Bitcoin  and its descendants [17, 16] are cryptocurrencies that provide secure automated value exchange without the need of a central managing authority. Instead a decentralized consensus protocol maintains a distributed public ledger known as the blockchain. To be able to rely on public ledger one needs to know that it has reached consensus on a certain block, i.e., when a block will not be reverted anymore, which we refer to as reaching finality. One of the challenges of Nakomoto-like consensus protocols is that they only satisfy eventual consensus, which only guarantees that an ever growing prefix of the chain will be agreed upon by all participants forever onward. The eventual consensus process generally takes tens of minutes and it only gives probabilistic guarantees (for a certain block number at a certain point in time).
Unfortunately these guarantees only hold if the underlying network is well-connected and the client is able to find an uncensored source of information, two assumptions that do not hold in adversarial environments [3, 9, 10]. The underlying problem which enables these attacks is that first generation blockchain protocols do not consider finality (i.e., when will a block never be reverted) as a first class property, prioritising liveness instead.
An alternative to probabilistic finality is having provable finality where anyone can be convinced of the finality of a block, regardless of being a consensus participants or actively following the network.New generation protocols [11, 6, 15] propose the complete opposite. They propose every block to be finalized one by one and to forfeit liveness when finality is not readily achievable. This gives provable finality immediately.Unfortunately, these types of protocols inherit the shortcoming of classic consensus protocol on losing performance when many nodes are required to participate. Hence, they need to put a limit on the number of consensus participants which might lead to centralization.
In this work we show the that the middle ground also merits exploration. The approach that we will take is similar to the approach that Ethereum plans to take with Casper the Friendly Finality Gadget (Casper FFG). We introduces and formalize the idea of lazy finality which is encapsulated in the abstraction of a finality gadget. Separating the liveness of the consensus protocol from the finality of the blocks. This approach has three concrete benefits for the overlying blockchain protocol.
A first benefit is that since consensus is not tied to liveness of the chain we can have optimistic execution. As a result, the chain can grow before it is certain that blocks are valid. Later on, we can finalize blocks when we are sure they are correct i.e., all verification information is available. A second benefit is that we can make some (unsafe) progress when the network is unstable. This enables a fast recovery process when the network heals. Similarly, we can make progress in chain growth even when finlzation is slow, e.g., when we have many particiapnts thus promoting decentenralization.
Third, a finality gadget can be deployed gradually and light clients can choose to consult it or follow the longest chain rule and ignore it, enabling light client heterogeneity. The light client that trust the gadget do not need to have the full chain or actively listen to the network. This can in turn enable scalability in an ecosystem of multiple chains (weather sharding [12, 1, 2] or heterogeneous ), where no single party receives or stores all the data in the system.
In short, we fromalize the abstraction of a finality gadget that runs along any block production mechanism (e.g., Nakamoto consensus) providing provable finality guarantees. We show that it is impossible to satisfy its properties with a deterministic asynchronous protocol. To circumvent this impossibility result, we introduce the GRANDPA finality gadget that works in a partially synchronous network model, in the presence of up to Byzantine actors.
The combination of GRANDPA with a classic block production mechanism like GHOST  results in the existing deployment of the polkadot network 111https://polkadot.network which provides fast finality under good network conditions and protects the clients without compromising the liveness when under attack. The implementation of GRANDPA is available on github 222See https://github.com/paritytech/finality-grandpa and https://github.com/paritytech/substrate/tree/master/client/finality-grandpa.
In summary we make the following contributions:
Introduce the idea of lazy finality and instantiate it through a finality gadget abstraction
Prove that BFG is impossible in asynchrony and present GRANDPA
2 Model, Definitions, and Impossibilities
We want to formalise the notion of finality gadget to be a sub-protocol that can be deployed along any protocol with eventual consensus and probabilistic finality and enhancing such protocol with provable finality. To achieve this, we need to incorporate into the classic definition of Byzantine agreement the fact that we additionally have access to a protocol that would achieve eventual consensus if we did not affect it.
2.1 Byzantine Agreement with a Consistency Oracle
Consider a typical definition of a multi-values Byzantine agreement: We have a set of participants , the majority of whom obey the protocol, but a constant fraction may be Byzantine, meaning they behave arbitrarily, e.g. provide false or inconsistent information or randomly go offline when they ought to be online.
