1 Introduction

1.1 Context and Motivation

Since the concept of blockchain technology was introduced by Nakamoto [18], the problem of Byzantine consensus has attracted more attention, because it represents an important element for this technology. For ordering transactions and guaranteeing the consistency of the ledger stored in the node, the use of Byzantine consensus protocols is inevitable and play an important role in the blockchain technology.

The Byzantine consensus problem [19] is certainly one of the most important problems in fault-tolerant distributed systems. However, in the context of asynchronous systems, it is well-known that there is no deterministic consensus algorithm even if one process may crash [8]. To make this possible, the basic asynchronous Byzantine system model has to be enriched with additional computational power. Synchrony assumptions [5, 7], Common coins [12, 20], randomization [3], and unreliable failure detectors [6] are examples of such additions for solving Consensus despite asynchrony and failures. When considering Byzantine processes, the Consensus validity property is stated as: if all correct processes propose the same value v then only v can be decided. Indeed, a Byzantine process may propose a wrong value and hence the former statement of the validity property allows deciding the value of a Byzantine process even though all correct processes do propose the same value.

1.2 Related Works

In the context of Byzantine consensus where t processes can exhibit an arbitrary behavior, several works [7, 10, 19] have shown that Byzantine consensus cannot be solved when \(t > n/3\). For solving the Byzantine consensus problem, three approaches have been investigated. The first, relies on the addition of synchrony [2, 7, 15], called “Timer-Based”. This assumption considers the partially synchronous system model [6] which is a generalization of the models proposed in Ref. [7]. The second approach consists in adding a property that is based on the pattern of the messages that are exchanged, called “Time-Free” [11]. In this approach, we have the query-response-based winning messages proposed in Ref. [13, 14] and the teta-model proposed in Ref. [22]. The last one is a combination of the two previous approaches [21].

In Ref. [2], Aguilera et al. propose a “Timer-Based” Signature-free Byzantine consensus protocol with weak synchrony properties. Namely, the model assumes at least one correct process with all its outgoing and incoming links are eventually timely (the other links of the system are asynchronous). Such a process is called an eventual bisource (\(\diamond\) bisource). This means that the number of eventually timely links could be as low as \(2(n-1)\) links.

In Ref. [15], Moumen et al. propose a “Timer-Based” Authenticated Byzantine consensus protocol with very few synchronous links. Namely, the model assumes an eventual \(\langle t+1 \rangle\)-bisource (\(\diamond \langle t+1 \rangle\)-bisource) is a correct process where the number of privileged correct neighbors is \(t+1\) (including itself) where t is the maximum number of faulty processes.

In Ref. [11], Moumen and Mostefaoui propose a “Time-Free” authenticated Byzantine consensus protocol with very few winning links. This protocol assumes a weak system model that does not rely on physical time but on the pattern of messages that are exchanged. Namely, this model is based on the query-response mechanism and assumes at least a \(\diamond \langle t+1\rangle\)-winning process (eventual \(\langle t+1\rangle\) winning process). A \(\diamond \langle t+1 \rangle\)-winning is a correct process where the number of correct privileged neighbors is \(t+1\) (including itself), such that, eventually, for each query broadcasted by any of its privileged neighbors, any of its privileged neighbors receives a response from the \(\diamond t+1\)-winning process among the \((n - t)\) first responses to that query. Hence, it is incomparable with the Timer-Based \(\diamond \langle t+1 \rangle\)-bisource assumption.

In Ref. [21], Tioura et al. propose a “Hybrid” authenticated Byzantine consensus protocol. Namely, the model assumes a \(\diamond \langle t+1 \rangle\)-BW (B for Bisource and W for Winning), and a set X of \(t+1\) correct processes \(p_j\) (including itself), such that, eventually, either (i) each time it broadcasts a query, \(p_j\) receives a response from \(p_i\) among the \((n-t)\) first response to that query, or (ii) the link from \(p_i\) to \(p_j\) is timely. Each of the \(t+1\) links, connecting \(p_i\) with processes of X, has to satisfy a property independently of the satisfied properties of the other t links (the \(t+1\) links do not have to satisfy the same assumption).

1.3 Contribution

This paper advances the state of the art by proposing the first time-free deterministic protocol to the Signature-free Byzantine consensus problem. The signature-free Byzantine model needs twice more winning links compared to the authenticated Byzantine model whereas in the case of the timer-based approach we need, also, twice more timely links to tolerate t Byzantine faults compared to the t links needed by the time-free authenticated Byzantine model. This can be explained by the query-response mechanism used by the time-free approach.

