Cardano & Algorand: Leader Selection Explained
In this post we’ll talk about the difference between Cardano and Algorand when it comes to leader election that is how do you choose who makes the next block in these networks. Now obviously Cardano and Algorand are very different projects, but they’re both proof of stake blockchain so it’s interesting to compare them and see how they’re different.
Classical consensus BFT vs Nakamoto consensus
Terminology note: Although we will define these terms in more detail soon, we first clarify terminology: protocols that follow classical consensus usually are shortened to be called just “BFT” protocols. Example: Tower BFT (Solana), Tendermint BFT (Cosmos), etc. This is usually done to contrast them against Nakamoto consensus protocols (despite the fact Nakamoto consensus is also Byzantime Fault Tolerant)
Two key points where these two chains differ that matter for our discussion:
- Cardano is UTXO-based for smart contracts and Algorand is account based.
- Cardano is Nakamoto-based and Algorand is classical BFT-based. You might not have heard of these definitions, so let us give you an intuition about how these are different and some of the implications because this is really key for understanding why these protocols are so different. Usually, with the Nakamoto consensus, from a high level point of view it’s a system where anybody can join there’s no restriction for joining the network. For example, for Bitcoin is Nakamoto consensus (which is named after Satoshi Nakamoto) where as long as you have a computer anywhere in the world, you can start mining Bitcoin and, if you find one block, you can publish the block you found. There’s no kind of committee you have to apply for to join — it’s all open. Similarly, Cardano is also Nakamoto consensus. As long as you have ADA on the network, you can start your own stake pool or delegate with any amount of ADA you have — there’s no kind of committee you have to join to take part in. More classical BFT protocols, on your hand, tend to be run by committees that vote to reach consensus. For example, you have a committee of 10 people and then if you want to join the committee you need to be invited to the committee by the existing members. The goal of Algorand is to leverage this BFT model, but instead make committee membership be based off token ownership of the network (the ALGO token). This the interesting approach of the Algorand blockchain — trying to leverage the advantages of more classical BFT consensus, but still keep it decentralized using proof of stake. So what are the implications of Nakamoto consensus versus more classical BFT? What does this actually change when it comes to protocols because this is the the key to understanding why these Protocols are designed so differently.
Difference #1: Scalability
First let’s talk talk about scalability: scalability in the Nakamoto consensus case is hard and what we mean is that there’s a reason that Cardano, Bitcoin and Ethereum all have very low transactions per second — either 1-digit or 2-digit. It’s because it’s very hard to have a high scalability in a fully decentralized network if you don’t know who the members of the system are and where they’re geographically located. It often means you need a lot of time to wait for any potential response to make sure that the data actually propagates through the entire network no matter where the participants are locate. Classical BFT protocols, on the other hand, have a much easier time with scalability because they usually have a relatively small committees and all you need is to come to consensus between these committee members. This makes it much easier to coordinate, has a much lower network overhead, and allows you to move much faster. For example Algorand has 5-digit TPS and other examples of BFT blockchains include Solana, Aptos and Sui who also have high TPS values. So usually anytime you hear a blockchain that talks about transactions per second in the 4-digits, 5-digits or 6-digits transactions per second, it’s a pretty good bet that this is a BFT protocol. So with BFT, you get you know really good scalability, really good performance, really good latency in BFT.
Difference #2: Safety
What about safety? With BFT, you take a cost on safety. With Nakamoto consensus, if you want to attack the network, you need more than 50% of the network (often referred to as 51% attack). There’s a caveat that if you have 33% of the network there is something called “selfish mining”, but generally speaking you need 50% of network. Whereas in more classical BFT Protocol, if an adversary has more than a 33% of the stake (so one-third), they can usually attack the protocol. So you take a hit in security on top of the decentralization with classical BFT protocols.
Difference #3: Finality
Finality says how long it take for the blockchain to have confirmation that it won’t revert — you won’t have a rollback — the state won’t be undone. In Nakamoto consensus, usually you have probabilistic finally. In classical BFT, often you have instant or near-instant which means that for example in the Algorand blockchain, once the blockchain has finalized a block, there’s no way for it to rollback. You’ll often hear, for example, Algorand talk about how it’s a blockchain without forks — where forks aren’t possible and this is thanks to them using classical BFT. However, in Cardano, Bitcoin and Ethereum for example, you can have a rollback so the state of the blockchain might get undone and this can be a way for people to do 51% attacks. It means also if you’re building a protocol on top of Cardano, you need to make sure that you wait enough time to have enough probabilistic finality. Now this might sound really bad, but actually if you assume an adversary has 10% of the tokens (they own 10% of the Cardano Network) usually waiting 10 blocks (so about 200 seconds) will give you as good probability finality as you’ll ever need. Obviously this is still a decent amount of time, but it’s not that big in the grand scheme of things.