A protocol for multi-valued Byzantine agreement has a set of values and a set of voters , a constant fraction of which may be Byzantine, for which each voter starts with an initial value and, in the end, decides a final value such that the following holds:
Agreement: All honest voters decide the same value for
Termination: All honest voters eventually decide a value
Validity: If all honest voters have the same initial value, then they all decide that value
We can change this definition to assume that instead of having an initial value, all voters have access to an external protocol, an oracle for values, that achieves eventual consensus in that it returns the same value to all voters when called after some unknown time.
We say an oracle in a protocol is eventually consistent if it returns the same value to all participants after some unspecified time.
A protocol for the multi-valued Byzantine finality gadget problem has a set of values , a set of voters , a constant fraction of which may be Byzantine, for which each voter has access to an eventually consistent oracle and, in the end, each voter decides a final value such that the following holds:
Agreement: All honest voters decide the same value for
Termination: All honest voters eventually decide a value
Validity: All honest voters decide a value that returned to some honest voter sometime.
Impossibility of Deterministic Agreement with an Oracle.
For the binary case, i.e. when , the Byzantine finality gadget problem is reducible to Byzantine agreement. This does not hold for , because the definition of validity is stronger in our protocol. Note that it is impossible for multi-valued Byzantine agreement to make the validity condition require that we decide an initial value of some honest voter and tolerate more than a fraction of faults, since we may have a fraction of voters reporting each initial value and Byzantine voters can act honestly enough not to be detectable. For finality gadgets, this stronger validity condition is possible. A natural question is then weather the celebrated FLP  impossibility holds for our stronger requirements. Next, we show that an asynchronous, deterministic binary finality gadget is impossible, even with one fault. This means that the extra information voters have here, that will eventually agree for all voters, is not enough to make this possible.
The asynchronous binary fault tolerant agreement problem is as follows:
We have number of voters which each have an initial in
We may have one or more faulty nodes, which here means going offline at some point. Nodes have asynchronous communication - so any message arrives but we have no guarantee when it will. The goal is to have all non-faulty nodes output the same , which must be if all inputs are and if all are .
Fischer, Lynch and Paterson showed that this is impossible if there is one faulty node.
The binary fault-safe finality gadget problem is similar, except now there is an oracle that any node can call at any time with the following properties:
either always outputs in to all nodes at all times or else there is an in and for each node , there is a such that when calls before . it gives but if it calls after , it returns not .
and we want that if A never switches, then all non-faulty nodes output x. If A does switch then all non-faulty nodes should output the same thing, but it can be 0 or 1.
Then this is also impossible, even for one faulty node, which just goes offline. Note that this generalises Byzantine agreement, since if we could each node could call once at the start and use the output as . (For the multi-valued case, we will define the problem so that this reduction does not hold.)
We follow the notation of  and assume for a contradiction that we use a correct protocol. Let be a run of the protocol where gives all the time. Then by correctness decides . Now we consider what can happen when switches to after each configuration in . If it switches to at the start, then the protocol decides . If we switch to when all node have already decided , then we decide .
We claim that some configuration in the run , where there are two runs from it where is always that decide and . We call such states -bivalent. To see this, assume for a contradiction that contains no such configurations. Then there are successive configurations , such that if return in the future from then we always decide but from , we always decide . Let events be where node (processor/voter) receives message (which may be null) and executes some code where any calls to A return in , then sends some messages. Then there is some event that when applied to gives . Now suppose that goes offline at , then if always returns afterwards, then we still decide . Thus there is a run that starts at where takes no steps, always returns and all other nodes still output . But since takes no steps in , we can apply after and so we have that has a run where always returns but decides , which is a contradiction.
Now let be a -bivalent configuration. We can follow the FLP proof to show that there is a run from for which always returns , all messages are delivered but all configurations are 1-bivalent and so the protocol never decides. This completes the proof by contradiction that there is no correct protocol. ∎
2.2 Definition of a Finality Gadget
In this section we show how to extend the one-shot agreement to agreeing on a chain of blocks. One difficulty in formalising the problem is that the block production mechanism cannot be entirely separate from the finality gadget. In order to finalise new blocks, we must first build on the chain we have already finalised. So at a minimum, the block production mechanism needs to recognise which blocks the finality gadget has finalised. We will also allow the block production mechanism to interact with the state of the finality gadget in other ways.
