Understanding Cardano Certificates

Published 18.8.2023

Staking is based on certificates that are stored in the blockchain. Pool operators (SPOs) must register their pool through certificates. Stakers must create certificates in order to delegate staking rights to chosen pools. Behind all of this are cryptographic keys. Come and dive into the world of Cardano certificates.

Production of blocks

In the Cardano network, only the entity that owns ADA coins can produce blocks. ADA is a scarce resource on which the decentralization and security of the network are based. Every entity that wants to produce blocks in the Cardano network must operate a Cardano node and register it as a pool through a certificate. All ADA owners, including pool operators, can delegate ADA coins (staking rights) to the chosen pool, for which they also need to create a certificate and submit it to the blockchain.

No central entity controls these processes. Anyone can become an ADA coin owner or register as a pool operator without third-party permission. Anyone can delegate ADA to a chosen pool.

In order to properly understand certificates and how block production works, you must first know about the structure of addresses.

Cardano uses a unique address structure that allows the right to spend coins to be separated from the delegation of staking rights. The Shelley payment addresses consist of two parts: payment credentials (which define how funds can be spent from a given address) and a reference to a stake address.

The stake address defines whether ADA on payment addresses will be used for staking and in what way. The stake address allows staking rights to be exercised through credentials (a staking key or the hash of a script).

There are dedicated key pairs for both, i.e. a pair of keys for the spending address and a pair of keys for the staking address.

In the picture below you can see the Shelley payment address. UTxO and credentials are stored in the left part named Funds. Credentials define the possibility of spending funds through a signing key or script. In the right part named Stake Address Reference, there is a reference to the Stake Address.

The stake address is used as input to create the delegation certificate. Note the link between the payment address and the reference to the stake address. The number of ADAs on addresses may change (the user of the address can buy more ADA coins or spend them), or the user may create multiple new addresses referencing the same stake address.

The reference points to the credentials, i.e. to the staking key (or hash of script) which can be used to delegate ADA coins from the funds section. Alternatively, it can refer to a certificate containing credentials or Null. A Null value means that funds cannot be delegated (i.e. used for staking).
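The address layout described above can be made concrete with a small parser. This is an added example, not code from the original article; it assumes the header-byte layout from CIP-19 (address type in the high nibble, network id in the low nibble), Blake2b-224 credential hashes, and constructed sample keys.

```python
import hashlib

HASH_LEN = 28  # credentials are 28-byte Blake2b-224 hashes
# CIP-19 header high nibble -> (payment credential kind, stake reference kind)
ADDRESS_TYPES = {
    0: ("key hash", "stake key hash"),
    1: ("script hash", "stake key hash"),
    2: ("key hash", "stake script hash"),
    3: ("script hash", "stake script hash"),
    4: ("key hash", "pointer"),   # reference to a registration certificate
    5: ("script hash", "pointer"),
    6: ("key hash", None),        # Null reference: funds cannot be delegated
    7: ("script hash", None),
}


def credential(verification_key: bytes) -> bytes:
    """Hashed form of a verification key, as stored inside an address."""
    return hashlib.blake2b(verification_key, digest_size=HASH_LEN).digest()


def parse_shelley_address(raw: bytes) -> dict:
    """Split raw address bytes into payment credential and stake reference."""
    if len(raw) < 1 + HASH_LEN:
        raise ValueError("address too short")
    addr_type, network = raw[0] >> 4, raw[0] & 0x0F
    if addr_type not in ADDRESS_TYPES:
        raise ValueError(f"not a Shelley payment address (type {addr_type})")
    payment_kind, stake_kind = ADDRESS_TYPES[addr_type]
    payment, rest = raw[1:1 + HASH_LEN], raw[1 + HASH_LEN:]
    if stake_kind is None and rest:
        raise ValueError("unexpected bytes after payment credential")
    if stake_kind == "pointer" and not rest:
        raise ValueError("missing certificate pointer")
    if stake_kind not in (None, "pointer") and len(rest) != HASH_LEN:
        raise ValueError("stake credential must be 28 bytes")
    return {"network": network, "payment_kind": payment_kind,
            "payment": payment, "stake_kind": stake_kind,
            "stake_ref": rest or None, "can_delegate": stake_kind is not None}


# Constructed sample keys (not real): 32-byte verification keys.
PAY_VKEY, STAKE_VKEY = b"\x01" * 32, b"\x02" * 32
BASE_ADDR = bytes([0x01]) + credential(PAY_VKEY) + credential(STAKE_VKEY)
ENTERPRISE_ADDR = bytes([0x61]) + credential(PAY_VKEY)

if __name__ == "__main__":
    for name, addr in (("base", BASE_ADDR), ("enterprise", ENTERPRISE_ADDR)):
        info = parse_shelley_address(addr)
        print(name, info["stake_kind"], "can delegate:", info["can_delegate"])
```

Both sample addresses share the same payment credential; only the stake reference decides whether the funds can take part in staking.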

Note that the stake address contains a non-UTxO-based account in which the system accumulates rewards for staking. The owner of the staking key (or script) has control over the staking rewards and can withdraw them. Both stakers and pool operators use a similar mechanism to delegate ADA to a pool.

All ADA coins (that is, all stake addresses) that have been delegated to a pool are included in the total stake of that pool in the slot leader election. The number of blocks that a pool can mint per epoch (how many times it is elected as slot leader) depends on the size of the total stake. The amount of the reward depends on the number of blocks that the pool mints (a slot leader can miss a slot and not create a block for some reason). If the total stake is low, it may happen that the pool does not mint a single block. In this case, it will not receive any reward.

When the pool operator creates a registration certificate, in addition to other parameters (which we will talk about below), he defines a reward for himself (fixed reward and margin). This will affect the amount of reward for delegators (stakers). Rewards are distributed automatically by the Cardano protocol. Pool operators have no control over the distribution of staking rewards to reward accounts. As already mentioned, only the one who holds the staking key can withdraw rewards from the reward account.

Certificates

In this section, we will focus on certificates. For the sake of simplicity, we will not deal with the possibility of delegating staking rights through scripts. In the explanations, we will only consider a pair of keys: a Signing Key (a private key that the owner must keep secret) and a Verification Key (a public key that can be published). In the images, the signing key will be shown in red and the verification key in green. Verification keys are mostly used in hashed form, which we will not show in the pictures. You can think of the hashed form as another representation of the same value (one string becomes another string, always the same when repeated).

The image below shows the user's control over spending funds and the delegation of staking rights through signing keys. A verification spending key is used to create a spending address. To spend funds from the address, a corresponding signing spending key is required. The verification staking key is used to generate the stake address. The signing staking key is required for delegating staking rights (ADA coins) and also for withdrawing staking rewards from the reward account. Users keep signing keys secret (ideally in cold storage, i.e. on Trezor or Ledger HW wallets). Blockchain addresses are public.

In order to use ADA coins for block production, it is necessary to register stake addresses and delegate them to pools. This takes place through the creation of certificates which are subsequently submitted to the network through transactions. All certificates are stored in the blockchain, i.e. publicly available to all participants.

Certificates are valid until they are overwritten by the owner of the signing staking key or until they expire. In case of expiration, the certificate can be renewed. This concerns only one type of certificate that must be renewed by pool operators. Certificates used by regular stakers are valid forever until overwritten (de-registration).

Below is a list of all certificates that can be created and stored in the Cardano blockchain.

  • Stake address registration certificate
  • Stake address de-registration certificate
  • Delegation certificate
  • Stake pool registration certificate
  • Stake pool retirement certificate
  • Operational key certificate

Stakers (including pool operators) only use certificates related to the registration of stake addresses and delegation. Pool operators must register the pool through a certificate and regularly renew its ability to mint blocks, also through a certificate.

Staker certificates

To delegate ADA coins to a pool, two certificates must be used: A stake address registration certificate and a delegation certificate. It is possible to de-register a stake address through a stake address de-registration certificate.

In the picture below, you can see how the user creates stake address certificates for multiple payment addresses (they are all associated with the same stake address). Registration requires possession of the signing staking key. This process is similar for both stakers and pool operators.

Certificates for registration and de-registration must contain a stake address and credentials (verification key). When registering stake addresses, a reward account is created. The reward account is deleted when the stake address is de-registered. A witness is not required to register a stake address, unlike de-registration.

Once stake addresses are registered, they can be delegated to a pool.

The user (in the picture it is Alice) can transfer the staking rights of a given stake address to a stake pool by creating a delegation certificate and submitting it to the Cardano blockchain. The delegation certificate contains a stake address associated with payment addresses and a stake pool verification key (ID), which is the identifier of the pool to which ADA coins are to be delegated.

In the picture, you can see the pool operator (Bob) who owns the signing key that represents ownership of the pool. Alice found the pool ID by name in the wallet. That is, according to the name that Alice chose, the wallet inserted the corresponding ID into the certificate.

A stake address registration certificate is only needed when a staker wants to register a new stake address on the blockchain, which is a one-time operation. A delegation certificate is needed whenever a staker wants to delegate or redelegate their stake to a stake pool of their choice.

Users do not have to create certificates manually, because wallets do it for them. They just choose one of the pools offered by the wallet and sign the transaction. The transaction contains a certificate, and after being included in a block, the certificate becomes part of the blockchain.

Pool operator certificates

The pool operator must create several key pairs that are required for pool registration.

  • Stake pool key pair (cold key)
  • Key-Evolving Signature (KES) key pair (hot key)
  • Verifiable Random Function (VRF) key pair (hot key)
  • Stake address key pair (cold key)

A stake pool key pair is used for pool identification (verification key), signing certificates for pool registration (and retirement), and delegating (transferring) rights for a KES key in an operational key certificate. We will talk more about it later.

The signing KES key is used for signing minted blocks by the node. The verification KES key is used for the validation of blocks by other nodes.

The signing VRF key is used by a node to find out if it has become the slot leader in a given slot. On all pool nodes, a private lottery takes place in each slot, in which one or more nodes get the right to mint a block. The verification VRF key is used by other nodes to verify the VRF proofs that are inserted into newly minted blocks. Any node can verify that the proposer of the new block actually won the VRF lottery in the given slot.

The pool operator also owns the staking keys to its stake address which is used as a reward address for the registered pool.

The most important key pair is the stake pool key pair, because it identifies the pool, and because the certificates for pool registration (and retirement) and the operational key certificates must be signed with its signing key.

If the signing keys stored by the node in hot storage are compromised, the signing pool key can be used to create new certificates that invalidate the previous ones. The pool operator has full control over the pool if he is the sole owner of the stake pool key. This is why it is essential that the signing pool key is stored in cold storage.

You can see the pool registration in the image below. The pool operator (Bob) created 4 pairs of keys: Stake pool keys, KES keys, VRF keys, and stake address keys. The verification stake pool key is used to identify the pool and also as one of the inputs for creating a pool registration certificate. In addition, the verification VRF key, verification stake address key (reward address), a list of other stake addresses of the operator, parameters defining the reward for the operator (fixed fee and margin), and IP or DNS addresses of all relay nodes are inserted into the certificate.

Optionally, a URL and a hash of the URL content for additional metadata about the pool can be inserted into the certificate. This data is displayed in wallets for users looking for a pool to delegate ADA to. If no URL and content hash are provided, the stake pool will not be listed in wallets (it can be a private pool).

The certificate must be signed by the signing stake pool key. This is the most important step in creating a certificate, as no one but the owner of the key can do it.

Note that there are KES and VRF keys in hot storage on the node. The node needs the keys to be able to produce blocks (VRF lottery and signing of blocks).

A list of stake addresses controlled by the pool operator can be inserted into the certificate. If these addresses are delegated to the same pool that is registered through the delegation certificate, ADA will count as a pledge of the operator (skin in the game of the operator). Inserting stake addresses in the certificate is not enough to delegate ADA coins. The pool operator must create a delegation certificate and submit it to the network, similar to what stakers do. During the distribution of rewards, the rewards will not be paid to the accounts of these stake addresses, but to the stake address account (reward address) of the pool operator. In the picture, this stake address (reward address) corresponds to the staking address key. Note that the signing key is also stored in cold storage. This key is used by the operator to withdraw rewards from the account.

Note that the KES key was not inserted into this certificate.

The stake pool retirement certificate contains only the verification stake pool key (ID) and the epoch number from which the pool should stop producing blocks and thus become retired.

When the pool operator submits the stake pool registration certificate to the network, the pool is registered, but it cannot yet start producing blocks. The operator must send one more certificate, namely the operational key certificate.

In order to achieve maximum key security, it is necessary for the operator to follow the hot and cold key arrangement. This significantly reduces the risk associated with the exposure of keys on the node (KES and VRF keys in the hot storage).

The operator always keeps the signing stake pool key in cold storage (off the internet) and uses it at regular intervals to sign a new operational key certificate. The signing stake pool key is used to transfer the signing right to the KES key (also called an operational key), which is stored in hot storage on the node and is used to sign new blocks. If the hot KES key is compromised, the operator can immediately create a new operational key certificate (with a higher counter number) and thereby invalidate the previous one.

The signing KES key expires at regular intervals, specifically after 90 days. The pool operator must always create a new operational key certificate, sign it with the signing stake pool key, and submit it to the network.

The old signing KES key will be used to generate a new KES key. The old KES key is subsequently deleted. This protects the immutability of blockchain history. The KES key can only be used to sign blocks in a given time period. The verification KES key that was inserted into the stake pool registration certificate remains the same (it is not necessary to change it when creating a new signing KES key).

The operational key certificate contains a slot from which it will be valid for 90 days (KES period), verification KES key, verification stake pool key (ID), and counter number. The counter number is a value that indicates how many times the operational key certificate has been renewed. This value is incremented every time a new operational key certificate is created. This immediately invalidates the old certificate (with a lower counter number).
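The counter and KES-period rules above can be modelled in a few lines. This is an added example, not code from the original article or from the Cardano node: a simplified model that checks only the validity window and the counter (the cold-key signature check is left out). The parameter values are assumed mainnet genesis values, and the pool ID and key names are constructed.

```python
from dataclasses import dataclass

# Assumed protocol parameters (mainnet genesis values, 1 slot = 1 second):
# 62 periods of 129,600 slots give roughly the 90-day lifetime described above.
SLOTS_PER_KES_PERIOD = 129_600
MAX_KES_EVOLUTIONS = 62


@dataclass(frozen=True)
class OpCert:
    pool_id: str           # verification stake pool key (ID)
    kes_vkey: str          # verification KES key
    counter: int           # incremented on every renewal
    start_kes_period: int  # first KES period in which the certificate is valid


class OpCertTracker:
    """Per-pool view of the highest certificate counter seen so far."""

    def __init__(self):
        self.highest_counter = {}

    def check(self, cert: OpCert, slot: int) -> str:
        current = slot // SLOTS_PER_KES_PERIOD
        if current < cert.start_kes_period:
            return "rejected: not yet valid"
        if current >= cert.start_kes_period + MAX_KES_EVOLUTIONS:
            return "rejected: KES key expired"
        if cert.counter < self.highest_counter.get(cert.pool_id, -1):
            return "rejected: superseded by a newer certificate"
        self.highest_counter[cert.pool_id] = cert.counter
        return "accepted"


def demo() -> list:
    """Constructed scenario: the hot KES key leaks and the operator rotates."""
    p = SLOTS_PER_KES_PERIOD
    tracker = OpCertTracker()
    old = OpCert("pool-bob", "kes-vkey-old", counter=3, start_kes_period=400)
    new = OpCert("pool-bob", "kes-vkey-new", counter=4, start_kes_period=410)
    return [
        tracker.check(old, 405 * p),  # normal operation with the old cert
        tracker.check(new, 409 * p),  # new cert used before its start period
        tracker.check(new, 410 * p),  # new cert becomes valid
        tracker.check(old, 411 * p),  # stolen old key can no longer sign
        tracker.check(new, 472 * p),  # new cert past its 62 KES periods
    ]


if __name__ == "__main__":
    print("\n".join(demo()))
```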

In the picture below, you can see how the pool operator created an operational key certificate, which allows the node to mint new blocks for 90 days through the renewed signing KES key. Note that the operational key certificate must be signed by the signing stake pool key.

Once the network reaches the slot specified in the operational key certificate, the pool can be elected as a slot leader and mint a new block. The block will be signed with a valid KES key. All other nodes in the network can easily verify the signature through the verification KES key, which was included in the stake pool registration certificate.

Conclusion

All participants are able to find all information about the distribution of ADA on payment addresses, stake addresses, delegations to pools, and pools from the on-chain data. Thanks to the certificates and cryptographic proofs contained in the block headers, everyone can validate the blocks and verify that they were minted and correctly signed (signed with a KES key that is valid for the given KES period) by the nodes that actually became the slot leaders in the given slots.

Cardano's security and decentralization are based on the ownership of signing keys and certificates that are publicly available to everyone through the blockchain. Anyone who owns ADA coins essentially can decentralize Cardano, as they have direct control over who will produce blocks. ADA holders can use certificates to register pools and delegate ADA coins to them without the need to obtain permission from a third party.