The proposed protocol assumes at least a \(\diamond \langle 2t+1\rangle\)-winning. This assumption can be summarized, as follows: there is a correct process \(p_i\), called \(\diamond \langle 2t +1\rangle\)-winning, and a set Xof \((2t + 1)\) correct processes \(p_j\) (including \(p_i\) itself), such that, eventually, each time \(p_j\) broadcasts a query, it receives a response from \(p_i\) among the \((n - t)\) first response to that query.

1.4 Roadmap

This paper is made up of five sections. Section 2 defines the computation model, failure model and the Byzantine consensus problem. Section 3 presents a signature-free Multivalued Byzantine consensus protocol with a \(\diamond \langle 2t +1\rangle\)-winning and Sect. 4 proves its correctness. Section 5 discusses the cost of protocols and makes a conjecture with the intuition that sustains it. Finally, Sect. 6 concludes the paper.

2 Computation Model and the Consensus Problem

2.1 Asynchronous Distributed System with Byzantine Process

We consider a message-passing system consisting of a finite set \(\Pi\) of n \((n > 1)\) processes, namely \(\Pi ~=~\{p_1, \ \ldots , \ p_{n}\}\). We assume that processes are partially synchronous as described in Ref. [7]. Moreover, up to t processes can exhibit a Byzantine behavior, which means that such process can behave in an arbitrary manner. This is the most severe process failure model: a Byzantine process can crash, fail to send or receive messages, send arbitrary messages, start in an arbitrary state, send different values to different processes, perform arbitrary state transitions, etc. A process that exhibits a Byzantine behavior is called faulty. Otherwise, it is correct. We assume that \(t<n/3\) as it has been proved in Ref. [5] that this is necessary to solve consensus even in asynchronous system.

The communication network is reliable in the sense that a message sent by a correct process to another correct process will be received exactly once within a finite time. Messages are not altered by the link and the receiver knows who the sender is. In other words, we are using authenticated asynchronous links. Such a communication network can be built atop of fair lossy links which is the classical communication model used when dealing with Byzantine processes (in fair lossy links, a message can be lost a finite number of times). As advocated in Ref. [9], advanced techniques like [1] or [4] could be adopted here to offer a reliable communication abstraction. They prove that even a simple retransmission until acknowledgment protocol suffices to implement a reliable link between correct processes. Using these techniques, a message that was initially lossy will eventually be received by its receiver if the sender and the receiver are correct. Note that the simulation preserves the timeliness of the messages sent on timely fair-lossy links. Processes communicate and synchronize with each other by sending and receiving messages over a network. The link from process \(p_i\) to process \(p_j\) is denoted \(p_i \rightarrow p_j\). Every pair of processes is connected by two links \(p_i \rightarrow p_j\) and \(p_j \rightarrow p_i\). There is no assumption about the message transfer delays.

2.2 Time-Free Assumption

In this paper, we consider that each process is provided with a query–response mechanism defined as follows:

Query–response mechanism: any process \(p_i\) can broadcast a query() message and then wait for the corresponding response() messages from \((n - t)\) processes. Each of these response() messages is a winning response for that query, and the corresponding sender processes are the winning processes for that query. The other responses received after the \((n - t)\) response() messages are the losing responses for that query and are automatically discarded. A process issues a new query only when the previous one has terminated (the first \((n - t)\) responses have been received). Finally, the response from a process to its own queries is assumed to always arrive among the first \((n - t)\) responses that it is waiting for.

Henceforth, we reuse the definitions of Refs. [13, 14, 16, 17] to formally define a winning link; an x-winning.

Definition 1

(Eventually winning link) Let \(p_i\) and \(p_j\) be two processes. The link \(p_i \rightarrow p_j\) is eventually winning (denoted \(\diamond WL\)) if there is a time \(\tau\) such that the response from \(p_j\) to each query issued by \(p_i\) after \(\tau\) is a winning response (\(\tau\) is finite but unknown).

Definition 2

(x-winning) A process \(p_i\) is an x-winning at time \(\tau\) if \(p_i\) is correct and there exists a set X of correct processes (including \(p_i\) itself) of size x, such that, for any process \(p_j \in X\), the link \(p_i \rightarrow p_j\) is winning. The processes of X are said to be privileged neighbors of \(p_i\).

Definition 3

(\(\diamond x\)-winning) A process \(p_i\) is a \(\diamond x\)-winning if there is a time \(\tau\) such that for all \(\tau ' \ge \tau\), p is an x-winning at \(\tau '\).

2.3 The Consensus Problem

This paper considers multivalued Consensus (no bound on the cardinality of the set of proposable values): every process \(p_i\) proposes a value \(v_i\) and all correct processes have to eventually decide on some value v in relation with the set of proposed values. Let us observe that, in a Byzantine failure context, the consensus definition should not be too strong. For example, it is not possible to force a faulty process to decide the same value as the correct processes, since a Byzantine process can decide whatever it wants. Similarly, it is not reasonable to decide any proposed value since a faulty process can initially propose different values to distinct processes and consequently the notion of “proposed value” may not be defined for Byzantine processes. Thus, in such a context, the consensus problem is defined by the following three properties:

  • Termination: Every correct process eventually decides.

