be presented with the outcomes dictated by . A substring of can only be obtained by deleting bits from . For any string , let be the first bits of . Let be the suffix of starting at position . Let denote the th bit in a string .

Let and denote the number of zeros and ones in a string , respectively. Define as the *discrepancy* of . Fix and . Let denote a closed interval. We write to refer to the substring . Let and denote the number of ones and zeros, respectively, in the interval . Let denote the reverse string of any string .

Definition (Admissible strings and grinding power). Let be an -bit Boolean string containing zeros. Let be the th zero-bit in . Let be the substring of supported on a characteristic vector . is “*admissible*” if the following hold:

- , and
- If contains but not , then must contain at least one one-bit from the interval .

The number is called the “*grinding power*” of .

The second constraint says that must include at least one one-bit from for every such that but , i.e., *an honest player is skipped*. The first constraint takes care of the case that the last zero-bit is skipped.

Let us make one more definition before we proceed.

Definition (ZPDC strings). Given a Boolean string , consider a string , with , which obeys the following rule: if then

- , hence we say is pinned on the zeros of ; and
- The discrepancy of the suffix of beginning at is nonnegative.
We call a zero-pinned discrepancy-constrained string, or a *ZPDC string for* in short. Let denote the number of possible ZPDC strings for .
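To make the definition concrete, here is a small brute-force counter. The symbols were lost in rendering, so this sketch encodes my reading of the definition above, and those conventions are assumptions: the string t has the same length as w, t is pinned to 0 wherever w is 0, the discrepancy of a string is (#ones − #zeros), and the suffix condition is checked at every zero of w.

```python
from itertools import product

def is_zpdc(t, w):
    """Check whether t is a ZPDC string for w (assumed conventions:
    t is 0 wherever w is 0, and every suffix of t beginning at a
    zero of w has discrepancy #ones - #zeros >= 0)."""
    for i, (ti, wi) in enumerate(zip(t, w)):
        if wi == 0:
            if ti != 0:
                return False        # t must be pinned on the zeros of w
            suffix = t[i:]
            ones = sum(suffix)
            if ones < len(suffix) - ones:
                return False        # negative suffix discrepancy
    return True

def count_zpdc(w):
    """Count ZPDC strings for w by exhaustive enumeration."""
    return sum(is_zpdc(t, w) for t in product((0, 1), repeat=len(w)))
```

For instance, w = 11 leaves both bits free (4 ZPDC strings), while w = 10 admits none, because the suffix rooted at the final pinned zero can never recover a nonnegative discrepancy.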

**Towards an Expression for .**

For an index set , let be the number of admissible substrings that contain the zero-bits from the positions indexed by . That is, if , considers the substrings which contain zero-bits from -positions where .

*Boundary values.* For completeness, set $z_0 := 0$ and $z_{m+1} := n+1$.

Claim. The grinding power is , where

and

**Explanation.** Every subset of the zero-bits of gives rise to a family of substrings, each containing the zero-bits indexed by . A fixed subset partitions into intervals. The admissible substrings pertaining to exclude the zero-bits that are interior to these intervals.

All zero-bits of are turned off inside the interval . However, if we look at any suffix of , at least one one-bit must be “on” in the admissible string to render a zero-bit “off.” Consider the characteristic vector of the one-bits of an admissible string restricted to the interval , and let us call it . It will certainly have zeros where has zeros. Since these zeros are “off” in the admissible string, every suffix of rooted at these zeros must have a nonnegative discrepancy. That is, suppose , rooted at a zero-bit, has zeros in it. Then will contain at least ones. This condition can be stated as the discrepancy of every suffix of , rooted at zeros of , is nonnegative. is the number of such ZPDC strings (see the definition above).

The boundary values above ensure that the expression works for all intervals, especially the first and the last. This leads to the following.

The number of admissible strings for a characteristic string , which we call , is the same as the number of ways we can partition into intervals using subsets of the zero-bits of , times the number of ZPDC strings for each interval in each partition.

**What is Next?**

Naturally, we would like to give an upper bound to this number. Moreover, we want to bound the expectation of this number when is drawn from the Binomial distribution with a biased probability .

While I don’t know how to do that at this moment, I’ll tackle that in a future post.

**References**

[1] Ouroboros: A Provably Secure Proof-of-Stake Blockchain Protocol

]]>A bad guy is activated when for some . He may try to present the good guys with a conflicting view of the world, such as presenting multiple candidate blockchains of equal length. This view is called a “fork”. A string that allows the bad guy to fork (with nonnegligible probability) is called a “forkable string”. Naturally, we would like to show that forkable strings are rare: that the manipulative power of the bad guys over the good guys is negligible.

**Claim **([1], Bound 2)**.** Suppose is a Boolean string, with every bit independently set to with probability for some . The probability that is forkable is at most .

In this post, we present a commentary on the proof that forkable strings are rare. I like the proof because it uses simple facts about random walks, generating functions, and stochastic domination to bound an apparently difficult random process.

**The Biased Random Walk, .** Let be a Boolean string with

Define to be the -biased random walk on the two-dimensional grid, starting at the origin. The horizontal axis is indexed by nonnegative “time” steps. The vertical axis is indexed by the integers. The walk takes a step “up” with probability and a step “down” with probability . In this note, we refer to this walk as **the** random walk.

**Two More Random Walks, and .** Define two more random walk variables that depend on . Both and are zero at . If , both take a step “up”, i.e., their value increases by one. When , they take one step “down”, with the following exceptions:

- If then
- If and , then

These rules imply that

and whenever equals , they take the value zero.

**The Divergence of .** Imagine a stream of incoming zero-one symbols which determine the walks. Let be the last time was nonnegative. We say “diverges” at time .

**Forkability.** The string is “forkable” if .

Let be an upper bound on this probability.

Want to Show:

**Two Kinds of Epochs.** Every time when marks the beginning of an epoch. If the first symbol in an epoch is 1, we call this an “up-epoch”; otherwise, we call it a “down-epoch”. Inside an up-epoch, it is always the case that .

The down-epochs are more interesting, however:

- At the beginning of a down-epoch, only takes the step down while stays at zero.
- It remains there as long as the incoming symbols are all zeros.
- Whenever , both and move up in unison. Let .
- Next, two things can happen. Either reaches zero before does; then we go back to step 2.
- Otherwise, reaches zero when is at . This completes the **first part of a down-epoch**.
- Now begins the **second part of a down-epoch**: now waits at zero for to make descents and reach zero again.
- When eventually reaches zero, a down-epoch is complete.

In order to bound the probability of eventual divergence, we need to bound the probability of an epoch-completion. Let us begin with some definitions.

First epoch completion probability. Let be the probability that the *first* epoch completes at time .

Divergence probability. Let be the probability that diverges at .

Our goal is to bound the forkability:

.

Before we lay out the plan, let us introduce some key ingredients which we will use. These are:

- Generating functions
- Convergence of GFs
- Stochastic dominance of GFs
- Gambler’s Ruin
- Facts about a biased random walk

**Generating Functions, or GF in short.** A *generating function* is a formal power series which “generates” the sequence as its coefficients. “A generating function is a clothesline where we hang the coefficients”, says Herbert Wilf. We identify the GF with its coefficients . If the coefficients of a GF are probabilities, then it is called a *probability generating function*, or PGF in short. These GFs satisfy . We use the notation to indicate the th coefficient .
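As a toy illustration (my own example, not from the post): the geometric distribution Pr[T = t] = q^(t−1) p has PGF F(z) = pz/(1 − qz), its coefficients sum to 1, and multiplying two GFs convolves their coefficient sequences. A quick numeric check:

```python
def gf_coefficients(p, n):
    """First n coefficients of the geometric PGF F(z) = p*z/(1 - q*z),
    i.e. f_t = q^(t-1) * p for t >= 1, and f_0 = 0."""
    q = 1 - p
    return [0.0] + [q ** (t - 1) * p for t in range((1), n)]

def convolve(a, b):
    """Coefficients of the product GF A(z)*B(z), truncated to len(a)."""
    n = len(a)
    return [sum(a[s] * b[t - s] for s in range(t + 1)) for t in range(n)]

coeffs = gf_coefficients(0.5, 30)
# A PGF evaluated at z = 1 sums its probabilities: total -> 1
# (here 1 - 0.5^29, since we truncated the series at 30 terms).
total = sum(coeffs)
# [z^t] F(z)^2 is the distribution of the sum of two independent copies.
double = convolve(coeffs, coeffs)
```

The convolution rule is exactly what the post uses later to combine first-passage times: the GF of a sum of independent waiting times is the product of their GFs.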

**Radius of Convergence of a GF.** Suppose a generating function converges at some , with radius of convergence . This means that converges for all , but there is some with such that does not converge. When converges with radius , it means

, or .

**Thin Tail of a Converging GF.** Then,

because if we sum a constant number of terms, each , the sum is still .

**Stochastic Dominance of PGFs.** The probability distribution “stochastically dominates” another distribution if, for all , it holds that . We express this fact as . Because , the above also means $b_t \geq a_t$ for all .
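A small checker makes the tail-sum convention concrete. This is my own sketch, assuming dominance means Pr[B ≥ t] ≥ Pr[A ≥ t] for every t, with distributions given as coefficient lists:

```python
def dominates(b, a):
    """True if distribution b stochastically dominates a: the tail sum
    of b from every index t is at least the tail sum of a from t."""
    n = max(len(a), len(b))
    a = list(a) + [0.0] * (n - len(a))   # pad to a common length
    b = list(b) + [0.0] * (n - len(b))
    tail_a = tail_b = 0.0
    for t in range(n - 1, -1, -1):       # accumulate tails right-to-left
        tail_a += a[t]
        tail_b += b[t]
        if tail_b < tail_a - 1e-12:      # tolerance for float round-off
            return False
    return True
```

For example, the distribution (0, 0.2, 0.8) dominates (0.5, 0.3, 0.2) because its mass sits further to the right, but not vice versa.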

**Gambler’s Ruin.** Suppose at present. The probability that *ever* reaches is $(p/q)^z$. See here for more on the Gambler’s ruin problem.
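As a sanity check of the ruin formula (my own, with assumed parameters: the walk steps up with probability p and down with q = 1 − p, p < q, and we ask for the chance of ever climbing z levels), a truncated dynamic program approaches (p/q)^z:

```python
from collections import defaultdict

def prob_ever_reach(z, p, steps=2000):
    """Probability that a walk stepping up w.p. p and down w.p. 1-p,
    started at 0, reaches +z within `steps` steps (z is absorbing).
    For p < 1/2 this converges to (p/q)^z with q = 1 - p."""
    dist = {0: 1.0}                     # position -> probability mass
    absorbed = 0.0
    for _ in range(steps):
        nxt = defaultdict(float)
        for pos, pr in dist.items():
            for step, w in ((1, p), (-1, 1 - p)):
                new = pos + step
                if new == z:
                    absorbed += pr * w  # hit the target: absorb
                else:
                    nxt[new] += pr * w
        dist = nxt
    return absorbed
```

With p = 1/4 and z = 2, the truncated probability is already indistinguishable from (1/3)² = 1/9, since late first hits against the drift are exponentially unlikely.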

Let us define some properties of the biased random walk .

First Ascent Time. Let be the probabilities that the -biased random walk , starting at the origin, visits (or *hits*) for the first time at step . Let be the corresponding generating function. We can see that . Observe that is not a PGF, since the gambler’s ruin tells us that there is a probability of that the first ascent never happens, giving .

First Descent Time. Let be the probability that the -biased random walk , starting at the origin, visits (or *hits*) for the first time at step . Let be the corresponding generating function. We can see that . Since , is indeed a PGF.

-Descent Time. Let be the probability that the -biased random walk , starting at the origin, visits (or *hits*) for the first time at step . The convolution rule for GFs tells us that the GF for this sequence is . We observe that , and for .
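The first-descent GF satisfies a quadratic, which is what makes the later discriminant computation possible: a first passage to −1 is either a single down-step, or an up-step followed by two independent first descents, giving F(z) = qz + pz·F(z)² (in standard notation with up-probability p, q = 1 − p; the symbols are my reconstruction of a Feller-style argument, since the post's formulas were lost in rendering). Iterating this fixed point on truncated power series recovers the coefficients:

```python
def first_descent_coeffs(p, n):
    """Coefficients f_0..f_{n-1} of the first-descent GF, obtained by
    iterating the fixed-point equation F = q*z + p*z*F^2 on truncated
    power series (up-step probability p, down-step probability q)."""
    q = 1 - p
    f = [0.0] * n
    for _ in range(n):            # each round fixes further coefficients
        sq = [0.0] * n            # sq = coefficients of F^2, truncated
        for s in range(n):
            if f[s] == 0.0:
                continue
            for t in range(n - s):
                sq[s + t] += f[s] * f[t]
        new = [0.0] * n
        new[1] = q                # the lone down-step contributes q*z
        for t in range(n - 1):
            new[t + 1] += p * sq[t]   # up-step, then two first descents
        f = new
    return f
```

The low-order coefficients match direct path counting: a first descent at step 1 is a single D (probability q), at step 3 it is UDD (pq²), and at step 5 there are two paths, UUDDD and UDUDD (2p²q³).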

**GF for Epoch-Completion and Divergence.** Let and be the GF and GF of the sequences and , respectively.

**Epoch-Completion Probability.** The GF is indeed a PGF since the divergence can occur at any time step. However, is not a PGF: if , the probability that reaches zero *ever* again is . On the other hand, if (respectively, ) the future event (respectively, ) happens with probability since . Together, the probability that an epoch is ever complete is

This means ; there is an probability that no epoch ever completes. This is why is not a probability generating function.

**The Plan.** Recall that we want to get an upper-bound to the quantity . Since are probabilities, it suffices to get an upper-bound for the radius of convergence of . This will give us . However, we need to express and solve the generating function before we can talk about its radius of convergence.

**Expressing in terms of .** Observe that we can describe the combined random walk as the regular expression

.

The probability that never meets for is . We make two observations: (1) A divergence at can happen in many ways: zero epoch then divergence, or one epoch then divergence, or two epochs then divergence, and so on; and (2) An epoch is independent of the previous epoch. Now we can express in terms of as follows:

**A Problem with the Down-Epoch.** The generating function seems problematic to analyze: in particular, the length of the second part of a down-epoch depends on the quantity , the position of at the end of the first part of that epoch. However, we observe that is at most the length of the first part of a down-epoch. This allows us to express a “relaxed” epoch as described next.

Let be the sequence of “relaxed” epoch-completion probabilities. Let be the corresponding GF. Let be the corresponding divergence GF if we replace with in the expression of above. The relaxation happens in the sense that for every , the “relaxed” epoch-completion probability is never larger than the actual epoch-completion probability . This means, , and consequently, .

Therefore, we have a new plan.

**The Revised Plan.** Recall that our goal is to upper-bound the quantity . Our original plan was to get an upper-bound for the radius of convergence of . Now it suffices to get an upper-bound for the radius of convergence of , because the tail of the sequence will be thicker than the tail of the sequence . Therefore, the quantity we seek to bound, , will be .

Now we have a plan of action:

- Find an expression of
- Find the radius of convergence for
- Show that when
- Since , it would follow that for
- This would imply, in turn, that converges with the radius of convergence
- This would imply when

We begin by defining the relaxed epoch.

**The “Relaxed” Epoch.**

- An epoch starts with an up-step of , in which case has to descend one step to complete the epoch
- Alternatively, an epoch starts with a down-step of , so that now and the gap between and is
- From here, reaches zero after an unspecified number of horizontal steps. This completes the first part of the down-epoch
- Later on, will have to descend one vertical step for each of these horizontal steps
- will have to descend one more step to cover the gap mentioned in step 2. This completes the second part of the down-epoch

**Defining the GF .** How do we express these “relaxed” epoch-completion probabilities? Of course, we will use a generating function in the variable . Recall the definitions of and . Step 1 would be simply . Steps 2+5 would be . Steps 3+5 would be . Step 4 is tricky.

For Step 4, let be the probability that the random walk makes the first ascent at , times the probability that the same walk ever descends vertical positions. After some head scratching, we write

where is the probability that the biased walk , starting at the origin, visits for the first time at time , times the probability that the biased walk , starting at the origin, visits for the first time at time . The corresponding GF is

Putting these all together,

The GF for the “relaxed” epoch is

**The Radius of Convergence for and .** By solving the quadratic expressions of and , we see that

, and

.

Hence these GFs converge as long as the discriminant , or $z^2 < \frac{1}{4pq} = \frac{1}{1-\epsilon^2}$, or

.
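To see why the discriminant condition becomes ε-dependent, note that with the bias convention p = (1 − ε)/2 and q = (1 + ε)/2 (my assumption; the post's definition of the bias was lost in rendering), the product 4pq collapses by the difference of squares:

```latex
4pq \;=\; 4\cdot\frac{1-\epsilon}{2}\cdot\frac{1+\epsilon}{2}
\;=\; (1-\epsilon)(1+\epsilon) \;=\; 1-\epsilon^2,
\qquad\text{so}\qquad
z^2 \;<\; \frac{1}{4pq} \;=\; \frac{1}{1-\epsilon^2}.
```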

**The Radius of Convergence for .** The second term in the expression of is . After expanding this expression, the discriminant has to be positive for convergence. That is,

This boils down to

.

**An Upper Bound on .** When converges, it converges to a value less than . The same is true for . In particular,

where .

This means, when . In turn, this implies converges for .

**Bounding the Tail of .** Using the Taylor series expansion , we get .

The quantity we desire, . Our final result, then, is

**References**

[2] Ouroboros: A Provably Secure Proof-of-Stake Blockchain Protocol

[3] Ouroboros Praos: An adaptively-secure, semi-synchronous proof-of-stake blockchain

]]>