Skip to main content

How baking works?

In this section, we will discuss how baking works. The different actors of the mechanism and the technological solutions will be presented.

Bakers help running Tezos network by creating and attesting blocks, tez holders can stake/delegate to a baker to participate to its stake

FIGURE 1: How Baking Works?

Actors

Three types of actors are involved in the block creation process:

  • The Delegate, that can play two roles, by running two daemons:
    • a Baker, who participates in the consensus by creating new blocks and by attesting the blocks created by other bakers.
    • an Accuser, who participates in the consensus by monitoring validators works.
  • The Delegator, that can delegate their tokens to a Delegate.
  • The Staker, which is a Delegator that further stakes their tokens to their chosen Delegate.

Roles of a delegate

Baking blocks

Baking blocks is the act of creating, signing and publishing blocks.

Bakers select and validate all transactions and add them to the blockchain. If a baker behaves dishonestly, the protocol has a built-in mechanism that can cause them to lose their security deposit.

Bakers are rewarded with tez for securing the network.

In Tezos, the right to produce a block in cycle n is assigned to a randomly selected delegate in a randomly selected stake snapshot from cycle n-consensus_rights_delay-2.

Bakers of each block are randomly selected from the list of all nodes that have declared themselves as delegates, in proportion to the amount of tez they have (+ tez from external stakers and delegators).

A baker does not necessarily need delegators or stakers to function, they can play solo, but they have fewer chances to be selected for baking.

The selected baker is allowed to create the next block and add it to the chain then communicate it to the network. They receive a certain number of tez as a reward.

Several bakers are elected to create a priority list for baking any given block. The one with the highest priority will try to create a block. If they fail to do so within the time limit, the hand will pass to the next baker. A block generated by any other baker than the one at the current priority level will be invalid and refused by the network.

To create blocks, a baker has to freeze part of their tokens.

A baker can be marked as either active or passive. A passive delegate cannot be selected for baking or attesting. A baker becomes passive in cycle n if they fail to create any block or attestation in the past consensus_rights_delay cycles, that is to say, in cycles n-1, n-2, …, n - consensus_rights_delay.

Accusation

In the role of accusers, delegates monitor that other bakers do not create nor attest two competing blocks at the same level.

If an accusation is correct, the accuser gets a part of the funds that were frozen by the baker as a reward. The remaining part is burned.

Any attempt to fraud is therefore punished.

Cryptocurrency tokens or coins are burned when they are permanently removed from the circulating supply on purpose.

Cycle

The Tezos consensus is organized in cycles. One cycle corresponds to BLOCKS_PER_CYCLE = 24,576 blocks (≈ 2.8 days).

Delegates' rights selection

At each cycle, a random seed is created. A pseudo-random number generator uses the seed to generate the priority list based on a stake snapshot 2 cycles ago.

Random seed

Since Tezos runs a deterministic protocol, there is no real randomness. More specifically, there is no randomness in the snapshot selection and baking/attestation slots attribution, i.e., we know the result before the operation occurs (unlike in PoW where you can only estimate it).

The seed is a random number created by gathering secret numbers (nonces) from all delegates and combining them into a hash. This seed ensures unpredictability and fairness in the outcome, as it’s generated collectively. To prevent manipulation, a Commit & Reveal process is used: delegates first commit to their secret number without revealing it, and then reveal it. This two-phase approach ensures that no single delegate can influence the result, securing the seed's randomness and integrity.

The random seed for cycle n is a 256-bit number generated at the very end of cycle n-1 from the previous seed and the nonces that delegates commit during cycle n-2.

In cryptography, a nonce (number used once) is an arbitrary number intended to be used only once.
A commitment is the hash of a nonce.

Commit phase: 1) Alice computes her commitment 2) Alice hands her commitment to Bob. Reveal phase: 1) Alice reveals her nonce to Bob 2) Bob computes Alice's commitment 3) Bob compares Alice's commitment to what he computed. If they are equal, Alice was honest and the commitment is verified

FIGURE 2: Commit & Reveal

One out of every BLOCKS_PER_COMMITMENT (= 32 blocks) can contain a commitment. There are therefore, at most BLOCKS_PER_CYCLE / BLOCKS_PER_COMMITMENT (= 128 commitments) per cycle. The commitment is generated by the baker who produces the block and is included in the block header.