  • Agreement: No two correct processes decide different values.

  • Validity: If all the correct processes propose the same value v, then only the value v can be decided.

Notation


The notation \(\mathcal{{BAMP}}_{n,t}[\emptyset ]\) (BAMP stands for Byzantine Asynchronous Message Passing) is used to denote the previous basic Byzantine asynchronous message-passing computation model. In the following, this model is both restricted with a constraint on t and enriched with additional assumption about synchrony. More precisely, \(\mathcal{{BAMP}}_{n,t}[n>3t]\) denotes the model \(\mathcal{{BAMP}}_{n,t}[\emptyset ]\), where the number of faulty processes is smaller than n/3, and \(\mathcal{{BAMP}}_{n,t}[n>3t,\langle 2t+1\rangle \text {-winning}]\) denotes the model \(\mathcal{{BAMP}}_{n,t}[n>3t]\) enriched with a Time-Free assumption satisfied by a \(\diamond \langle 2t+1\rangle\)-winning.

3 Signature-Free Asynchronous Byzantine Multivalued Consensus with a \(\Diamond 2t+1\)-Winning

This section presents a protocol (Fig. 2) that solves the Multivalued Byzantine Consensus problem in a signature-free system (without message authentication). The proposed protocol assumes a \(\diamond \langle 2t+1\rangle \text {-winning}\) and it uses as primitive Reliable-Broadcast, which is very similar to consistent unique broadcast [2] and consistent broadcast [5].

3.1 A Simple Reliable-Broadcast Algorithm

Figure 1 presents a simple algorithm that implements reliable broadcast in an asynchronous Byzantine system where \(t < n/3\). This algorithm, inspired from Ref. [5], uses three message types (init(), echo() and ready()) and two operations \(\mathsf{R\_broadcast()}\) and \(\mathsf{R\_deliver()}\). When a process \(p_i\) invokes \(\mathsf{R\_broadcast}(v_i)\), it broadcasts the message init\((v_i,i)\). When a process \(p_i\) has delivered a message init(vj) from \(p_j\), echo(vj) message from \(((n+t)/2)\) distinct processes, or ready(vj) message from \(((n-2t)\) distinct processes (Lines 1, 2, 3), it broadcasts echo(vj) (Line 3). When \(p_i\) has delivered a message echo(vj) from \(((n+t)/2)\) distinct processes or ready(vj) from \(((n-2t)\) distinct processes (Line 4), it broadcasts ready(vj) (Line 5). then \(p_i\) waits until it has delivered the same message ready(vj) from \((n-t)\) distinct processes. When this occurs, it \(\mathsf{R\_delivers}\) value (v) as the value R_broadcast by \(p_j\) (Lines 6, 7). Reliable-broadcast ensures the following properties:

  • No-duplicity property: no two correct processes R_deliver different messages from any \(p_j\)

  • Termination property: if the sender is correct, all correct processes eventually R_deliver its message.

  • Uniformity property: if a correct process R_delivers a message from \(p_j\) (possibly faulty), then all correct processes R_deliver a message from \(p_j\).

Fig. 1
figure 1

A simple reliable-broadcast algorithm

Full size image

3.2 Correctness of the Algorithm

Lemma 1

(No-duplicity) No two correct processes R_deliver different messages from any \(p_j\).

Proof

Consider a run where a process \(p_j\) issues R_broadcast(). Let \(p_i\) and \(p_k\) be two correct processes that R_delivers from \(p_k\) values v and \(v'\), respectively. It follows from the algorithm that \(p_i\) has delivered \((n-t)\) messages ready(vj) and \(p_k\) has delivered \((n-t)\) messages ready\((v',j)\)(line 6). As \((n - t)> (n -2t) > t\), it follows that there is at least one correct process that has sent ready(vj) to \(p_i\) and ready\((v',j)\) to \(p_k\) (line 5. As it is correct, this process has sent the same value \(v = v'\) to both \(p_i\) and \(p_k\), which proves the Lemma.

\(\square\)

Lemma 2

(Termination) If the sender is correct, all correct processes eventually R_deliver its message.

Proof

Consider a run where a process \(p_i\) issues R_broadcast\((v_i)\). If \(p_i\) is correct, all correct processes eventually deliver init(vi) message from \(p_i\) at line 2. Consequently, they all broadcast echo(vi). After this, all correct processes eventually deliver echo(vi) message from at least \((n -t)\) distinct processes and they all broadcast ready(vi) message. Hence, any correct process eventually delivers ready(vi) from at least \((n- t)\) distinct processes and R_delivers v.

