
How does Cardano protect itself from a 51% attack?


Cardano’s PoS works in many ways very similarly to Bitcoin’s PoW. You may be surprised to learn that when the blockchain forks, Cardano applies a longest chain rule much like Bitcoin’s. Because creating a PoS block takes almost no energy, the Cardano protocol needs additional rules. Let’s explain some of them and show how they protect Cardano from a 51% attack.


  • Cardano uses the longest chain rule that is similar to Bitcoin’s rule.
  • The Plenitude rule is used against long-range attacks.
  • Block-signing keys evolve (KES) and the old ones are erased, so even a stolen key cannot be used to re-sign blocks from the past and rewrite history.

The protocols are about the rules

A blockchain is a chain of blocks. The network adds new blocks to the end of the chain. Occasionally, two blocks are produced by two (or more) independent nodes at the same time. This event is called a fork: two new blocks follow the same previous block. Some rule is required to ensure that one block wins and stays in the blockchain forever, while the other is discarded (orphaned). You can see the fork in the picture below. The node that is going to produce the next block must choose between block A and block B.

In the Bitcoin network, a pool (block producer) can build on either block A or block B. By default a node extends the first valid block it received, but a pool is free to choose. If one of the blocks was created by a pool that wants to add another block, it will choose its own block because it wants the reward for it. The pool cannot continue on both blocks because it would have to split its hash rate, and it will not do that because another pool would probably add the following block faster. Splitting the hash rate reduces the chance of success in the PoW lottery. Once the next block is added, it is obvious which chain is longer, and the next pool knows which chain to build on by applying the longest chain rule.

In the picture below you can see that the blue chain is longer. It is advantageous for a pool to add another block to the blue chain, because the red chain is unlikely to prevail over a longer period. No pool operator knows in advance who will succeed in adding a new block and which chain it will follow. From a game theory perspective, it is reasonable to assume that everyone will behave rationally and choose the blue chain.

If any node wants to find out which version of the blockchain is correct, it can do so based on the proof of work (strictly, Bitcoin follows the chain with the most accumulated work, which is what the “longest chain” shorthand means here). Nodes that connect to the network for the first time can rely on the same rule.

In the Cardano network, it is cheap to produce a new block (the phenomenon of costless simulation, or nothing at stake). This also applies to a long series of blocks. A node could therefore quickly and cheaply build on both block A and block B. If every subsequent block producer did the same, it might become difficult to determine which chain is correct.

Cardano nodes do not compete with each other to add a new block. Instead, a cryptographic primitive called a Verifiable Random Function (VRF) is used to draw a winner. In the Cardano network, time is divided into slots. In each slot, each stake pool evaluates its VRF, using its private VRF key, on the slot number and the current epoch nonce, and obtains an output together with a proof. Treat the output as a number. If the number is below a threshold derived from the pool’s share of the stake (and from the protocol’s active slot coefficient, which sets how many slots have a leader on average), the pool is the slot leader and gets the right to produce the block. Anyone can check the proof against the pool’s public VRF key, so a node cannot claim leadership of a slot it did not win.

Occasionally, two (or more) pools win the lottery in the same slot, so two valid blocks are created simultaneously, much as in the Bitcoin network. This situation is called a slot battle. Cardano has a simple rule to determine which block becomes part of the longer chain: the VRF outputs of the two competing blocks A and B are compared, and the block produced by the node with the smaller VRF output wins.
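As an added example that is not part of the original article or of the Cardano node code, the following Python simulation shows the leader lottery and the slot-battle tie-break described above. It uses the Praos threshold formula with the mainnet active slot coefficient f = 0.05; the VRF itself is replaced by a keyed hash (an assumption of this example, since a real VRF output also carries a publicly verifiable proof), and the pool names, secrets, stakes and epoch nonce are constructed.

```python
import hashlib
import hmac

# Active slot coefficient f: the fraction of slots expected to have a leader.
# 0.05 is the Cardano mainnet value (one block per 20 slots on average).
ACTIVE_SLOT_COEFF = 0.05

def vrf_stand_in(vrf_secret: bytes, epoch_nonce: bytes, slot: int) -> float:
    """Stand-in for the leader VRF, mapped to a number in [0, 1).

    A real VRF output comes with a proof that anyone can check against the
    pool's VRF public key. HMAC-SHA256 has no such proof; it is used only so
    this example runs with the standard library (an assumption of the example).
    """
    msg = epoch_nonce + slot.to_bytes(8, "big")
    digest = hmac.new(vrf_secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") / 2**256

def leader_threshold(relative_stake: float, f: float = ACTIVE_SLOT_COEFF) -> float:
    """Praos leader threshold phi_f(sigma) = 1 - (1 - f)^sigma.

    A pool holding a fraction sigma of the stake is slot leader when its VRF
    output is below this value. The formula makes a pool's chance of leading a
    slot independent of how the same stake is split across several pools.
    """
    return 1.0 - (1.0 - f) ** relative_stake

def is_slot_leader(vrf_out: float, relative_stake: float, f: float = ACTIVE_SLOT_COEFF) -> bool:
    return vrf_out < leader_threshold(relative_stake, f)

def resolve_slot_battle(candidates: list) -> str:
    """Several leaders in one slot: the block with the smaller VRF output wins."""
    _, pool = min(candidates)
    return pool

def simulate(pools: dict, epoch_nonce: bytes, slots: int):
    """Run `slots` slots of leader election.

    `pools` maps a pool name to (VRF secret, relative stake). Returns
    (blocks per pool, number of empty slots, number of slot battles).
    """
    blocks = {name: 0 for name in pools}
    empty = battles = 0
    for slot in range(slots):
        leaders = []
        for name, (secret, stake) in pools.items():
            out = vrf_stand_in(secret, epoch_nonce, slot)
            if is_slot_leader(out, stake):
                leaders.append((out, name))
        if not leaders:
            empty += 1          # nobody won the lottery: the slot stays empty
            continue
        if len(leaders) > 1:
            battles += 1
        blocks[resolve_slot_battle(leaders)] += 1
    return blocks, empty, battles

# Constructed sample: four pools, one of them an attacker holding 20% of the stake.
SAMPLE_POOLS = {
    "attacker": (b"attacker-vrf-secret", 0.20),
    "honest_a": (b"honest-a-vrf-secret", 0.30),
    "honest_b": (b"honest-b-vrf-secret", 0.30),
    "honest_c": (b"honest-c-vrf-secret", 0.20),
}
SAMPLE_NONCE = hashlib.sha256(b"constructed epoch nonce").digest()

def attacker_block_share(slots: int = 20_000) -> float:
    """Fraction of all produced blocks that the 20%-stake attacker won."""
    blocks, _, _ = simulate(SAMPLE_POOLS, SAMPLE_NONCE, slots)
    return blocks["attacker"] / sum(blocks.values())

if __name__ == "__main__":
    blocks, empty, battles = simulate(SAMPLE_POOLS, SAMPLE_NONCE, 20_000)
    print(blocks, "empty slots:", empty, "slot battles:", battles)
    print(f"attacker share of blocks: {attacker_block_share():.3f}")
```

Running it shows roughly 5% of slots filled, the 20%-stake attacker producing about 20% of the blocks no matter how the honest stake is split across pools, and the occasional slot battle resolved in favour of the smaller VRF output. The same numbers are what the long-range attack section relies on: with a minority stake, the attacker's own chain can only be about as dense as his stake allows.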

Although the protocol rules make it clear which chain is considered longer (the blue one), you can see in the image above that a node has added a new block to both chains. Visually, it looks like there are two chains of equal length. A node can do this because it costs nothing to create the block. What prevents nodes from behaving this way? Reputation. Both blocks carry the pool’s signature, so the behaviour is publicly attributable, and the community would regard it as an attempt to attack the network. The pool would lose its reputation and stakeholders would delegate their ADA elsewhere. The next honest node would add a new block only to the correct chain, so the fraudulent chain would be orphaned anyway.

Positive motivation matters here. A pool operator can add blocks cheaply, but if doing so harmed network operation and reputation, the value of ADA would decrease and operators would receive rewards of lower dollar value. It is in everyone’s interest for the network to function properly and keep a good reputation.

Each node sees the fork and when it is to add a new block, it decides according to the VRF output in the blocks that are right after the fork. The rules make it easy to infer which way the right chain should go. In the case of further forks, the rule would apply exactly the same way.

Randomness determines which node gets the right to create a new block, and it may happen that the attacker gets the right several times in a row. He can therefore add several blocks to the deceitful (red) chain, and for a few slots the red chain may be the longer one. Once an honest node gets the right to produce a block, it adds it to the correct (blue) chain. The probability that a minority stake wins a run of n consecutive leader slots falls exponentially with n, so over the longer term the blue chain wins with overwhelming probability.

As you can see, the Cardano protocol uses a cryptographic function and a simple rule in place of the hash-power lottery of PoW networks. Bitcoin defines no rule for choosing between two competing blocks of the same height: the chains are the same length, so the longest chain rule cannot be applied, and a pool simply picks one (by default the first it saw). Only in the next round can the longest chain rule be applied.

The Cardano protocol defines which chain is to be considered the longest immediately after a fork is created. The rule can be applied in every round and there is no situation where a pool may choose the block it likes better. This does not make a block final: settlement on Cardano is probabilistic, and a node will not roll back more than k blocks (k = 2160 on mainnet). But there is no discretionary fight over which chain will win: the VRF outputs always declare the correct (longest) chain, unless two identical VRF outputs appear, which is vanishingly unlikely.

What happens if an attacker creates a long alternative chain, say from the Genesis block? This is relatively easy since, as we said, it costs nothing to create a block, so it is possible to create an entire blockchain. Do not worry. There is an additional rule.

How Cardano protects itself from long-range attacks

For PoS networks, a long-range attack is roughly the analogue of a 51% attack on a PoW network. The attacker’s aim is to build a longer chain that rewrites history in his favour. Instead of starting a few blocks back, a long-range attack goes much further back in the chain’s history (even tens of thousands of blocks). This is a problem specific to PoS: no proof of work is required to rewrite a very long chain.

In a long-range attack, the attacker tries to create his own version of the entire chain and to enforce it as the correct chain (the main or longest chain). He usually does this secretly and publishes his version at the right time. The motive is mainly to reorganize blocks or increase his reward, since the alternate chain may contain different blocks or transactions than the original main chain.

This type of attack targets a property known as weak subjectivity: the “blindness” of new or long-disconnected nodes that must decide which branch of the blockchain is the correct one. When a node joins the network, it is certain only of the initial block (the Genesis block), because that is the one universally agreed upon (it is built into the node software and can be found in any blockchain explorer). When such a node synchronizes, it may be offered several chains that all start from the same Genesis block, and it must be able to determine reliably which one is correct.

Online nodes do not suffer from this attack, because they know up to a certain point in time which branch was last agreed to be the main one, and they have no reason to rewrite hundreds or thousands of blocks of history. The attack is therefore quite limited: the ongoing consensus is not affected by it, since among online nodes the longest chain rule governs.

Different PoS protocols use different rules to prevent this type of attack. For Cardano it is harder, because it has no slashing and so cannot directly punish an attacker by taking his coins, as Ethereum does. On Cardano, as on Bitcoin, consensus participants are paid for doing the right thing; not receiving a reward is the only penalty, so the motivation is purely positive. On Ethereum, participants are paid for doing the right thing but can also be actively punished for doing the wrong thing, i.e. suffer a significant economic loss that is independent of market volatility.

Let’s see how an attacker can try to commit a long-range attack on Cardano.

First, the attacker is limited in the number of blocks he can create at the beginning of the deceitful chain. Even on his private chain he cannot be slot leader more often than on the real main chain: a valid block must carry a VRF proof for its slot that verifies against the leader’s VRF public key and the stake distribution recorded in the chain itself. An attacker without a majority of the stake can therefore create only a limited number of valid blocks.

If the attacker has, say, only a 20% stake, he can produce only about 20% of the blocks in the initial phase of the deceitful chain. The problem is that the main chain (80% stake) contains many more valid blocks (some slots may miss a block, but the main chain is denser with very high probability). In the picture below, the blue chain is the main one and the attacker is trying to build the red chain.

On his own chain the attacker pretends that the other nodes are not producing blocks, and because only he collects rewards there, his recorded stake grows over time. He can therefore produce more and more blocks and eventually reach a state where he alone produces blocks regularly (on average one every 20 seconds, as on the real chain). In theory he can thus create the longest chain, longer than the main chain.

In the beginning, the deceitful chain is almost empty. Over time, it gets progressively denser. Therefore, a large number of blocks are needed for the attack.

We will see later why the attacker has already failed at this point. Before that, let us look at what can increase his chance of success. The attacker may have access to the private keys of other pool operators, which would allow him to create additional fraudulent but valid blocks in the deceitful chain. If he obtained the keys of two other pool operators with a 10% stake each, he would control a total of 40% of the stake. The attack would have a better chance since his chain would be denser from the beginning, though still not as dense as the main chain.

It is theoretically possible that a pool operator backs up the private keys used for block production and sells them to an attacker. For example, the attacker can bribe other pool operators, operators might be willing to sell their keys when they leave the business, or the attacker might manage to steal them. All of these are unlikely on a large scale, but possible.

Cardano’s security increases with the number of independent block producers. It is also much harder to obtain the keys of operators who are still active and earning rewards from the protocol.

Notice that with such keys an attacker can only sign old blocks on a deceitful chain. If the bribed operator has gone out of business, he has no new keys to offer. It is theoretically possible to convince several active pool operators to participate in building a deceitful chain, the motivation being higher rewards. That attack amounts to a 51% attack, since it would require a majority of the stake.

The attacker (or a group of attackers) can increase the chance of enforcing a deceitful chain by staying on the main chain as an active block producer and giving up every chance to produce a block there. The slot remains empty; no one else can fill it. Blocks in the main chain gradually thin out, while the deceitful chain becomes denser towards its end.

Note that the attacker receives no rewards on the main chain for the blocks he deliberately did not produce, so his share of the stake declines relative to operators who keep earning. He can buy coins on the market, but that makes the attack more expensive.

Let’s explore how Cardano defends against the long-range attack. The protocol cannot rely solely on the longest chain rule, so another rule is defined, the Plenitude rule (also called the density rule, from Ouroboros Genesis). For a short fork, one no deeper than k blocks, the longest chain rule still applies. For a fork deeper than that, a node applies the Plenitude rule instead.

The Plenitude rule decides which chain is right by the density of blocks in a fixed window of slots immediately after the fork (the intersection of the two chains). In other words, only the initial part of each chain matters: the chain with more valid blocks in that window is chosen, and the number of blocks further along does not matter.

The rule is based on the assumption that the attacker cannot form many blocks immediately after the fork because he did not have enough stake to do so. As we have shown above, the deceitful chain is almost empty at the beginning.

Simply put, these two rules are enough for a Cardano node to recognize the right chain. It applies the longest chain rule to short forks and the Plenitude rule to deep forks. Most of the time the longest chain rule is all that is needed; the Plenitude rule comes into play only in the event of an attack (or when a node syncs from far behind).
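The following Python example, added here and not taken from the article or from the Cardano node, applies the longest chain rule and the Plenitude (density) rule to two constructed chains in the shape described above: an honest chain with steady density, and an attacker chain that is sparse right after the fork, then densely filled, and longer in total. The scaled-down k and window values are assumptions for the example; the mainnet values (k = 2160, window 3k/f = 129600 slots) are given as constants for reference only.

```python
from dataclasses import dataclass

# Mainnet parameters, for reference: a node rolls back at most k blocks, and the
# density window after a fork is s = 3k/f slots (f = 0.05 is the active slot coefficient).
K_MAINNET = 2160
WINDOW_MAINNET = round(3 * K_MAINNET / 0.05)   # 129600 slots

# Scaled-down values so the constructed chains below stay small (assumption of this example).
K_SCALED = 20
WINDOW_SCALED = 200

@dataclass
class Chain:
    name: str
    fork_slot: int          # slot of the last block shared with the competing chain
    block_slots: list       # ascending slots after fork_slot in which this chain has a block

    def length_after_fork(self) -> int:
        return len(self.block_slots)

    def density(self, window: int) -> int:
        """Number of blocks in the first `window` slots after the fork."""
        end = self.fork_slot + window
        return sum(1 for s in self.block_slots if self.fork_slot < s <= end)

def longest_chain_rule(ours: Chain, other: Chain) -> Chain:
    """Ordinary rule: prefer the chain with more blocks since the fork; ties keep ours."""
    return other if other.length_after_fork() > ours.length_after_fork() else ours

def density_rule(ours: Chain, other: Chain, window: int) -> Chain:
    """Plenitude rule: prefer the chain with more blocks in the window right after the fork."""
    return other if other.density(window) > ours.density(window) else ours

def choose_chain(ours: Chain, other: Chain, k: int, window: int) -> Chain:
    """Chain selection as a node applies it.

    A fork at most k blocks deep on our chain is a normal short fork and the
    longest chain rule decides. A deeper fork would need a rollback of more
    than k blocks, which a node never does on length alone; there the density
    of the window right after the fork decides instead.
    """
    if ours.length_after_fork() <= k:
        return longest_chain_rule(ours, other)
    return density_rule(ours, other, window)

# Constructed sample, fork at slot 0, 1000 slots after it. The honest chain has a
# block every 25 slots (4% density, 40 blocks). The attacker, with a small stake,
# manages only two blocks in the first 200 slots, then pretends to own all the
# stake and fills his chain densely, ending with more blocks in total (68).
HONEST = Chain("honest", 0, list(range(25, 1001, 25)))
ATTACKER = Chain("attacker", 0, [100, 200] + list(range(210, 1001, 12)))

# Constructed short fork: the competing chain split off three blocks ago.
SHORT_OURS = Chain("ours", 5000, [5010, 5035, 5060])
SHORT_OTHER = Chain("other", 5000, [5012, 5030, 5055, 5070])

def compare_rules() -> dict:
    """Which chain each rule picks for the long-range scenario."""
    return {
        "longest": longest_chain_rule(HONEST, ATTACKER).name,
        "density": density_rule(HONEST, ATTACKER, WINDOW_SCALED).name,
        "node": choose_chain(HONEST, ATTACKER, K_SCALED, WINDOW_SCALED).name,
    }

def short_fork_choice() -> str:
    """For a short fork the node simply follows the longer chain."""
    return choose_chain(SHORT_OURS, SHORT_OTHER, K_SCALED, WINDOW_SCALED).name

if __name__ == "__main__":
    print("long-range fork:", compare_rules())   # longest -> attacker, density and node -> honest
    print("short fork:", short_fork_choice())    # other
```

The point the two outputs make is the one the text makes: judged by total length the attacker's chain wins (68 blocks against 40), but judged by the 200-slot window after the fork it has only 2 blocks against 8, because at that point the attacker still had only his real stake. A node only ever consults the window for forks deeper than k, so ordinary short forks are still settled by length.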

Key Evolving Signature

A Key Evolving Signature (KES) scheme is another cryptographic tool that protects Cardano from attacks. Block producers sign new blocks with KES keys. A KES key has a fixed lifetime: it is valid for a limited number of KES periods (roughly three months on mainnet), after which the operator must generate a new one.

It is a forward-secure signature scheme, built on the idea that an attacker must not be able to forge signatures for periods that have already passed. The public key stays the same for the whole lifetime of the key, while the private key evolves from period to period: the key for the next period is derived and the previous one is erased.

Thus nobody can sign blocks with an erased KES key again. If an attacker compromises the key currently used to sign blocks, he can sign blocks for the current period (including earlier slots of that period) and the following ones, but not blocks in periods that are already over. That makes it impossible to rewrite history: already created blocks cannot be re-signed once the signing keys for their periods have been erased. This relies on the assumption that block producers do not intentionally keep old KES keys.
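To make the forward-secure property concrete, here is a toy key-evolving signature scheme in Python, added as an example and not the scheme Cardano uses (mainnet KES is a multi-period construction over Ed25519; this one uses Lamport one-time signatures, one per period, under a Merkle root that serves as the unchanging public key). The period count, the block messages and the “stolen key” scenario in `demo()` are constructed for the example.

```python
import hashlib
import os

PERIODS = 4  # toy value: one one-time key pair per period

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def _bits(msg: bytes):
    d = H(msg)  # the 256 bits of SHA-256(msg), most significant bit first
    for i in range(256):
        yield (d[i // 8] >> (7 - i % 8)) & 1

# Lamport one-time signatures serve as the per-period keys of this toy KES.
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def lamport_sign(sk, msg: bytes) -> list:
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def lamport_verify(pk, msg: bytes, sig: list) -> bool:
    return len(sig) == 256 and all(H(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(msg)))

def leaf_digest(pk) -> bytes:
    return H(b"".join(a + b for a, b in pk))

# Merkle tree over the per-period public keys; its root is the fixed KES public key.
def merkle_root_and_paths(leaves: list):
    level, paths = leaves, [[] for _ in leaves]
    while len(level) > 1:
        for leaf in range(len(leaves)):
            idx = leaf >> len(paths[leaf])      # this leaf's ancestor at the current level
            paths[leaf].append(level[idx ^ 1])  # its sibling joins the authentication path
        level = [H(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], paths

def verify_path(leaf: bytes, period: int, path: list, root: bytes) -> bool:
    node, idx = leaf, period
    for sibling in path:
        node = H(node + sibling) if idx % 2 == 0 else H(sibling + node)
        idx //= 2
    return node == root

class KesKey:
    """Key-evolving signing key: the public key (root) is fixed, past-period secrets are erased."""

    def __init__(self, periods: int = PERIODS):
        pairs = [lamport_keygen() for _ in range(periods)]
        self.sks = [sk for sk, _ in pairs]
        self.pks = [pk for _, pk in pairs]
        self.root, self.paths = merkle_root_and_paths([leaf_digest(pk) for pk in self.pks])
        self.period = 0

    def evolve(self) -> None:
        # Erase the current period's secret and move on. Python can only drop the
        # reference; a real node zeroises memory and never writes the key to disk.
        if self.period + 1 >= len(self.sks):
            raise RuntimeError("key exhausted: a new KES key must be generated")
        self.sks[self.period] = None
        self.period += 1

    def sign(self, msg: bytes):
        sk = self.sks[self.period]
        if sk is None:
            raise RuntimeError("secret for this period was erased")
        return (self.period, lamport_sign(sk, msg), self.pks[self.period], self.paths[self.period])

def kes_verify(root: bytes, msg: bytes, signature) -> bool:
    """Check the one-time signature and that its public key sits at `period` under `root`."""
    period, sig, pk, path = signature
    return lamport_verify(pk, msg, sig) and verify_path(leaf_digest(pk), period, path, root)

def demo() -> dict:
    """Constructed scenario: key stolen in period 2, attacker tries to rewrite period 0."""
    key = KesKey()
    block0 = b"block signed in period 0"
    sig0 = key.sign(block0)
    key.evolve()
    key.evolve()                  # now in period 2; secrets for periods 0 and 1 are gone
    stolen = key                  # attacker obtains the current key state
    block2 = b"attacker block in period 2"
    sig2 = stolen.sign(block2)    # forging current-period blocks works
    relabelled = (0,) + sig2[1:]  # try to pass the period-2 signature off as period 0
    stolen.period = 0             # wind the state back and try to sign for period 0
    try:
        stolen.sign(b"rewritten block in period 0")
        resigned_period0 = True
    except RuntimeError:
        resigned_period0 = False
    return {
        "honest_period0_valid": kes_verify(key.root, block0, sig0),
        "attacker_period2_valid": kes_verify(key.root, block2, sig2),
        "relabelled_as_period0_valid": kes_verify(key.root, block2, relabelled),
        "attacker_resigned_period0": resigned_period0,
    }
```

Calling `demo()` shows the two halves of the argument: the signature made honestly in period 0 still verifies, and the thief can sign blocks for the period in which the key was taken, but he can neither sign a new period-0 block (the material is gone) nor relabel a period-2 signature as period 0 (the authentication path then leads to a different root). A verifying node additionally checks that the period in the signature matches the period the block’s slot falls into, which is what ties a signature to a point in history.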

There is a proposed cryptographic construct, quantum one-shot signatures, which would allow a private key to sign a block (or anything else) once and only once. If that could be implemented and used in Cardano, an attacker could not build private chains with keys that have already been used once in the past. In other words, operators could keep their private keys, but those keys would have no value to an attacker.


No protection mechanism is 100% effective; with enough resources an attack can succeed. Susceptibility to 51% attacks is inherent to decentralized networks: vulnerability is a tax on decentralization. With enough energy and ASIC hardware, one can build a longer chain in a PoW network. In a PoS network, an attacker has a chance to mount a similar attack only if he obtains enough signing keys. Pool operators are expected to keep the cold keys (the pool’s signing key) on a device that is never connected to the Internet, so an attacker can at best obtain the “hot” keys (the KES and VRF keys on the block-producing node), not the cold keys. As the Cardano network becomes more decentralized, the chance of an attack falls: the more independent block producers hold keys, the harder the attack becomes. If old KES keys are erased as intended, a long-range attack is essentially impossible; it would require forging signatures, i.e. breaking the signature scheme by brute force with enormous computing power.

The attacker has one more way to commit a 51% attack on Cardano: buying enough ADA on the open market to dominate the network consensus. However, this attack is economically very costly (buying on that scale would itself drive the price up) and exceeds the cost of a 51% attack on Bitcoin. We consider it almost impossible, yet it is a valid attack vector.

There are Bitcoin pools that have existed since pooled mining was invented, and the same pattern is repeating in the Cardano network. A pool operator who is doing well has no reason to leave the business and join an attack. It is safe to assume that old pools will remain for a long time while new pools gradually appear, and each new single pool operator increases the security of the Cardano network.

Disclaimer: Cardano Feed is a Decentralized News Aggregator that enables journalists, influencers, editors, publishers, websites and community members to share news about the Cardano Ecosystem. User must always do their own research and none of those articles are financial advices. The content is for informational purposes only and does not necessarily reflect our opinion.