We want the finality gadget to work with the most general block production mechanisms as possible. Thus we need a condition that combines the property of eventual consensus and this requirement to build on the last finalised block, but is otherwise not too restrictive. We assume a kind of conditional eventual consensus. If we keep building on our last finalised block and don’t finalise any new blocks, then eventually we have consensus on a longer chain than just , which the finality gadget can use to finalise another block. We also want a protocol that does not terminate, but instead keeps on finalising more blocks.
We assume that there is a block production protocol that runs at the same time as the finality gadget protocol . Actors who are participants in both protocols may behave differently in depending on what happened in . However in the reverse direction, the only way that an honest voter ’s behaviour in is affected by is through a voting rule, a function that depends on and its state and takes a block and returns a block at the head of a chain including .
We say that the system , , and achieves conditional eventual consensus, if has finalised a block , then eventually, either will finalise some descendant of or else all the chains with head for all voters at all future states will contain the same descendant of .
Let be a protocol with a set of voters , a constant fraction of which may be Byzantine. We say that solves blockchain Byzantine finality gadget problem if for every block production protocol and voting rule we have the following
Safety: All honest voters finalise the same block at each block number.
Liveness: If the system achieves conditional eventual consensus, then all honest voters keep finalising blocks.
Validity: If an honest voter finalises a block then that block was seen in the best chain observed by some honest voter containing some previously finalised ancestor of ,
As an example, we could assume uses proof of work to build on the longest chain and includes the last block finalised. Then we take as being the longest chain which includes and which sees in state . It is well-known  that longest chain with proof of work achieves eventual consensus under the right assumptions and similar arguments show that in this case we have conditional eventual consensus. As long as we do not change the chain we are building on by finalising another block, we will eventually agree on some prefix longer than the last finalised block. Thus, any finality gadget that satisfies Definition 2.4 will work in this system so that all honest voters finalise an increasingly long common chain. Thanks to the abstraction above, we can switch for one of many possible alternative consensus algorithms and will still work.
: We will be using the partially synchronous network model introduced by  and in particular the gossip network variant used in . We assume that any message sent or received by an honest participant reaches all honest participants within time , but possibly only after some Global Synchronisation Time . Concretely, any message sent or received by some honest participant at time is received by all honest participants by time at the latest.
For each voting step, there is a set of voters. We will frequently need to assume that for each such step, at most voters are Byzantine. We need of voters to agree on finality. Whether or not block producers ever vote, they will need to be participants who track the state of the protocol.
A vote is a block hash, together with some metadata such as round number and the type of vote, such as prevote or precommit, all signed with a voter’s private key.
Each participant has their own idea of what is the current round number. Every prevote and precommit has an associated round number. Honest voters only vote once (for each type of vote) in each round and do not vote in earlier rounds after later ones. Participants need to keep track of which block they see as currently being the latest finalised block and an estimate of which block could have been finalised in the last round.
For block , we write for the chain whose head is . The block number, of a block is the length of . For blocks and , we say is later than if it has a higher block number. We write or that is descendant of for , appearing in the same blockchain with later i.e. with . and are similar except allowing . We write or and are on the same chain if , or ; and or and are not on the same chain if there is no such chain.
Blocks are ordered as a tree with the genesis block as root. So any two blocks have a common ancestor but two blocks not on the same chain do not have a common descendant. A vote for a block by a voter is a message signed by containing the blockhash of and meta-information like the round numbers and the type of vote.
A voter equivocates in a set of votes if they have cast multiple different votes in . We call a set of votes safe if the number of voters who equivocate in is at most . We say that has a supermajority for a block if the set of voters who either have a vote for blocks or equivocate in has size at least . We count equivocations as votes for everything so that observing a vote is monotonic, meaning that if then if has a supermajority for so does , while being able to ignore yet more equivocating votes from an equivocating voter.
For our finality gadget (GRANDPA) we use the ghost  eventual consensus algorithm as . The -GHOST function takes a set of votes and returns the block with highest block number such that has a supermajority for . If there is no such block, then it returns ‘nil‘. Note that, if is safe, then we can compute by starting at the genesis block and iteratively looking for a child of our current block with a supermajority, which must be unique if it exists. Thus we have:
Let be a safe set of votes. Then
The above definition uniquely defines
If has nil, then .
If for then all non-nil are on a single chain with head .
Note that we can easily update to , by checking if any child of now has a supermajority. The third rule tells us that even if participants see different subsets of the votes cast in a given voting round, this rule may give them different blocks but all such blocks are in the same chain under this assumption.