\(\square\)

Lemma 3

(Uniformity) If a correct process R_delivers a message m from \(p_j\) (possibly faulty), then all correct processes R_deliver the same message m from \(p_j\).

Proof

Let \(p_i\) be a correct process that R_delivers v from \(p_j\). It follows from line 6 that \(p_i\) has delivered ready(vj) message from \((n-t)\) distinct processes. As \(n > 3t\), at least \((n-2t) \ge t + 1\) of them are correct processes, which means that any correct process has delivered ready(vj) message from at least \((n-2t)\) distinct processes. It then follows from line 4 that any correct process has delivered ready(vj) message from at least \((n-2t)\) distinct processes and broadcasts ready(vj) at line 5. Finally, as all correct processes broadcast ready(vj) message, it follows that any correct process delivers ready(vj) message from \((n-t)\) distinct processes and consequently R_delivers v as the value R_broadcasted by \(p_j\).

\(\square\)

Theorem 1

The algorithm of Fig. 1 implements Reliable-Broadcast in asynchronous distributed system prone to Byzantine failures, where \(n\ge 3t+1\).

Proof

The proof follows directly from Lemmas 1, 2 and 3. \(\square\)

3.3 Description of the Proposed Protocol

Figure 2 presents a protocol that solves the Multivalued Byzantine Consensus problem in an asynchronous distributed system. The proposed protocol is a signature-free (does not use authentication) and assumes a \(\diamond \langle 2t+1\rangle \text {-winning}\), it uses Reliable-Broadcast as subroutines and Query-response mechanism.

Each process in the system executes consecutive asynchronous rounds and each round r is coordinated by a predetermined process \(p_c\). Each round is composed of five phases.

First phase of a round r(lines 1–6): This phase aims to certify values carried by messages. Each process \(p_i\) manages a local variable \(est_i\) which contains its current estimate of the decision value. In this phase, a process \(p_i\) uses Reliable-Broadcast operations (R_broadcast() and R_deliver()) to R_brodacst cert\((r_i,est_i)\) message. If \(p_i\) R_delivers cert\((r_i,est)\) message from at least \((n- t)\) distinct processes then it stores values carried by those messages in a set \(rec1_i\). A process \(p_i\) considers a value v to be certified if it R_delivers v from at least \((n-2t)\) distinct processes (at least one is correct). A process \(p_i\) considers also the value \((\bot )\) as certified if there exist a set \(A \subset rec1_i\) with \(|A|\ge (n-t)\) and \(\not \exists v\in A\) such that \(\{\#_v(rec1_i)\ge (n-2t)\}\). This means that \(p_i\) certifies the value \(\bot\) if no value v has appeared at least \((n-2t)\) times in \(rec1_i\). A process \(p_i\) stores the certified values in a set \(valid1(rec1_i)\) and sets its variable \(aux_i\) to any value of \(valid1(rec1_i)\).

Second phase of a round r (lines 7–12): This phase guarantees that at its end, at most one non \(\bot\) value can be kept in the aux variables. In other words, if \(p_i\) and \(p_j\) are correct processes and if \(aux_i \ne \bot\) and \(aux_j \ne \bot\) then necessarily \(aux_i = aux_j\), whatever is the behavior of the Byzantine processes.

In this phase, each process \(p_i\) R_broadcasts filt\((r_i,aux_i)\) message and waits to R_deliver filt\((r_i,aux)\) message, with \((aux \in valid1(rec1_i))\) from at least \((n-t)\) distinct processes. When \(p_i\) R_delivers these messages, the values of which are stored in a set \(rec2_i\). A process \(p_i\) considers v as a valid value, If \(rec2_i\) contains a least \((n-t)\) values for v. If no value v has appeared at least \((n-t)\) times in \(rec2_i\), a process \(p_i\) considers \(\bot\) as a valid value. Process \(p_i\) stores the valid values in a set \(valid2(rec2_i)\). At the end of this phase, \(p_i\) updates its \(aux_i\) variable to any value of \(valid2(rec2_i)\) and sends a message query\((r_i,aux_i)\) to all.

Third phase of a round r (lines 13–22): This phase is the decision phase. In this phase, a process \(p_i\) R_broadcasts dec\((r_i,aux_i)\). When \(p_i\) R_delivers dec\((r_i,aux)\) message with \((aux \in valid2(rec2_i))\) from at least \((n-t)\) then it stores the values carried by these messages in a set \(rec3_i\). If the set \(rec3_i\) contains at least \((n-t)\) values for \(v \ne \bot\) then \(p_i\) decides v and sets its \(est_i\) variable to v. If \(rec3_i\) contains at least one value \(v\ne \bot\) then \(p_i\) changes its estimation to v. Otherwise, the help of the coordinator is needed by \(p_i\). This phase guarantees that the Agreement property will never be violated, because if any correct process decides v during the current round and if some processes do not decide in the same round, then v is the only certified value for the next round. Note that not all processes decide necessarily during the same round.

