In a previous post we introduced strong chain quality (SCQ), which provides a strong form of censorship resistance: honest parties’ transactions are included in proportion to their share of the validator set in every block. This post considers three additional properties needed for efficient on-chain markets: hiding, simultaneous binding (SB), and accountable last look (ALL).
Hiding
Hiding: No information about the contents of honest parties’ inputs is revealed to the adversary before the block is committed.
Hiding can be implemented in different ways depending on what is already available. For general encrypted mempools, batched threshold encryption is the leading approach (see also Boneh et al. 2026 and TrX and the secret sharing based approach in MCP). With censorship resistance and strong chain quality, one can simply use identity-based encryption. For a rigorous formal definition of hiding in the context of consensus, see Definition 11 here. We defer a more complete treatment of hiding at the BFT layer to future posts.
Together, hiding and censorship resistance ensure that honest inputs are included and stay private until commit. But the adversary may still gain a timing advantage: it can observe more recent public information before deciding its own. Simultaneous binding addresses this.
Simultaneous Binding (SB)
Simultaneous Binding (SB): for every block $B$ there is a public binding time $t_B$ such that all parties must fix their inputs for $B$ at time $t_B$. Concretely, a sender $i$ binds to value $x$ once at least one honest party has acknowledged $x$ from $i$ before $t_B$. Since honest parties acknowledge at most one value per sender per block and only before $t_B$, this pins the sender’s input. If two honest parties acknowledge different values from the same sender, then the sender is Byzantine and is bound to $\bot$.
Implementing SB requires synchronized clocks. Moreover, to get strict simultaneous binding one needs to assume all network delays are equal (lockstep).
The natural implementation is a two-round protocol. In round 1, input holders broadcast their signed values. In round 2, honest parties send a signed acknowledgment for the first valid value they receive from each sender no later than the deadline $t_B$. A sender that collects $f+1$ acknowledgments holds a certificate, which is public evidence that at least one honest party has bound it, since at most $f$ parties can be Byzantine. These certificates, along with equivocation evidence, are then carried into inclusion lists and checked as part of the block’s validity rule.
Accountable Last Look (ALL)
Even with simultaneous binding, a malicious party colluding with a malicious proposer can arrange for its own bound transaction to be excluded from the block after the deadline $t_B$. Note that even with hiding, new external market information may arrive after $t_B$, giving the adversary conditions it could not have anticipated at binding time. This is the last look advantage: the adversary can condition the inclusion of its own bound transaction on market conditions observed at finalization, strictly later than the common deadline at which all honest parties were forced to bind. Last look is a well known asymmetry challenge in markets (also see leaderless auctions).
By the inherent bivalence of consensus, some degree of last look is unavoidable: an adversarial proposer always retains the ability to steer which transactions enter the block. We will formally prove this in later posts.
Instead, we make last look accountable. Accountable last look is formalized by two properties:
Slashable Bind-Then-Abort (SBTA): if party $i$ binds to input $x_i$ for block $B$ but $B$ does not include $x_i$, honest parties can produce a publicly verifiable slashing proof against $i$.
Note that the slashing proof is against the sender, not the proposer.
No Honest Slashing (NHS): the adversary cannot produce a valid slashing proof against an honest party.
The implementation builds on the $f+1$ certificates from the Bind phase. Because a certificate carries $f+1$ acknowledgments and at most $f$ parties are Byzantine, it contains at least one honest acknowledgment, which is evidence that the value is bound. If the committed block omits a certified value, that honest acknowledgment together with the block’s commit certificate is a publicly verifiable slashing proof, satisfying SBTA. NHS guarantees the adversary cannot fabricate such a proof against an honest sender; without it, parties would be reluctant to bind at all.
Note: NHS requires synchrony. Under weaker assumptions, an honest sender’s value might be acknowledged by an honest party (creating a binding) yet still fail to reach enough parties in time, leaving the honest sender exposed to a valid slashing proof. Under synchrony, an honest sender’s value is guaranteed to reach all honest parties before the deadline, which forces it into the block and rules out any false slashing.
Putting it all together:
Theorem: For $n \geq 3f+1$ parties under synchrony, any BFT protocol can be augmented to satisfy CR, SCQ, SB, and ALL by adding two extra rounds.
Notes
-
This post focused on what to include in the block, but not on the order of transactions within it. Transaction ordering will be the topic of future posts.
-
Obtaining the same properties under partial synchrony seems impossible. Whether a formal impossibility can be established, and what weaker guarantees are achievable, will also be explored in future posts.
-
We define properties that an ideal efficient market should have and how a real implementation can obtain some of them. Conceptually, we are using the lens of secure multi-party computation (MPC) to model market implementation, highlighting that just low-latency high-throughput state machine replication is not enough. This connection to MPC opens new research opportunities.
Your thoughts on X.