We've heard for a long time that it's possible to achieve consensus with 50% fault tolerance in a synchronous network where messages broadcasted by any honest node are guaranteed to be received by all other honest nodes within some known time period. If an attacker has than 50%, they can perform a "51% attack", and there's an analogue of this for any algorithm of this type. more We've also heard for a long time that if you want to relax the synchrony assumption, and have an algorithm that's "safe under asynchrony", the maximum achievable fault tolerance drops to 33% ( , , etc all fall into this category). PBFT Casper FFG But did you know that if you add assumptions (specifically, you require , ie. users that are not actively participating in the consensus but care about its output, to also be actively watching the consensus, and not just downloading its output after the fact), you can increase fault tolerance all the way to 99%? even more observers This has in fact been known for a long time; Leslie Lamport's famous 1982 paper "The Byzantine Generals Problem" (link ) contains a description of the algorithm. The following will be my attempt to describe and reformulate the algorithm in a simplified form. here Suppose that there are consensus-participating nodes, and everyone agrees who these nodes are ahead of time (depending on context, they could have been selected by a trusted party or, if stronger decentralization is desired, by some proof of work or proof of stake scheme). N We label these nodes . Suppose also that there is a known bound on network latency plus clock disparity (eg. = 8 seconds). Each node has the ability to publish a value at time (a malicious node can of course propose values earlier or later than ). 0 . . . N -1 D D T T All nodes wait seconds, running the following process. Define as "the value signed by node ", as "the value signed by , and that value and signature together signed by ", etc. The proposals published in the first stage will be of the form for some and , containing the signature of the node that proposed it. (N - 1) ∙ D x : i x i x : i : j x i j v : i v i If a validator receives some message , where is a list of indices that have (sequentially) signed the message already (just by itself would count as , and as ), then the validator checks that (i) the time is less than , and (ii) they have not yet seen a valid message containing ; if both checks pass, they publish . i v : i[1] : . . . : i[k] i[1] : . . . : i[k] v k = 0 v : i k = 1 T + k ∙ D v : i[1] : . . . : i[k] : i At time , nodes stop listening. At this point, there is a guarantee that honest nodes have all "validly seen" the same set of values. T + (N - 1) ∙ D If the problem demands choosing one value, they can use some "choice" function to pick a single value out of the values they have seen (eg. they take the one with the lowest hash). The nodes can then agree on this value. Now, let's explore why this works. What we need to prove is that if one honest node has seen a particular value (validly), then every other honest node has also seen that value (and if we prove this, then we know that all honest nodes have seen the same set of values, and so if all honest nodes are running the same choice function, they will choose the same value). Suppose that any honest node receives a message that they perceive to be valid (ie. it arrives before time ). Suppose is the index of a single other honest node. Either is part of or it is not. v : i[1] : . . . i[k] T + k ∙ D x x i[1] : . . . i[k] In the first case (say for this message), we know that the honest node had already broadcasted that message, and they did so in response to a message with signatures that they received before time , so they broadcast their message at that time, and so the message must have been received by all honest nodes before time . x = i[j] x j - 1 T + (j - 1) ∙ D T + j ∙ D In the second case, since the honest node sees the message before time , then they will broadcast the message with their signature and guarantee that everyone, including , will see it before time . T + k ∙ D x T + (k + 1) ∙ D Notice that the algorithm uses the act of adding one's own signature as a kind of "bump" on the timeout of a message. It's this ability that guarantees that if one honest node saw a message on time, they can ensure that everyone else sees the message on time as well, as the definition of "on time" increments by more than network latency with every added signature. In the case where one node is honest, can we guarantee that passive (ie. non-consensus-participating nodes that care about knowing the outcome) can also see the outcome, even if we require them to be watching the process the whole time? observers With the scheme as written, there's a problem. Suppose that a commander and some subset of (malicious) validators produce a message , and broadcast it directly to some "victims" just before time . The victims see the message as being "on time", but when they rebroadcast it, it only reaches all honest consensus-participating nodes after , and so all honest consensus-participating nodes reject it. k v : i[1] : . . . i[k] T + k ∙ D T + k ∙ D But we can plug this hole. We require to be a bound on network latency plus clock disparity. We then put a different timeout on observers: an observer accepts before time . D two times