In our previous post, we described a 2-round partially synchronous BFT protocol for $n = 5f+1$. In this follow-up post, we push the bound to $n = 5f-1$, achieving optimal 2-round commit in the Simplex style.
We then extend the result to $n=3f+2p-1$ for $0<p\leq f$ that obtains liveness for $p$ Byzantine. This can be used to obtain a concurrent 2 round and 3 round protocol with the optimal fault tolerance.
Intuition
A party commits a value $x$ after receiving $n-f$ votes for $x$.
We consider what must happen so that all other honest parties eventually commit $x$ (safety), even if the committer experiences network asynchrony.
Let $n = 5f-1$ where $f$ is the maximum number of Byzantine faults.
- $n-f = 4f-1$ votes are needed for commit.
- Among these, at least $n-2f = 3f-1$ are honest votes.
- Any other honest party waiting for $n-f$ votes will see at least $n-3f = 2f-1$ votes for $x$.
-
Two cases:
- (No leader equivocation): If the leader does not equivocate, a commit implies that any other honest party receives at least $2f-1$ votes for $x$ and the rest of the votes are for $\bot$.
- Define Special certificate for $x$ as $2f-1$ votes for $x$ and $2f$ votes for $\bot$.
- DEfine Regular certificate for $x$ as $2f$ votes for $x$.
- (With leader equivocation): If a party detects leader equivocation, it ignores the leader’s vote and waits for one more vote. Then it will see at least $n-3f+1 = 2f$ votes for $x$, which form a regular cert for $x$
- There are at most $2f-1$ non-$x$ votes, so the party favors $x$.
- (No leader equivocation): If the leader does not equivocate, a commit implies that any other honest party receives at least $2f-1$ votes for $x$ and the rest of the votes are for $\bot$.
Define a skip certificate as $2f+1$ votes for $\bot$. A commit in a view implies at least $n-2f$ honest votes for some $x$, so a skip certificate cannot form in the same view.
Two-round Simplex protocol for $n=5f-1$
Let Cert(k, x)
denote a collection of votes for $x \neq \bot$ in view $k$ sufficient to certify $x$:
- $2f$ votes for $x$ (regular cert), or
- $2f-1$ votes for $x$ and $2f$ votes for $\bot$ (special cert).
Let Cert(k, bot)
denote a collection of $2f+1$ votes for $\bot$ in view $k$.
Once we define the certs above (with modified thresholds and the special cert), the protocol is actually unchanged from the previous post.
1. Upon entering view k:
Start local timer T_k
Leader sends (Propose, k, x, Cert(k’, x)) for highest k’
2. Upon receiving (Propose, k, x, Cert(k’, x))
and Cert(l, bot) for all k' < l < k and has not sent Vote
Send (Vote, k, x) to all
3. Upon T_k = 2Δ and has not sent Vote:
Send (Vote, k, bot) to all
4. Upon receiving n-f (Vote, k, x):
Decide x
Forward these votes
Terminate
5. Upon receiving n-f (Vote, k, *), but no Cert(k, x):
Send (Vote, k, bot) to all
6. Upon receiving Cert(k, *):
Forward Cert(k, *)
Enter view k+1
Two-round Simplex protocol for $n=3f+2p-1$ where $0<p\leq f$
Lets extend this protocol to get safety for $f$ and liveness for $0<p\leq f$. So a commit requires $3f+p-1$ votes and this means at least $2f+p+1$ honest votes. So waiting for $n-f$ votes gives at least $f+p-1$ honest votes. If there is an equivocation, a party can again wait for one more vote.
This calls for three obvious generalizations to the protocol:
A. Cert(k, x)
is a collection of votes for $x \neq \bot$ in view $k$ sufficient to certify $x$:
- $f+p$ votes for $x$ (regular cert), or
- $f+p-1$ votes for $x$ and $f+p$ votes for $\bot$ (special cert).
B. Cert(k, bot)
is a collection of $f+p+1$ votes for $\bot$ in view $k$.
C. The commit rule requires $n-p$ votes:
4. Upon receiving n-p (Vote, k, x):
Decide x;
Forward these votes;
Terminate
Finally, to obtain a concurrent 2 round and 3 round protocol with $n=3f+2p-1$, the quorum size for the 3-round path needs to be $n-(f+p-1)=2f+p$ (so that $2(2f+p)-n\geq f+1$).
Proof Sketches
Lemma 1 (Safety): If an honest party commits $x$ in view $k$, all honest will have a cert for $x$.
Proof sketch: A commit requires $n-p = 3f+p-1$ votes for $x$, of which at least $2f+p-1$ are honest. Any other honest party gathering $n-f$ votes will see at least $f+p-1$ votes for $x$.
If equivocation is detected, it waits for $n-f+1 = 3f+p$ votes and sees at least $f+p$ for $x$, which dominates any conflicting votes ($\le f+p-1$).
If no equivocation is detected, it sees just $f+p-1$ votes for $x$ then the remaining $f+p$ votes are for $\bot$, so a special cert is formed, or $f+p$ votes or more arrive then a regular cert is formed.
Lemma 2 (No-commit detection):
If no honest party commits in view $k$, all honest parties eventually see either a Cert(k, x)
or a Cert(k, bot)
.
Proof sketch: If a certificate for some $x$ exists, it is forwarded. If no certificate exists, by the fifth Upon
rule all honest parties eventually vote $\bot$, forming a Cert(k, bot)
.
Lemma 3 (Liveness):
If the leader of some view $k$ is honest and GST has occurred, all honest parties commit in view $\le k$.
Proof sketch: If a commit already occurs in a prior view, the commit certificate is forwarded. Otherwise, all honest parties eventually vote for the honest leader in view $k$, producing $n-f$ votes and committing.
Acknowledgments
We want to thank Yuval and Kartik for insightful discussions.
Your thoughts/comments on X.