Livres blancs Stories Figures Glossaire Graphique Rechercher
Whitepaper Deep Dive

Algorand: Pure Proof of Stake and Cryptographic Sortition

Silvio Micali's approach to achieving consensus without forks: VRF-based committee selection, BA⋆ agreement, and instant finality.

Algorand Algorand

proof-of-stake-and-instant-finality">Algorand: Pure Proof of Stake and Instant Finality

In 2017, Silvio Micali, a Turing Award-winning cryptographer at MIT, published a whitepaper describing a new blockchain protocol. Unlike most cryptocurrency projects of that era, Algorand came with formal mathematical proofs of its security properties and a detailed analysis of the assumptions on which those proofs rest. The protocol's design reflects decades of academic cryptography: it solves blockchain's hardest problems — scalability, security, and decentralization — through careful application of cryptographic primitives rather than engineering heuristics.

The central claim of the Algorand whitepaper is that the protocol achieves instant, irreversible finality without forks, while keeping participation open to anyone who holds tokens. Understanding how this is possible requires understanding two cryptographic tools that Algorand uses in novel ways: Verifiable Random Functions (VRFs) and Byzantine Agreement.

The Blockchain Trilemma, Algorand's Way

The "blockchain trilemma" — the idea that a blockchain can achieve at most two of decentralization, security, and scalability simultaneously — frames much of the whitepaper's motivation. Proof-of-Work achieves reasonable security and decentralization but sacrifices scalability. Early Proof-of-Stake designs often sacrificed decentralization by concentrating power among large validators.

Algorand's answer is Pure Proof of Stake (PPoS): a system in which every token holder participates in consensus proportionally to their stake, with no delegation, no bonding periods, and no risk of slashing. The security of the network comes from the assumption that more than two-thirds of the total stake is held by honest participants — a weaker and more realistic assumption than requiring honest miners in a PoW system.

Verifiable Random Functions: Secret, Unpredictable Selection

The most distinctive feature of Algorand is how it selects the committees that propose and validate blocks. Rather than announcing validators in advance, Algorand uses a Verifiable Random Function to let each token holder privately determine whether they have been selected for a given round.

How VRF Selection Works

A VRF is a cryptographic function that takes a secret key and a public seed as inputs and produces two outputs: a pseudorandom value and a proof. The crucial properties are:

  1. The output is unpredictable to anyone who doesn't know the secret key.
  2. The proof allows anyone to verify that the output was computed correctly, without revealing the secret key.

In each round of Algorand, every token holder runs the VRF on their private key and the current round's seed. The output determines whether they are selected for that round's committee. The probability of selection is proportional to their stake: a holder with 1% of all tokens has a 1% chance of being selected per token, so on average they participate in 1% of committees.

Crucially, this selection is private until the selected participant reveals it. A malicious actor cannot target validators for attack because they don't know who the validators will be until the validators themselves reveal their selection (along with their VRF proof) when they broadcast a message. By the time an attacker knows who to target, the targeted validator has already sent their message and the round has moved on.

Ephemeral Keys

The whitepaper goes further: Algorand recommends that participants use ephemeral (one-time) keys for signing messages within each round, deleting the keys immediately after use. This provides forward secrecy: even if an attacker compromises a validator after the fact, they cannot forge messages that appear to have been sent in past rounds.

This property is critical for preventing "adaptive adversaries" — attackers who can corrupt validators based on observing who is selected. By making selection unpredictable and messages non-forgeable after the fact, Algorand closes both attack vectors simultaneously.

BA*: Byzantine Agreement with a Cryptographic Twist

Once a committee is selected for a round, it must agree on the next block through a consensus protocol. Algorand uses a protocol the whitepaper calls BA* — a Byzantine Agreement protocol adapted specifically for the blockchain context.

The Two Phases of BA*

BA* runs in two phases per round. In the first phase, the committee runs a reduction protocol that takes the potentially many candidate blocks proposed by selected validators and reduces the choice to at most one. The reduction guarantees that if any honest validator is committed to a value at the end of phase one, all honest validators are considering the same value.

In the second phase, the committee runs a binary Byzantine Agreement on the output of phase one: either commit the block or output an empty block (indicating no agreement). Binary BA is well-studied in the cryptography literature and can be proven to terminate with overwhelmingly high probability.