Next, we define a notion of possibility to have a supermajority which says that if the set of all votes in a vote is safe and some participant observes a subset that has a supermajority for a block then all participants who see some other subset still see that it is possible for to have a supermajority for . We need a definition that extends to unsafe sets. We say that it is impossible for a set to have a supermajority for if at least voters either vote for a block or equivocate in . Otherwise it is possible for to have a supermajority for .
Note that if is safe, it is possible for to have a supermajority for if and only if there is a safe that has a supermajority for , which can be constructed by adding a vote from for all voters without votes in and enough voters who already have votes in to bring the number of equivocations up to .
We say that it is impossible for any child of to have a supermajority in if has votes from at least voters and it is impossible for to have a supermajority for each child of appearing on the chain of any vote in . Again, provided is safe, this holds if and only if for any possible child of , there is no safe that has a supermajority for that child.
If and it is impossible for to have a supermajority for , then it is impossible for to have a supermajority for .
If and it is impossible for to have a supermajority for , then it is impossible for to have a supermajority for .
If exists and then it is impossible for to have a supermajority for .
3 Finality Gadget Protocols
In order to find a solution to the finality gadget protocol we look in consensus protocols that solve the stronger problem as described in the previous section. The key idea for our solution is to inherit the safety properties of a consensus protocol, but use the underlying blockchain as the driving force of liveness. This results in a protocol which does not stop when for example the network is split. Instead, only the finalization stops, but the blocks keep getting created and propagated to everyone. This means that when the conditions are safe again, the finality gadget only needs to finalize the head of the chain333Which the oracle will return quickly to a supermajority of miners., instead of having to transmit and run consensus on every block.
3.1 The GRANDPA Protocol
In this section, we give our solution to the Byzantine finality gadget problem, GRANDPA. Our finality gadget works the partially synchronous setting, we also provide a fully asynchronous solution in Appendix LABEL:app:async.
GRANDPA works in rounds, each round has a set of eligible voters, of which are assumed honest. Furthermore, we assume that each round has a participant designated as primary and all participants agree on the voter sets and primary. We will can either choose the primary pseudorandomly from or rotate through the voter set. On a high-level, each round consists of a double-echo protocol after which every party waits in order to detect whether we can finalize a block in this round (this block does not need to be the immediate ancestor of the last finalized block, it might be far ahead from the last finalized block). If the round is unsuccessful, the parties simply move on to the next round with a new primary. When a good primary is selected, the oracle is consistent (returns the same value to all honest parties), and the network is in synchrony (after ), then a new block will be finalized and it will transitively finalized all its ancestors.
More specifically, we let and be the sets of prevotes and precommits respectively received by from round at the current time.
We define to be ’s estimate of what might have been finalised in round , given by the last block in the chain with head for which it is possible for to have a supermajority. Next we define a condition which will allow us to safely conclude that for all that might be finalised in round : If either or it is impossible for to have a supermajority for any children of , then we say that sees that round is completable. is the genesis block, assuming we start at .
In other words, a round is completable when our estimate chain contains everything that could have been finalised in round , which makes it possible to begin the next round .
We have a time bound that after suffices for all honest participants to communicate with each other. Inside a round, the properties both of having a supermajority, meaning , as well as of it being impossible to have a supermajority for some given block are monotone, so the property of being completable is monotone as well. We therefore expect that, if anyone sees a round is completable, then everyone will see this within time . Leaving a gap of between steps is then enough to ensure that every party receives all honest votes before continuing.
In round an honest participant does the following:
A voter can start round when round is completable and has cast votes in all previous rounds where they are a voter. Let be the time starts round . At time , if is the primary of this round and has not finalised then they broadcast . If they have finalised it, they can broadcast anyway (but do not need to). If is a voter for the prevote of round , waits until either it is at least time or round is completable, then broadcasts a prevote. They prevote for the head of the best chain containing unless we received a block from the primary and , in which case they use the best chain containing instead. If is a voter for the precommit step in round , then they wait until and one of the following conditions holds it is at least time , round is completable or it is impossible for to have a supermajority for any child of , and then broadcasts a precommit for ( (iii) is optional, we can get away with just (i) and (ii)).
Note that and may change with time and also that , which is a function of and , can also change with time if sees more votes from the previous round.
If, for some round , at any point after the precommit step of round , we have that is later than our last finalised block and has a supermajority, then we finalise . We may also send a commit message for that consists of and a set of precommits for blocks (ideally for itself if possible see ”Alternatives to the last blockhash” below).