Additionally, you can use solutions like Multiverse by dcSpark, which can give you faster finality on these these times. It can do this because usually there’s two ways to attack the network: there’s a way to do an overt attack, where people know you’re attacking their work; and a way to do a covert attack, where people don’t know you’re attacking the network. It’s much harder to pull off a covert attack, and so Multiverse essentially tries to detect if a overt attack is happening and assumes that a covert attack is not happening. This assumption allows you to reduce this 200 seconds to a much shorter time frame.
Addresses and keys
To understand how we know who the participants are on the network, first, we’ll talk about addresses. In Algorand you have a fixed address (keep in mind this is the account model), and in Cardano it’s the utxo model and your addresses are actually split up into two parts: the first part is the payment key which decides which utxos you can spend with a certain private key, and the second part is a staking key which is how we decide who gets the staking rights and the delegation rights to any ADA stored inside these utxos. Now, if you want to participate in the Algorand network, the equivalent to the staking key is something that you generate as a separate thing called a participation key now. In both cases, the staking key and participation key, by default, are not registered on the network, in the sense that by default there is no participation key for an Algorand address unless you create it and, on Cardano’s side, the staking key exists, but it does not actually do anything unless you actually register it, which means if you ever try to delegate your ADA on Cardano, the first thing the wallet will ask you to do is ask you to pay a 2ADA deposit to register your staking key on the network so that the Cardano protocol knows to track your staking key, check who is delegating to this staking key, who it is delegating to, and how much it is associated with that staking key. So if you use any Carano wallet, when you want to delegate for the first time, or if you want to create a staking pool, you’ll be asked to do a staking key registration which happens on-chain. Similarly, for Algorand, you can generate this participation key and then you also register the this participation key on-chain. So from this perspective, they’re fairly simple and fairly similar. The only difference is that in Algorand, the participation key is separate from the address, whereas in Cardano they’re coupled together where the address contains both things.
“Delegated” PoS vs Pure PoS
Terminology note: where I say “delegated” proof-of-stake to mean a proof-of-stake protocol that supports delegation. Be careful, because there is a name conflict with a different protocol called “dpos” (which unfortunately stands for “delgated proof of stake”). You may occasionally see people refer to Solana, Cosmos, Cardano as “delegated” proof of stake protocols, but in those context they mean a proof of stake protocol that supports delegation, and not the “dpos” model (which is a more classical BFT system and not Nakamoto consensus). You can learn more about this topic here
So now you you’ve created your your staking key, now how do you actually do something with it? Well here’s another difference between the two protocols. In Cardano, you have a Proof of Stake that supports delegation, which means that you have the choice between creating a stake pool yourself, or delegating your Ada to somebody else. Whereas in Algorand, you have Pure Proof of Stake, which means that there is no delegation mechanism — you cannot delegate to a stake pool you cannot run a stake pool, but you can participate in these Proof of Stake protocol yourself as an individual. So in Cardano, there’s such a thing as a key delegation certificate, similar to a key registration certificate, where you delegate Ada to somebody else — to their stake pool. Whereas in Algorand, there’s no such concept as delegation you are simply participating in the protocol as yourself.
Slots, blocks, epochs and rounds
So imagine you’re running a Cardano stake pool and you want to make blocks. How do you know if if you’re making a block well? Cardano is split into slots, and you have epochs, and somewhere in between there’s “blocks”. The concept is that slots in Cardano are one second, so every second there’s a new slot that gets created. These slots may or may not contain blocks, so you can have some empty slots and occasionally a slot with a block in it. These blocks are created by stake pools and we’ll see later when a slot is empty and when the slot will have a block in it and we’ll make the distinction more clear. The creation of blocks and Slots is based off snapshots of the network state, so every five days a new epoch in Cardano the network will take a new snapshot of everybody’s balances and that will be used for future epochs of the proof of stake. The system kind of evolves over time with these snapshots. Now Algorand has a similar system, but instead of slots they call them “rounds””, so you have rounds and some of these rounds may have blocks in them some, and some of these rounds may have empty blocks in them . Instead of having a kind of more clear Epoch usually they say stuff like “a thousand rounds will be used as the interval between refreshing the network”, and so you can kind of think of this this magic number as the equivalent of an epoch.