The combination of these two phases allows Algorand to commit a block in just a few rounds of message passing — typically two to three — without any possibility of a fork.

Why Algorand Cannot Fork

In Bitcoin, two miners can independently find valid blocks at the same time, creating a temporary fork. The network eventually converges on the longest chain, but this convergence takes time and means that recently-confirmed blocks have some probability of being reversed.

In Algorand, a fork requires two conflicting blocks to each receive a certificate — a collection of committee votes representing more than two-thirds of the selected stake. For two conflicting blocks to both be certified, the same validators would need to vote for both. Since the honest validators — representing more than two-thirds of the stake — vote for exactly one block, a second conflicting certificate is computationally impossible to produce.

This means Algorand's finality is truly instant: once a block is certified, it cannot be reversed. Applications built on Algorand can treat one-confirmation transactions as final, which is a meaningful practical advantage for payment applications.

Pure Proof of Stake: No Delegation, No Slashing

Algorand's consensus model is "pure" in the sense that participation is directly proportional to token ownership, with no intermediaries. Other PoS systems often require validators to bond large amounts of stake, creating economies of scale that favor large holders and professional operators. Small holders typically participate only indirectly, by delegating to a validator and trusting that validator to behave honestly.

In Algorand, every token holder participates directly in consensus. The system handles the logistics: VRF selection, committee formation, and BA* all happen automatically as part of the protocol. A holder with a single Algo has the same per-token participation rights as a holder with a million Algo.

There is also no slashing in Algorand. In many PoS systems, validators who behave dishonestly (for example, by signing conflicting blocks) have a portion of their stake destroyed as a penalty. The threat of slashing is meant to deter attacks, but it also creates implementation risk: a software bug that causes a validator to double-sign can result in accidental loss of staked funds.

Algorand avoids slashing by making it mathematically impossible for the system to reach inconsistent state when more than two-thirds of stake is honest. There is nothing to slash because no dishonest behavior can succeed.

AVM: The Algorand Virtual Machine

The Algorand whitepaper focuses on consensus, but the platform has since developed a complete smart contract environment. The Algorand Virtual Machine (AVM) executes contracts written in TEAL (Transaction Execution Approval Language), a stack-based assembly language, or in PyTeal, a Python library that compiles to TEAL.

Algorand contracts come in two forms: stateless smart contracts (LogicSigs) that control transaction authorization, and stateful smart contracts (Apps) that maintain persistent state. This distinction is intentional: many use cases — multi-signature wallets, atomic swaps, simple payment conditions — can be handled by stateless logic that is cheaper and simpler to reason about.

Instant Finality in Practice

The practical implications of Algorand's finality guarantee are significant. Settlement in traditional finance takes days because of the possibility of transaction reversal. Algorand's protocol enables truly final settlement in seconds, opening possibilities for real-world financial applications that cannot tolerate the uncertainty of probabilistic finality.

The Algorand Foundation has pursued this angle aggressively, with integrations in central bank digital currency pilots, supply chain finance, and real estate tokenization — all applications where the irreversibility of settlement is a core requirement rather than a nice-to-have feature. The whitepaper's cryptographic foundations make these applications possible in ways that probabilistically-final systems simply cannot match.

Related Stories

Whitepaper Deep Dive

Bitcoin Whitepaper: A Section-by-Section Analysis

An in-depth analysis of Satoshi Nakamoto's original 2008 whitepaper, breaking down every section from the abstract to t…
Whitepaper Deep Dive

Ethereum Whitepaper: From Bitcoin's Limitations to a World Computer

How Vitalik Buterin reimagined blockchain as a universal computation platform, introducing smart contracts, the EVM, an…
Whitepaper Deep Dive

Solana Whitepaper: How Proof of History Enables 400ms Blocks

Exploring Anatoly Yakovenko's novel clock mechanism that lets Solana achieve sub-second finality and process tens of th…
Whitepaper Deep Dive

Chainlink 2.0: Decentralized Oracle Networks and the Metalayer Vision

A comprehensive look at Chainlink's expanded vision for DONs: hybrid smart contracts, FSS, super-linear staking, and th…