To avoid spam, we only send commit messages for if we have not receive any valid commit messages for and its descendants and we wait some time chosen uniformly at random from seconds or so before broadcasting. If we receive a valid commit message for for round , then it contains enough precommits to finalise itself if we haven’t already done so, so we’ll finalise as long as we are past the precommit step of round .
To analyse the performance of our finality gadget, we will need versions of our properties that appropriately depend on time:
Fast termination: If the last finalised block has number and, until another block is finalised, the best chain observed by all participants will include the same block with block number , then a block with number will be finalised within time .
Recent validity: If an honest voter finalises a block then that block was seen in the best chain observed by some honest voter containing some previously finalised ancestor of more recently than time ago.
Intuitively, fast termination implies that we finalise blocks fast as long as the block production mechanism achieves consensus fast whereas recent validity bounds the cost of starting to agree on something the block production mechanism’s consensus later decides is not the best. In this case, we may waste time building on a chain that is never finalised so it is important to bound how long we do that.
These properties will typically only hold with high probability. In the asynchronous case, we would need to measure time in rounds of the protocol rather than seconds to make sense of these properties. We are also interested in being able to remove and punish Byzantine voters, for which we will need:
Accountable Safety: If blocks on different chains are finalised, then we can identify at least Byzantine voters.
4.1 Accountable Safety
The first thing we want to show is asynchronous safety, assuming we have at most Byzantine voters. This follows from the property that if sees round as completable then any block with has that it is impossible for one of or to have a supermajority for and so was not finalised in round . This ensures that all honest prevotes and precommits in round are for chains that include any blocks that could have been finalised in round . With an induction, this is what ensures that we cannot finalise blocks on different chains. To show accountable safety, we need to turn this proof around to show the contrapositive, when we finalise different blocks , then there are Byzantine voters. If we make this proof constructive, then it gives us a challenge procedure, that can assign blame to such voters.
If the protocol finalises any two blocks for which valid commit messages were sent, but which do not lie on the same chain, then there are at least Byzantine voters who all voted in a particular vote. Furthermore, there is a synchronous procedure to find some such set of Byzantine voters.
The challenge procedure works as follows: If and are committed in the same round, then the union of their precommits must contain at least equivocations, so we are done. Otherwise, we may assume by symmetry that was committed in round and in round . There are at least voters who precommitted or equivocated in round in their commit messages, so we ask those who precommitted why they did so.
Starting with , we ask queries of the following form:
Why was when you prevoted for or precommitted to in round ?
Any honest voter should be able to respond to this, as is shown in Lemma 4.2 below.
The response is of the following form:
A either a set of prevotes for round , or else a set of precommits for round , in either case such that it is impossible for to have a supermajority for .
Any honest voter should respond. In particular, if no voter responds, then we consider all voters how should have responded but didn’t as Byzantine and we return this set of voters, along with any equivocators, which will be at least voters total. If any do respond, then if , we can ask the same query for at least voters in round . We note however that if any voters do respond then we will not punish non-responders.
If we ask such queries for a vote in all rounds between and and get valid responses, since some voter responds when , then we have either a set of prevotes or precommits in round that show it is impossible for to have a supermajority for in round .
If is a set of precommits, then if we take the union of and the set of precommits in the commit message for , then the resulting set of precommits for round has a supermajority for and it is impossible for it to have a supermajority for . This is possible if the set is not safe and so there must be at least voters who equivocate an so are Byzantine.
If we get a set of prevotes for round that does not have a supermajority for , then we need to ask a query of the form
Which prevotes for round have you seen?
to all the voters of precommit in the commit message for who voted for blocks . There must be such voters and a valid response to this query is a set of prevotes for round with a supermajority for and so a supermajority for .
If any give a valid response, by a similar argument to the above, will have equivocations.
So we either discover equivocations in a vote or else voters either equivocate or fail to validly respond like a honest voter could do to a query.
An honest voter can answer the first type of query.
We first show that, if a prevote or precommit in round is cast by an honest voter for a block , then at the time of the vote we had . Prevotes should be for the head of a chain containing either or some by step 2 or 3. In either case we have . Precommits should be for but waits until , by step 4, before precommitting, so again this holds. It follows that, if , then we had .