Repeating protocols
So now we have a system with with we have blocks, we have rounds, and now we have to talk about what happens inside one epoch, and what happens inside this thousand round range. How does the protocol behave inside this, and then once we know what happens in one epoch, we know that the protocol repeat. First we do epoch 1, then 2, then 3. It’s the same protocol that repeats over time and that’s actually where the name Ouroboros comes from if you’re curious. Cardano’s proof of stake algorithm is called Ouroboros which is a snake eating its own tail, and the reason it’s called like that is because you first you have epoch 1 which feeds into epoch 2, which feeds into epoch 3. It’s the imagery you have to have in mind to understand how this works.
Source of randomness
We want to be able to create a block for example on Cardano. Well, how do you do this? First, we want to have randomness in the protocol — for example we want to give everybody a random chance of creating a block based on how much stake they own. So maybe if you own 10 Ada, you should create 10% of all of blocks. We want this to be random, so you don’t know which 10 you’re going to make — you just know that on average, you’re going to get around 10% of the blocks. There’s a lot of ways to get a randomness inside protocols. One of them you might have heard of MPC (you don’t need to know what this, but just know that Cardano used to use MPC. There was a version 1 of Cardano that used an MPC protocol to generate randomness and the way it worked is that all the stake pools got together and they generated a source of randomness together and then use that to feed the protocol. This is really inefficient, both in size and in computation time, and so Cardano no longer uses it), and the other is VRFs (verifiable random functions). Both Cardano and Algorand use VRFs. In fact Algorand was one of the pioneers who did work on VRFs, and were one of the inspirations for Cardano’s protocol. VRFs are a way to generate random numbers that are verifiable — you can verify the random number was generated correctly. Now, if you want to know how that’s possible, you can find a video about “verifiable random functions” on YouTube by our CTO Sebastien that talks about the math in more detail here, but if you don’t want to know how the math works, just know that there’s a way to generate random numbers where you can prove that the number really is random.
Generating the key ahead of time
Now that we have a way to generate random numbers, and what we want is to have is that every stake pool in Cardano has their own VRF key, and similarly every participant inside the Algorand network will have its own VRF key, and this VRF key that you generate for your stake pool or you generate as a participant in the Algorand network will be what decides how you when you’re able to create a block. The key thing to note is that the VRF key has to be created ahead of time, so this key you create will be before this set of rounds — before this Epoch. You’ll create your VRF key and you’ll submit your participation key to the network and then your participation key and your VRF key will be taken into account in a future protocol execution iteration. Same thing for Cardano — when you create your stake pool in Cardano, you do not get to participate in the proof of State protocol right away — you have to wait a few epochs before you can actually start participating in the protocol and that’s why if you’ve ever delegated to a stake pool in Cardano, you’ll know that it takes 15–20 days for your delegation certificate to actually come into an effect. The reason for that is because if it was used right away, you could keep creating VRF keys until you find one that works best for the specific epoch and then use that. Since you’re generating the VRF key ahead of time, you cannot take advantage of this — you’ll have to pre-commit to it in a sense.
Number of people elected for a specific slot
So now we have our protocol, and we have our VRF keys for both networks, and we want to decide “okay well how do we know if we’re actually elected to create a block for this slot”. We mentioned that the blockchain has one second slots, and we want to know whether or not we are able to make a block for this specific slot. There might be somebody elected, and there might be nobody elected. To understand why, think about how everybody has their own VRF key and their VRF key decides whether or not they are elected for a specific slot. There might be, just by random chance, multiple people elected for the same block. We might have a VRF key that says “oh you’re elected for this block”, and somebody else might have a VRF key that also says they’re elected for this block, so some blocks have multiple blocks posted. Conversely, slots and Cardano have no blocks where nobody won nobody had the right VRF for that specific block — or maybe somebody had the right VRF, but their state pool was offline at that time and so there’s just no block for that slot. The same thing applies for Algorand as well, so there might be nobody elected, or there might be multiple people elected. The difference is that Cardano tries to have about one person — that’s the target goal. Whereas Algorand tries to have many people — for example for block proposer selection, Algorand defines some parameter that’s equal to 26 that means they want around 26 people elected. The reason this is different is because in Cardano you’re aiming to elect a single person that makes a single block whereas in Algorand (remember we mentioned it’s more of a classical BFT protocol) you need to elect a committee of people. That means you need to select not just one person, but to to select an entire committee. If you make the committee size 26, then those 26 people will get together and decide the result of that step of the protocol which ultimately decides the valid extension of the blockchain. To make it a bit more detailed, those 26 people will not decide the next block per se — the 26 people will propose blocks. They’ll each make a block that they’ll propose and then there will be some future steps in which different committees decide which block is the one that wins. We won’t go into that that far into the protocol, but hopefully that gives you the right intuition.