Forth phase of a round r (lines 23–26): This phase is the coordination phase. This phase has no particular effect if the set \(rec3_i\) of a correct process \(p_i\) contains more than one non \(\bot\) value v. This means that \(p_i\) has decided on v in the previous phase or its set \(rec3_i\) contains at least one value \(v\ne \bot\). Its aim is to help processes that having their sets rec3 containing less than one non \(\bot\) value v to change their estimation to the coordinator value if they receive it. In this phase, The coordinator \(p_c\) waits to R_deliver filt\((r_i,aux)\) messages, that are R_broadcasted by all processes at line 7, with \((aux \in valid1(rec1_i)\) from at least \((n-t)\) distinct processes. When it R_delivers the values carried by these messages, then it stores them in a set \(rec2_i\). After this, based on the Query-response mechanism, each process sends a query\((r_i,aux)\) message to all processes. In a separate task (line 26), each time a process receives a query() message (perhaps from itself) containing an estimate value, it sends a response() message to the sender. If the process that responds to a query message is the coordinator of the round to which is associated the query message, the value it sends in the response() message is the coordination value. If the process that responds is not the coordinator, it responds with any value as the role of such a message is only to define winning links. As we can see in lines 23–26, the value sent by the coordinator is the value contained in the set \(rec2_i\) and that has appeared at least \((t+1)\) times.

The response\((r_i,coord)\) message is sent from another parallel task, because the coordinator of round r could be stuck in previous rounds and if it does not respond quickly, the processes waiting this message may receive the \((n-t)\) first responses before the coordinator response. Moreover, this prevents \(p_i\) from blocking while waiting for the response of a faulty coordinator. If the current coordinator is a \(\diamond \langle 2t+1\rangle\)-winning then it has at least \((2t+1)\) correct processes (including itself) with which is connected by eventually winning links. Consequently, at least \((2t + 1)\) correct processes get the value v of the coordinator, carried by response\((r_i,coord)\) message, and thus set their variable \(coord_i\) to the value of the coordinator coord. The processes that do not receive the coord\((r_i,coord)\) message set their variable \(coord_i\) to \(\bot\).

Fifth phase of a round r (lines 27–29): This phase is the relaying phase. This phase has no particular effect if the coordinator is not a \(\diamond \langle 2t+1\rangle\)-winning or is a Byzantine. Certainly, if the current coordinator is a \(\diamond \langle 2t+1\rangle\)-winning then at least \((2t + 1)\) correct processes set their variable \(coord_i\) to the same value \(v\ne \bot\). During this phase, all processes broadcast relay\((r_i,coord_i)\) message. This means that they relay the value v they got from the coordinator or \(\bot\) if they receive response\((r_i,coord)\) message from \((n-t)\) distinct processes except the coordinator \(p_c\). Each process \(p_i\) delivers relay\((r_i,coord_i)\) message from at least \((n - t)\) distinct processes (the values carried by these messages are stored into a set \(rec4_i\)). If the coordinator is a \(\diamond \langle 2t+1\rangle\)-winning then any correct process will get \((t+1)\) messages (at least one from a correct process) from the set of \((2t+1)\) correct processes that have got the value of the coordinator because \((n-t)+(2t+1) > n\). If the coordinator is not a \(\diamond \langle 2t+1\rangle\)-winning or if it is Byzantine, some processes can receive only \(\bot\) values, others may receive more than one value and some others can receive a unique value.

At the end of this phase, each process \(p_i\) asking for the help of the coordinator sets its variable \(est_i\) to the value \(v\ne \bot\), if v appears at least \(t+1\) times in the set \(rec4_i\).

Fig. 2
figure 2

A signature-free multivalued consensus protocol In \(\mathcal{{BAMP}}_{n,t}[n>3t,\langle 2t+1\rangle \text {-winning}]\)

Full size image

4 Correctness of the Proposed Protocol

Lemma 4

During a round r, if all correct processes start with the same estimate v then they all decide v in the same round r

Proof

Let v be the only proposed value by correct processes at the beginning of the certification phase of a round r. Since all correct processes propose v, v is R_broadcasted at least \((n-t)\) times at line 2. Since processes store at least \((n-t)\) values R_delivred as values R_broadcasted by distinct processes, we can conclude that at line 4 the value v appears at least \((n-2t)\) times in any set \(rec1_i\) of any correct process. Moreover, any value proposed by Byzantine processes will appear at most t times in any set \(rec1_i\) of correct processes. Consequently, the only certified value is v. This means that all correct processes set their variable aux to v. At the second phase, every correct process R_broadcasts v. Since all correct processes R_deliver only the values certified in the certification phases, we can conclude that any set \(rec2_i\) contains only the value v. Consequently, all correct processes set their variable aux, at a line 11, to a same value v. At the third phase, all correct processes R_broadcast v. Since all correct processes R_deliver only the valid values in the second phase and as \(v \in valid2(rec2)\) is the unique valid value for all correct processes, we can conclude then any set rec3 of any correct process contains only the value v. Consequently, all correct processes decide on v in the same round r. which proves the lemma.