We next show that if we had at the time of the vote then we can respond to the query validly, by demonstrating the impossibility of a supermajority for . If was not on the same chain with , then by Lemma 2.6 (iii), it was impossible for to have a supermajority for , as desired. If was on the same chain as , then it was on the same chain as as well. In this case, we must have since . However, possibly using that round is completable, it was impossible for to have a supermajority for any child of on the same chain with and in particular for the child of on . By Lemma 2.6 (i), this means did not have a supermajority for , again as desired.
Thus we have that, at the time of the vote, for one of , , it was impossible to have a supermajority for . The current sets and are supersets of those at the time of the vote, and so by Lemma 2.6 (ii), it is still impossible. Thus can respond validly.
This is enough to show Theorem 4.1. Note that if sees a commit message for a block in round and has that , for some completable round , then they should also be able to start a challenge procedure that successfully identifies at least Byzantine voters in some round. Thus we have that:
If there at most Byzantine voters in any vote, was finalised in round , and an honest participant sees that round is completable, then .
We show the protocol is deadlock free and also that it finalises new blocks quickly in a weakly synchronous model. For this section, we will assume that there are at most Byzantine voters for each vote, and so that the sets of prevotes and precommits for each round are safe.
We define be the set at time and similarly for and the block .
We first show that the completability of a round and the estimate for a completable round are monotone in the votes we see, in the latter case monotonically decreasing:
Let be (possibly identical) honest participants, be times, and be a round. Then if and and sees that is completable at time , then and sees that is completable at time .
Since sees that is completable at time , either requiring votes, or else it is impossible for to have a supermajority for any children of , requiring votes. In either case, both and contain votes from voters and so the same holds for and . By Lemma 2.5 (ii), . As it is impossible for to have a supermajority for any children of , it follows from Lemma 2.6 (i & ii) that it is impossible for as well, and so both and sees is completable at time . But now and are the last blocks on for which it is possible for and respectively to have a supermajority, As it is possible for to have a supermajority for , then it is possible for to have a supermajority for as well, by Lemma 2.6 (ii) and tolerance assumptions, so . ∎
4.2.1 Deadlock Freeness
Now we can show deadlock freeness for the asynchronous gossip network model, when a message that is sent or received by any honest participant is eventually received by all honest participants.
Suppose that we are in the asynchronous gossip network model and that at most voters for any vote are Byzantine. Then the protocol is deadlock free.
We need to show that if all honest participants reach some vote, then all of them eventually reach the next.
If all honest voters reach a vote, then they will vote and all honest participants see their votes. We need to deal with the two conditions that might block the algorithm even then. To reach the prevote of round , a participant may be held up at the condition that round must be completable. To reach the precommit, a voter may be held up by the condition that .
For the first case, the prevote, let be the set of all prevotes from round that any honest voter saw before they precommitted in round . By Lemma 2.5, when voter precommitted, they do it for block . Let be the set of precommits in round cast by honest voters. Then for any block , does not contain any votes that are and so it is impossible for to have a supermajority for . In particular, it is impossible for to have a supermajority for any child of .
Now consider a voter . By our network assumption, there is a time by which they have seen the votes in and . Consider any . At this point we have . It is impossible for to have a supermajority for any child of and so , whether or not this inequality is strict, we satisfy one of the two conditions for to see that round is completable at time . Thus if all honest voters reach the precommit vote of round , all honest voters reach the prevote of round .
Now we consider the second case, reaching the precommit. Note that any honest prevoter in round votes for a block where is the time they vote. Now consider any honest voter for the precommit . By some time , they have received all the messages received by each honest voter at time and ’s prevote. Then by Corollary 4.3, . Since contains these , . Thus if all honest voters prevote in round , eventually all honest voters precommit in round .
An easy induction completes the proof of the proposition. ∎
4.2.2 Weakly synchronous liveness
Now we consider the weakly synchronous gossip network model. The idea that there is some global stabilisation time() such that any message received or sent by an honest participant at time is received by all honest participants at time .
Let be the first time any honest participant enters round i.e. the minimum over honest participants of .
Assume the weakly synchronous gossip network model and that each vote has at most Byzantine voters. Then if , we have that
for any honest participant ,
no honest voter prevotes before time ,
any honest voter precommits at the latest at time ,
for any honest , .
Let be one of the first honest participants to enter round i.e. with . By our network assumption, all messages received by before they ended are received by all honest participants before time . In particular at time , sees that all previous rounds are completable and so by Corollary 4.3, so does every other honest participant by time . Also since for , at some time , again by Lemma 4, for all honest , . Looking at the conditions for voting, this means that any honest voter does not need to wait before voting in any round . Thus they cast any remaining votes and enter round by time . This shows (i).