Now that we have an idea of how this VRF key is used, what is your probability of being selected to be a block producer? We mentioned that for Algorand we’re aiming for 26 approximately, and for Cardano we’re aiming for approximately one. Well how does that actually work? How do we actually get one, or how do we get to 26?
Cardano selection mechanism
First let’s start with Cardano. Let us give you some math. It’s kind of unfortunate, but there will be a bit of math in this post, but hopefully not too much. Keep in mind the VRF will give you a random number between 0 and 2⁵¹². Generally speaking, you can see this as equivalent to a random number between 0~1 (just squish everything down to fit).
Now that you have a random number from 0~1 you want to check in the Cardano case “p” (which is this the random number that results from this VRF) is less than 1 — (1 — F)^σ .
That’s the equation that decides if you’re elected for a block. Now let us go through this equation and detail, so you understand all the parameters that are that are in play.
What is the “F ” term?
First what is this “F ” parameter here? F decides what percentage of Cardano slots should have a block and in Cardano that is equal to 0.05 which means you’re have a block every 20 seconds (1/20 = 0.05). As we explain, the the idea is that if we had a block every second, this would be too much for the protocol to handle. Keep in mind Cardano’s not using classical BFT consensus — it’s Nakamoto consensus. You have people all over the world creating blocks and that’s just too much to have one second block time. The network would get out of sync — before your block reaches other people, they would already be creating their own block. Since one second is just too fast, the idea is that we want not every block to have a slot, and instead to have around one block every 20 seconds, and that’s what this F parameter decides.
So if you go all the way to F=0, what happens is that you now have p< 1 — (1–0)^σ = 1–1 = 0. Since p < 0 can never happen, you will never have any blocks on the network
So if you go all the way to F=1, what happens is that you now have p< 1 — (1–1)^σ. This cancels out to just p<1, and remember that we said we’re generating a random number from 0~1, so this means that you always get to create a block. So don’t set f equals one — you’re setting yourself up to break the network, and so that’s why F is like a fairly small number such as right now it’s 0.05 which corresponds to one block every 20 seconds.
What is the “σ ” term?
Next, what is this σ term? It indicates how much your stake you own in the network and is set between 0~1. 0 means that you have no stake in the network, and 1 means that you have all the Ada in the world and the network belongs entirely to you. So this σ term is basically your Ada divided by all the ADA on the network. So if you have 100 Ada, and there’s 45 billion Ada in total, the value of σ would be 100/45 billion.
So let’s see what happens σ=1 — when we have all the the Ada on the network. You have p < 1 — (1–0.05)¹ = (1–0.95) = 0.05 which is equal to f as expected
So now what happens when you have, σ is instead equal to zero. Now you’ll have p < 1 — (1–0.05)⁰. Keep in mind anything to the power of zero is 1, so it’s equal to p< 1–1 = 0, which means that you never make a block.
So you can see that if you set σ=1, you get f. If you set σ=0, you have no chance of making a block.
Now, every single time there’s a slot in the network, you somehow include the information about that slot inside your VRF you run your VRF for that specific slot. Then, you check the result of this equation and if you win the equation then you get to propose a block for that slot. Now, there might be two people elected for the same block as we mentioned, and this is sometimes called in Cardano a “slot battle” which means there’s two different stake pools elected for the same block. When that happens, you want to have a tie breaker and the tiebreaker right now is just lowest value of the VRF output (this changed recently in the last hard fork), but you can just have any kind of arbitrary tiebreaker — whatever you prefer just to to decide who gets to be the real uh block maker for that slot.
Algorand selection mechanism
Now, what happens on Algorand? Algorand is fairly different because you don’t want to have for a single person, and instead want to have 26 people elected. So how do you choose who these people are? The idea is that again, you run your VRF, and again this will give you a number between 0~1.
Keep in mind this time we want this VRF to not choose a single person, but instead choose a committee of 26. We accomplish that by taking the VRF output as a position on a range from 0 to “a”, where we’re going to say “a” is the amount of Algo you have. So if you have a million Algo, this will be from 0~1,000,000.
We want this this range to represent how many Algo you have and every Algo is like a lottery ticket. If you think about the Cardano case, all the Ada is treated the same — all gets grouped together into one σ term and that’s all that really matters. On Algorand, it’s better to visualize it like a lottery where every single Algo you have is a lottery ticket, so if you have 5 algo, you have five lottery tickets. So 26/(total amount of algo in existence) is the number of winning tickets, and your chance of having a winning ticket is a probability distribution that chooses how many winning tickets you have.