In summary, the seed for cycle n is a hash created from:

  • the seed of cycle n-1, a constant.
  • every nonce that was revealed in cycle n-1

This seed is used to randomly select:

  • a stake snapshot from cycle n-2
  • delegates in the selected snapshot

Baker selection

The generated list of priorities identifies which delegate has the responsibility to bake a block and which delegates have to attest this new block. It is a round-robin process that cycles on the list of priorities until the end of the cycle (4096 blocks).

A round robin is a way of choosing all elements in a group equally in some rational order, usually from the top to the bottom of a list and then starting again at the top of the list and so on.

Minimum time delay before baking a block

The minimum time delay between two blocks is 10 seconds, reached if the baker is of priority 0 and has gathered at least 66.7% of the attestations. If the priority 0 baker fails to bake, the priority 1 baker may then bake after a certain time, defined by a so-called round duration function. To be able to bake as rapidly as possible, the baker must gain enough attestations (66.7%, that is, endrosements with endrosing power of at least 4,667 out of 7,000). Rounds follow the structure below:

round_duration(0)=minimal_block_delay\bm{round\_duration(0) = minimal\_block\_delay}
round_duration(r+1)=round_duration(r)+delay_increment_per_round\bm{round\_duration(r+1) = round\_duration(r) + delay\_increment\_per\_round}
round_duration(r+1)=minimal_block_delay+(r+1)delay_increment_per_roundd\bm{round\_duration(r+1) = minimal\_block\_delay+(r+1) ∗ delay\_increment\_per\_roundd}

Round duration thus increases linearly with DELAY_INCREMENT_PER_ROUND = 5s, MINIMAL_BLOCK_DELAY = 10s,r = round.

Any block proposed ahead of the minimum time delay is automatically rejected under the protocol's rules.

Remote signing

Remote signing software is one way to reduce the exposure of private keys during baking operations.

In the block validation process (baking/attestation), the software interacts with a private key management system (e.g. Ledger Nano S, a remote machine communicating via a secure channel).

Remote signing involves physically separating baking/attestation requests originating from the network and intended for a given delegate, from that delegate's signing operation. The Octez client implements several built-in signing mechanisms (unix, tcp, http, and https) that use different communication channels to send signing requests for the baker.

The following events occur during a remote signing operation:

  1. The node sends a signing request to the remote signing software that interacts with the private key management system.
  2. The remote signing software verifies what the operation involves − usually the creation of a block or an attestation (The third, rarer option is a nonce revelation.) − then sends it to the key management system, which signs the operation.
  3. The signature is then validated by the remote signing software and sent back to the Tezos node, which propagates the operation to the network.

The key should preferably be held in a hardware vault so it is never directly accessible on the network. Moreover, it is more secure to ensure that the hardware vault authorizes only block signing rather than the signing of just any transaction (i.e. such as not to create a blind signing mechanism). For example: Ledger Nano S together with Kiln meets these two conditions.

In summary

  • At each cycle, a priority list of bakers is chosen and up to 7,000 delegates are chosen to attest the block of bakers. The bakers are elected pseudo randomly in proportion to the quantity of tez that they possess (+ staked + delegated).

By abuse of language, we often designate by bakers: the different validators creating blocks and attesting them. Because in practice, they are the same entities that carry out the operations of creation and validation of blocks.

  • To become a delegate, one must freeze a part of their tokens, at least 6000ꜩ.

  • A baker is a delegate and the one who delegates their tez is a delegator. Note that a baker does not necessarily need delegators to operate, they can play solo, but they will be less likely to be selected to create the block, because they will have less funds at their disposal.

  • Several bakers are added to a priority list. The one with the highest priority will try to create a block. If they fail to do so within the time limit, the hand will pass to the next baker. And so on.

  • The first baker who manages to create the block will be able to add it to the blockchain. They will receive a certain number of tez as a reward. In turn, bakers share the additional revenue generated from the delegated tokens with the delegators, in proportion to their participation.

  • The accusers monitor the process and punish the cheaters.

Conclusion

The Tezos consensus protocol uses the Liquid Proof of Stake algorithm. Delegates (people who have at least 6,000 ꜩ of delegated funds) are given the responsibility of creating and attesting blocks. They are rewarded for their action. They are also required to lock a portion of their capital as a security deposit to ensure honest behavior.