For (ii), note that the only reason why an honest voter would not wait until time is when voters have already prevoted. But since some of those votes are honest, this is impossible before
Now an honest voter prevotes at time and by our network assumptions all honest participants receive this vote by time . An honest voter for the precommit has also received all messages that received before they prevoted by then. Thus the block they prevoted has , since this holds for every honest voter , . Thus they will precommit by time which shows (iii).
By the network assumption an honest voter ’s precommit will be received by all honest participants by time . Since will also have received all prevotes say when they precommitted by this time, their vote will have . Thus contains precommits from voters with and thus it is impossible for to have a supermajority for any children of . Thus sees that round is completable at time . Since they have already prevoted and precommitted if they were a voter, they will move to round by at latest . This is (iv). ∎
Suppose and very vote has at most Byzantine voters. Let be the set of prevotes ever cast by honest voters in round . Then
any honest voter precommits to a block ,
every honest participant finalises by time .
For (a), we separate into cases based on which of the conditions (i)-(iii) that we wait for to precommit hold.
For (i), all honest voters prevote in round by time . So any honest voter who precommits at or after time has received all votes in and by Lemma 2.5, precommits to a block .
For (ii), we argue that no honest voter commits a block first. The result will then follow by an easy induction once the other cases are dealt with. Suppose that no honest voter has precommitted a block so far and that a voter votes early because of (ii).
Note that, since we assume that all precommits by honest voters so far were , it is possible for to have a supermajority for . For (ii) to hold for a voter i.e for round to be completable, it must be the case that either it is impossible for to have a supermajority for or else be impossible for to have a supermajority for any children of . By Lemma 2.6 cannot have . But by Lemma 2.5, these are on the same chain and so . Since this is the block precommits to, we are done in case (ii)
For (iii), let be the voter in question. Note that since honest voters prevoted , it is possible for to have a supermajority for . By Lemma 2.5, is on the same chain as . For (iii), it is impossible for to have a supermajority for any children of . If we had , by Lemma 2.6, this would mean that it would be impossible for to have a supermajority for as well. So it must be that as required.
For (b), combining (a) and Lemma 4.6 (iii), we have that any honest voter precommits by time . By our network assumption, all honest participants receive these precommits by time and so finalise if they have not done so already. ∎
Suppose that , the primary of round is honest and no vote has more than Byzantine voters. Let be the block broadcasts if it is not final. Then every honest prevoter prevotes for the best chain including and all honest voter finalise by time .
By Lemma 4.6 and our network assumptions, no honest voter prevotes before time and so at this time, they will have seen all prevotes and precommits seen by at and the block if broadcast it then. By Lemma 4.4, any honest voter has then.
So if the primary broadcast , then prevotes for the best chain including . If the primary did not broadcast , then they finalise it. By Corollary 4.3, it must be that and so and so in this case also prevotes for the best chain including .
Since all honest voters prevote , and so by Lemma 4.7, all honest participants finalise by time ∎
Suppose that and the primary of round is honest. Let be the latest block that is ever finalised in rounds (even if no honest participant finalises it until after ). If all honest voters for the prevote in round agree that the best chain containing include the same child of , then they all finalises some child of before .
By Corollary 4.3, any honest participant sees that during round . Let be the primary of round and . If , then by Lemma 4.8, all honest participants finalise by time which means they finalised a child of . If , then by Lemma 4.7, all honest voters prevote for the best chain including . By assumption these chains include and so . By Lemma 4.7, this means that is finalised by time . ∎
4.2.3 Recent Validity
Suppose that , the primary of round is honest and all votes have at most Byzantine voters. Let be a block that less than honest prevoters in round saw as being in the best chain of an ancestor of at the time they prevoted. Then either all honest participants finalise before time or no honest participant ever has or .
For , suppose that an honest participant finalises at time but that no honest voter has seen as in the best chain containing some ancestor of in between times and , then at least rounds in a row had Byzantine primaries.
- Al-Bassam et al.  Mustafa Al-Bassam, Alberto Sonnino, Shehar Bano, Dave Hrycyszyn, and George Danezis. Chainspace: A Sharded Smart Contracts Platform. In 25th Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, February 18-21, 2018, 2018.
- Androulaki et al.  Elli Androulaki, Christian Cachin, Angelo De Caro, and Eleftherios Kokoris-Kogias. Channels: Horizontal Scaling and Confidentiality on Permissioned Blockchains. In European Symposium on Research in Computer Security, pages 111–131. Springer, 2018.