\(\square\)

Lemma 5

If two correct processes \(p_i\) and \(p_j\) decide v and \(v'\), respectively, then \(v = v'\).

Proof

The proof is by contradiction. Suppose that \(p_i\) and \(p_j\) decide v and \(v'\), respectively, such that \(v \ne v'\). This means that v appears at least \((n-t)\) times in \(rec3_i\) and \(v'\) also appears at least \((n-t)\) times in \(rec3_j\). By the no-duplicity property of Reliable-Broadcast ( no two correct processes R_deliver different messages from any \(p_k\)), if \(p_i\) R_delivers a dec\((r_i,v)\) message from \(p_k\) then \(p_j\) will R_deliver the same message from \(p_k\). Consequently, if \(p_i\) R_delivers dec\((r_i,v)\) message from \((n-t)\) distinct processes then \(p_j\) will R_deliver the same messages and will never R_deliver dec\((r_i,v')\) from \((n-t)\) distinct processes, such that \(v \ne v'\). This means that \(v=v'\), which is a contradiction. \(\square\)

Lemma 6

If a correct process \(p_i\) decides \(v\ne \bot\) during a round r, then all correct processes start the next round with the same estimate v if they have not decided.

Proof

Let us first note that if any correct process decides on the value \(v\ne \bot\) at the round r then all correct processes, that have not decided, set their estimates to v because each of these processes R_delivers at least one dec\((r_i,aux)\) message carrying the value v. Moreover, In this case correct processes can not change their estimates by the coordinator value at line 21 and start the next round \(r+1\) with the same estimate v.

The proof is by contradiction. Suppose that a correct process \(p_i\) decides v at a round r (line 16) and a correct process \(p_j\) has not decided at this round and sets its own estimate to \(v'\ne v\). This means that the set \(rec3_j\) of \(p_j\) contains only values different from v. By the uniformity property of Reliable-Broadcast, the value v, R_delivred by \(p_i\) at least \((n-t)\) times because it has been decided, appears at least \((n-2t)\) times in the set \(rec3_j\). Moreover, \(p_j\) sets its estimate to v and will never need the help of the coordinator of the round r, which is a contradiction. \(\square\)

Corollary 1

If a correct process \(p_i\) decides a certified value v during a round r, then only v can be decided in the same or in the next round \(r+1\).

Proof

Let us consider that a process \(p_i\) decides a value v in a round r. If a correct process \(p_j\) decides at the same round r then, by Lemma 5 it decides the same value v decided by \(p_i\). If a correct process \(p_j\) does not decide at the same round r then, by Lemma 6 all correct processes start the next round \(r+1\) by the same estimate value v decided by \(p_i\) at round r. If all correct processes start the round \(r+1\) with the same estimate v then, by Lemma 4, they all decide v in the same round \(r+1\).

\(\square\)

Theorem 2

(agreement) No two correct processes decide differently.

Proof

If a correct process decides at line 16, it decides a certified value decided by another process. Let us consider the first round where a process decides at line 16. By Corollary 1, if a process decides a value during a round, then all correct processes decide the same value in the same round or in the next round. \(\square\)

Lemma 7

If a value v is certified at a correct process \(p_i\) (\(v \in valid1(rec1_i)\)) then v will be certified by all correct processes.

Proof

If (\(v \in valid1(rec1_i)\)) then the value v has been R_delivred by \(p_i\) at least \((n-2t)\) times and carried by cert() messages. By the uniformity property of Reliable-Broadcast (if a correct process R_delivers a message from \(p_j\), then all correct processes R_deliver a message from \(p_j\)), the value v appears at least \((n-2t)\) times in each set valid1(rec1) of each correct process. This means that any certified value by a correct process is certified by all correct processes.

\(\square\)

Lemma 8

After the message exchange at lines 7–9, at most one value \(v\ne \bot\) can be into a set valid2[rec2] of any correct process (stored in aux variables at line 11).

Proof

If no process collects only messages carrying values v then the Lemma holds.

Suppose that two correct processes \(p_i\) and \(p_j\) keep, in their variable aux, v and \(v'\) respectively, such that \(v\ne v'\). The proof is by contradiction. By hypothesis, both sets \(rec2_i\) and \(rec2_j\) of \(p_i\) and \(p_j\), respectively, contain v and \(v'\) \((v\ne v')\), respectively, at least \((n-t)\) times. This means that, we have \(\vert rec2_i \vert + \vert rec2_j \vert \ge 2(n-t)\).

