Algorand spec defined how ephemeral keys work. My question is why Algorand doesn’t simply use User Account key for signing the consensus messages? Consider that it brought additional complexity to the code.
Spec says:
This allows Algorand to be secure against dynamic corruptions where an adversary may corrupt a user after seeing her propagate a message through the network. (Recall that since users use their VRFs to perform cryptographic self-selection, an adversary does not even know whom to corrupt prior to round r).
Since the Participant Public Key in known and the ephemeral keys are signed with Participant key, adversary can guess who is signing the message. Did I miss anything?
It’s true but it’s not an issue.
Ephemeral keys are not used to hide identity, they are used to prevent forgeries in the past.
You need ephemeral keys in all cases if you want security
Indeed, if you directly use your participation key, the adversary may fork the blockchain in the past by corrupting a very small percentage of nodes.
Suppose that at round 1, nodes A, B, and C hold 80% of the stake.
But then at round 1000, things get very decentralized and A, B, and C only hold 10% of the stake.
If you don’t use ephemeral keys, by corrupting nodes A, B, C at round 1000 (which only correspond to 10% of the stake), then you can fork the blockchain at round 1!
Ephemeral keys are even more important in the “YOSO” model of Algorand
Algorand is actually secure in a very strong model where the adversary can corrupt any node immediately after they send any message, as long as at most about 20% of the nodes are corrupted at any point in time.
We call this model “You Speak Only Once” (YOSO).
It is important than when corrupted just after sending message for round r step s, no signing material for round r step s is available to the adversary. Otherwise, the adversary may use this signing material to make the node send invalid messages (e.g., trying to propose two blocks / vote on two blocks).