v : i[1] : . . . i[k] T + (k - 0.5) ∙ D Now, suppose an observer sees a message an accepts it. They will be able to broadcast it to an honest node before time , and the honest node will issue the message with their signature attached, which will reach all other observers before time , the timeout for messages with signatures. T + k ∙ D T + (k + 0.5) ∙ D k +1 Retrofitting onto other consensus algorithms The above could theoretically be used as a standalone consensus algorithm, and could even be used to run a proof-of-stake blockchain. The validator set of round of the consensus could itself be decided during round of the consensus (eg. each round of a consensus could also accept "deposit" and "withdraw" transactions, which if accepted and correctly signed would add or remove validators into the next round). N + 1 N The main additional ingredient that would need to be added is a mechanism for deciding who is allowed to propose blocks (eg. each round could have one designated proposer). It could also be modified to be usable as a proof-of-work blockchain, by allowing consensus-participating nodes to "declare themselves" in real time by publishing a proof of work solution on top of their public key at the same time as signing a message with it. However, the synchrony assumption is very strong, and so we would like to be able to work without it in the case where we don't need more than 33% or 50% fault tolerance. There is a way to accomplish this. Suppose that we have some other consensus algorithm (eg. PBFT, Casper FFG, chain-based PoS) whose output be seen by occasionally-online observers (we'll call this the consensus algorithm, as opposed to the algorithm above, which we'll call the consensus algorithm). can threshold-dependent latency-dependent Suppose that the threshold-dependent consensus algorithm runs continuously, in a mode where it is constantly "finalizing" new blocks onto a chain (ie. each finalized value points to some previous finalized value as a "parent"; if there's a sequence of pointers , we'll call a of ). A → . . . → B A descendant B We can retrofit the latency-dependent algorithm onto this structure, giving always-online observers access to a kind of "strong finality" on checkpoints, with fault tolerance ~95% (you can push this arbitrarily close to 100% by adding more validators and requiring the process to take longer). Every time the time reaches some multiple of 4096 seconds, we run the latency-dependent algorithm, choosing 512 random nodes to participate in the algorithm. A valid proposal is any valid chain of values that were finalized by the threshold-dependent algorithm. If a node sees some finalized value before time ( = 8 seconds) with signatures, it accepts the chain into its set of known chains and rebroadcasts it with its own signature added; observers use a threshold of as before. T + k ∙ D D k T + (k - 0.5) ∙ D The "choice" function used at the end is simple: Finalized values that are not descendants of what was already agreed to be a finalized value in the previous round are ignored Finalized values that are invalid are ignored To choose between two valid finalized values, pick the one with the lower hash If 5% of validators are honest, there is only a roughly 1 in 1 trillion chance that none of the 512 randomly selected nodes will be honest, and so as long as the network latency plus clock disparity is less than the above algorithm will work, correctly coordinating nodes on some single finalized value, even if multiple conflicting finalized values are presented because the fault tolerance of the threshold-dependent algorithm is broken. If the fault tolerance of the threshold-dependent consensus algorithm is met (usually 50% or 67% honest), then the threshold-dependent consensus algorithm will either not finalize any new checkpoints, or it will finalize new checkpoints that are compatible with each other (eg. a series of checkpoints where each points to the previous as a parent), so even if network latency exceeds (or even ), and as a result nodes participating in the latency-dependent algorithm disagree on which value they accept, the values they accept are still guaranteed to be part of the same chain and so there is no actual disagreement. Once latency recovers back to normal in some future round, the latency-dependent consensus will get back "in sync". D If the assumptions of both the threshold-dependent and latency-dependent consensus algorithms are broken (or in consecutive rounds), then the algorithm can break down. at the same time For example, suppose in one round, the threshold-dependent consensus finalizes and the latency-dependent consensus disagrees between and , and in the next round the threshold-dependent consensus finalizes a descendant of which is a descendant of ; in the latency-dependent consensus, the nodes who agreed will not accept , but the nodes that agreed will. However, this is unavoidable; the impossibility of safe-under-asynchrony consensus with more than Z → Y → X Y X W X not Y Y W X fault tolerance is a in Byzantine fault tolerance theory, as is the impossibility of more than well known result fault tolerance even allowing synchrony assumptions but assuming offline observers. Originally published as “ A Guide to 99% Fault Tolerant Consensus ” with the WTFPL license Special thanks to Emin Gun Sirer for review