Moreover, let f be the actual number of Byzantine processes (\(f \le t\)). Since the \((n-f)\) correct processes send the same filt\((r_i,aux)\) message to both processes and the f Byzantine processes can send different messages to them, we have \(\vert S \vert \le 1 \times (n-f) + 2 \times f = (n + f)\) and hence, \(\vert S \vert \le (n+t)\) as \(f\le t\).

We have \(\vert S \vert \ge 2 \times (n-t)\) and \(\vert S \vert \le (n+t)\). This leads to \((n+t) \ge 2 \times (n-t)\) i.e. \(n\le 3t\), which is a contradiction as we assume \(n>3t\).

\(\square\)

Lemma 9

If no process decides during a round \(r' \le r\), then all correct processes start the round \(r + 1\).

Proof

Suppose that no process has decided a value v during a round \(r' \le r\), where r is the smallest round number in which a correct process \(p_i\) blocks forever. The proof is by contradiction. By assumption, \(p_i\) is blocked at lines 4, 9, 15, 20 or 27.

Let us first examine the case where \(p_i\) blocks at line 4, which is the first statement of round r where a process can block forever. This means that at least \((n-t)\) correct processes eventually execute line 2, because processes are partially synchronous. Consequently, as communication is reliable between correct processes, the messages R_broadcasted by correct processes will eventually be R_delivred (according to the termination property of Reliable-Broadcast) and \(p_i\) that blocks forever at line 4. The cases where \(p_i\) blocks at line 20 is very similar to this first case.

Let us consider the case where \(p_i\) blocks at line 09. This means that \(p_i\) will never R_deliver \((n-t)\) messages carrying values that are certified (R_deliverd at least from \((n-2t)\) distinct processes) in the certification phase. By Lemma 7, if any correct process certifies a value v, then this value will be certified by \(p_i\) (\(v\in valid1(rec1_i)\)). Consequently, as processes are partially synchronous and at least \((n-t)\) correct processes execute line 07, \(p_i\) will R_deliver \((n-t)\) messages carrying values contained in the set \(valid1(rec1_i)\) and \(p_i\) that blocks forever at line 9. Let us consider the case where \(p_i\) blocks at line 15. This means that \(p_i\) will never R_deliver \((n-t)\) messages, such that any value carried by those messages is in the set \(valid2(rec2_i)\). If any message carries any value not contained in \(valid2(rec2_i)\) then it will be rejected by \(p_i\). By Lemma 8, at most one value v is stored in aux variables of all correct processes at line 11 (\(v\in valid2(rec2_i)\)). Consequently, as processes are partially synchronous and at least \((n-t)\) correct processes R_broadcast the value at line 13, \(p_i\) will R_deliver \((n-t)\) messages carrying values contained in the set \(valid2(rec2_i)\) and \(p_i\) that blocks forever at line 15.

Let us now consider the last case where \(p_i\) blocks at line 27. This means that \(p_i\) will never receive neither the response of the coordinator of the round r nor the \((n-t)\) responses from distinct processes. Consequently, at least \((n -t)\) processes eventually execute line 12. Consequently, as communication is reliable between correct processes the messages sent by correct processes will eventually arrive at \(p_i\) that blocks forever at line 27.

It follows that if \(p_i\) does not decide, it will proceed to the next round, which is a contradiction.

\(\square\)

Lemma 10

In a round r, all correct processes fall in cases of line 16 or of line 17, or they all need the help of the coordinator (18).

Proof

Consider a round r and two correct processes \(p_i\) and \(p_j\). We show that if \(p_i\) falls in case of line 16 then \(p_j\) cannot fall in case of line 18 (need the help of the coordinator). We also show that if \(p_i\) falls in case of line 17 then \(p_j\) cannot fall in case of line 18 (need the help of the coordinator).

If \(p_i\) falls in case of line 16, then there exists a value \(v \ne \bot\) such that v appears at least \((n-t)\) times in the set \(rec3_i\) of \(p_i\). Since \(|rec_j| \ge (n-t)\), there are at most t values R_delivred from Byzantine processes. By the No-duplicity property or Reliable-Broadcast, the process \(p_j\) R_delivers the value v from at least \((|rec_j|-t)= (n-2t)\). From this, we can conclude that if \(p_i\) falls in case of line 16, then \(p_j\) falls in the same case or in the case of line 17.