- Apostolaki et al.  Maria Apostolaki, Aviv Zohar, and Laurent Vanbever. Hijacking Bitcoin: Large-scale Network Attacks on Cryptocurrencies. 38th IEEE Symposium on Security and Privacy, May 2017.
- Avarikioti et al.  Georgia Avarikioti, Eleftherios Kokoris-Kogias, and Roger Wattenhofer. Divide and scale: Formalization of distributed ledger sharding protocols. arXiv preprint arXiv:1910.10434, 2019.
- Buchman et al.  Ethan Buchman, Jae Kwon, and Zarko Milosevic. The latest gossip on bft consensus. arXiv preprint arXiv:1807.04938, 2018. URL https://arxiv.org/abs/1807.04938.
- Decker et al.  Christian Decker, Jochen Seidel, and Roger Wattenhofer. Bitcoin Meets Strong Consistency. In 17th International Conference on Distributed Computing and Networking (ICDCN), Singapore, January 2016. URL http://www.tik.ee.ethz.ch/file/ed3e5da74fbca5584920e434d9976a12/peercensus.pdf.
- Dwork et al.  Cynthia Dwork, Nancy Lynch, and Larry Stockmeyer. Consensus in the presence of partial synchrony. Journal of the ACM (JACM), 35(2):288–323, 1988.
- Fischer et al.  Michael J Fischer, Nancy A Lynch, and Michael S Paterson. Impossibility of distributed consensus with one faulty process. Journal of the ACM (JACM), 32(2):374–382, 1985. URL https://groups.csail.mit.edu/tds/papers/Lynch/jacm85.pdf.
- Gervais et al.  Arthur Gervais, Hubert Ritzdorf, Ghassan O Karame, and Srdjan Capkun. Tampering with the Delivery of Blocks and Transactions in Bitcoin. In 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 692–705. ACM, 2015. URL https://eprint.iacr.org/2015/578.pdf.
- Heilman et al.  Ethan Heilman, Alison Kendler, Aviv Zohar, and Sharon Goldberg. Eclipse Attacks on Bitcoin’s Peer-to-Peer Network. In 24th USENIX Security Symposium, pages 129–144, 2015. URL https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-heilman.pdf.
- Kokoris-Kogias et al.  Eleftherios Kokoris-Kogias, Philipp Jovanovic, Nicolas Gailly, Ismail Khoffi, Linus Gasser, and Bryan Ford. Enhancing Bitcoin Security and Performance with Strong Consistency via Collective Signing. In Proceedings of the 25th USENIX Conference on Security Symposium, 2016.
- Kokoris-Kogias et al.  Eleftherios Kokoris-Kogias, Philipp Jovanovic, Linus Gasser, Nicolas Gailly, Ewa Syta, and Bryan Ford. OmniLedger: A Secure, Scale-Out, Decentralized Ledger via Sharding. In 39th IEEE Symposium on Security and Privacy, pages 19–34. IEEE, 2018.
- Lewenberg et al.  Yoad Lewenberg, Yonatan Sompolinsky, and Aviv Zohar. Inclusive block chain protocols. In International Conference on Financial Cryptography and Data Security, pages 528–547. Springer, 2015.
- Nakamoto  Satoshi Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System, 2008.
- Pass and Shi  Rafael Pass and Elaine Shi. Hybrid Consensus: Efficient Consensus in the Permissionless Model. Cryptology ePrint Archive, Report 2016/917, 2016.
- Sasson et al.  Eli Ben Sasson, Alessandro Chiesa, Christina Garman, Matthew Green, Ian Miers, Eran Tromer, and Madars Virza. Zerocash: Decentralized anonymous payments from Bitcoin. In Security and Privacy (SP), 2014 IEEE Symposium on, pages 459–474. IEEE, 2014.
- Wood  Gavin Wood. Ethereum: A Secure Decentralised Generalised Transaction Ledger. Ethereum Project Yellow Paper, 2014.
- Zamyatin et al.  Alexei Zamyatin, Mustafa Al-Bassam, Dionysis Zindros, Eleftherios Kokoris-Kogias, Pedro Moreno-Sanchez, Aggelos Kiayias, and William J Knottenbelt. Sok: Communication across distributed ledgers. Technical report, IACR Cryptology ePrint Archive, 2019: 1128, 2019.