Let’s give an example. Imagine you have a lottery system and you have a 25% chance of winning the lottery, and you you play twice. You have four cases, you might win twice, you might win and then lose, you might lose and then win, and you might lose twice.
So the chance you win twice is 25% * 25% = 6.25%
The chance that you win and then you lose is 25% * 75% = 18.75%
The chance you lose and win is 75% * 25% = 18.75%
The chance that you lose twice is 75% * 75% = 0.5625%
So this gives you a probability distribution and, if you calculate how that looks, you’ll notice that the buckets are not of even length. Instead what you get is a large bucket of 0 (ex: lose twice), a slightly smaller bucket of 1, some even smaller bucket of 2, all the way on until you get a really small bucket of just “a”.
So the question is if you have a million algo, how many of these are winning tickets? the chance that you get three winning tickets is your chance that your VRF lands the “3” bucket. By setting this (called the Bernoulli distribution) as the probability distribution, you will end up with about 26 people who win the election and who then become the block proposes for that specific round. Again, because this is all probability based, you might have less than 26, you might have more than 26, and it’s shown that in the Algorand paper that the chance that you get zero people is basically negligible and for any reasonable probability you’ll get around 1~70 people. So you might have some rounds with one person elected and only one, and you might get some rounds with 70 people elected.
So how do you do the tie breaking between them? Like in Cardano there’s only going to be one actual block at the end of the day. Let’s see an example where you win twice:
- you take the hash of the VRF output and combine it with 1 up to the number of times you’ve won.
ex:
- hash(vrf_output || 1)
- hash(vrf_output || 2)
where || here means concatenation. - Take the largest of these two values and that’s what we submit out to the chain.
Once everybody who’s selected does this, you take the highest values and that’s the person that wins the block.
Algorand’s multiple elections per block
Another difference between Cardano and Algorand is that on Cardano’s side, once you’ve created your block, you publish it and you walk away and you’re done, whereas in on Algorand’s side, the protocol continues. In Algorand, once you’ve done this whole protocol and you find the block producers and you select which block got the highest value, next you have to do more rounds of voting and each round of voting reruns VRFs with new people. The idea is that first you decide the block producers, then you vote on who wins, then you do a soft vote to try and gain larger agreements on which block has won, and lastly you do a certify vote to get the final result. Every time you do this voting step, you become more and more certain of the result using a larger and larger committee of people. So the difference is that in Cardano, you’re you’re running a single VRF for the slot, but in Algorand’s case, the VRF you run multiple VRFs — one for each step in the protocol that requires a committee, each time giving you a different number from zero to one. There might be multiple times that you’re elected for different roles for the same block.
VRF randomness source
The VRF is source of randomness is decided once every Epoch for Cardano, and a thousand rounds for Algorand. That means when you’re running a block for Algorand, you’re referring to the randomness sets at the last set of 1000 rounds. For Cardano, you’re running the VRF based off the randomness of previous epochs. In both cases, the way the randomness is refreshed is that every block created in the network contributes a bit of randomness that will be used when refreshing the randomness in future epochs.
Long-range attacks and key deletion
We want to avoid people accidentally keep their private keys that they used to create blocks. The reason you do this is because imagine you run a stake pool for a year and create a bunch of blocks, and then at some point decide to sell all your Algo or sell all your Ada. You might as well also sell my private key for your stake pool. However, if you do this, then you’re actually attacking the network because somebody can use my key for your stake pool and use it to try and attack the part of the blockchain history that included your old blocks by creating new and different blocks using your key to try and fork the chain. To avoid this Cardano, uses a system called KES (key evolving signatures) which means that you make blocks on the Cardano network with a key that evolves over time, so that even if you retire a stake pool and you stop making blocks, you no longer have the old keys used to make older blocks you created in the past. The way Algorand handles this is that the participation key is actually creating multiple ephemeral keys that are used in single rounds, and then get deleted as once the round is done.
Conclusion
Hopefully this gives you a general idea of the difference between the two protocols. There are a few other points that we didn’t mention — especially what happens after the block gets created, how do you validate blocks and and so — but this post should have given you the background to dig deeper yourself.
Both of these are very interesting in their own way, they both have trade-offs. You’re now well-equipped to go on and learn more about different proof-of-stake protocols (there are many out there that all work slightly differently), or you can use this knowledge to help you dig deeper into either Cardano or Algorand and get deeper into those communities both of which are exciting in their own way.
Our company dcSpark does work in both protocols, so you may also be interested in our work!