If \(p_i\) falls in case of line 16, then there exists a value \(v \ne \bot\) such that v appears at least once in the set \(rec3_i\) of \(p_i\), such that \(v\in valid2(rec2_i)\) (\(v= aux_i\) at line 11. By Lemma 8, all correct processes store the same value \(v\ne \bot\) or they all store the default \(\bot\) in their aux variables at line 11. Consequently, as \(p_i\) stores v in its variable \(aux_i\) at line 11, no correct processes that have a set rec3 containing only the default value \(\bot\). This means that all correct processes keep the value v in their estimate. From this, we can conclude that if \(p_i\) falls in case of line 17, then \(p_j\) falls in the same case and cannot change its estimate by the value of the coordinator.

\(\square\)

Theorem 3

(termination) If there is a \(\diamond \langle 2t+1\rangle\)-winning in the system, then all correct processes eventually decide.

Proof

Note that if all correct processes receive at least one dec\((r_i,v)\) message at line 15, such that \(v\ne \bot\) and \(v\in valid2(rec2)\), then even the coordinator of the current round is a \(\diamond \langle 2t+1\rangle\)-winning, then no correct process changes its estimation to the coordinator value. In other words, all correct processes change their estimate according to line 17, and they all never need the help of the coordinator of the current round, even if they receive its value.

The proof is by contradiction. Suppose that no process decides. By hypothesis, there is a time \(\tau\) after which there is a process \(p_x\) that is a \(\langle 2t+1\rangle\)-winning. Let \(p_i\) be a correct process and one of the \((2t +1)\) privileged neighbors of \(p_x\) with which it is connected by a winning link. By Lemma 9, as no correct process decides, all correct processes will execute successive rounds without blocking forever.

All correct processes \(p_i\) (and possibly some Byzantine processes) start round r and send a query() message to \(p_x\) (line 12). This query() message contains a value coord which is the estimate of process \(p_i\). When the coordinator \(p_x\) of round r receives the first query() message (line 24) possibly from itself, it sets a local variable \(coord_x\) to the value contained in the set \(rec2_i\) and appeared at least \((t+1)\) times. Then each time process \(p_x\) receives a query() message related to this round (r), it sends a response() message to the sending process. If we consider any correct process \(p_i\) privileged neighbor of \(p_x\), the response() message from the coordinator \(p_x\) to the query() message of \(p_i\) will be received by \(p_i\) among the first \((n -t)\) responses at line 27.

In the worst case, a Byzantine process can either relay the value of \(p_x\) (thus behaving like a correct process), relay another value \(v'\) different from the value of \(p_x\) or relay the default value \(\bot\) (meaning that it has not received the value of the coordinator). This allows to conclude that the value v broadcasted by \(p_x\) is relayed (line 29) by at least the \((2t + 1)\) correct processes (2t privileged neighbors of \(p_x\) and \(p_x\) itself). Since each process collects at line 20 at least \((n - t)\) relay() messages, we can conclude that all processes will get at least \((t+1)\) relay() messages containing the value v of \(p_x\). It is important to notice that any correct process will never set its estimate to \(v'\), because it receives at most t relay() messages carrying \(v'\).

Let us consider the case where any set \(rec3_i\) of a correct process \(p_i\) contains only the default value \(\bot\). In this case, \(p_i\) sets its variable \(est_i\) to the value v of the coordinator \(p_x\). This means that all correct processes that are in the same case of \(p_i\) (this case is not included in the case of line 16 or in the case of line17) set their variable est to v and start the next round with the same estimate. By Lemma 10, all correct processes change their estimate to v and start the next round \(r+1\) with the same value, and by Lemma 4, they will all decide v in the round \(r+1\).

Let us consider the case where any set \(rec3_i\) of a correct process \(p_i\) contains at least one value \(v \ne \bot\). By Lemma 10, all correct processes are in the same case as \(p_i\) (do not need the help of the coordinator) and they all set their estimate to v. Consequently, By Lemma 4, they will all decide v in the round \(r+1\).

From this, we can conclude that all correct processes will decide, which proves the theorem.

\(\square\)

Theorem 4

(validity) If all correct processes propose v, then only v could be decided.

Proof

Let v be the only proposed value by correct processes. By Lemma 4, all correct processes will decide v

\(\square\)

5 Discussion

5.1 On the Efficiency of Protocols

The number of rounds executed by the presented protocols is unbounded but finite. Each round is composed of three all-to-all message exchanges, by using Reliable-Broadcast primitives (R_broadacst() and R_deliver), plus three simple all-to-all message exchange. Each all-to-all message exchange, by using Reliable-Broadcast primitives, needs \(\Omega (n^3)\) messages if the links are reliable (we do not include messages sent by the Byzantine processes as they can send any number of messages).

If we consider a run where the first coordinator is a \(\diamond \langle 2t+1\rangle\)-winning, and no process exhibits a Byzantine behavior, the protocol terminates in 12 communication steps.

Let us now consider winning links and \(f \le t\) processes exhibiting Byzantine behavior. In the worst case, the first f coordinators are Byzantine. This means that the protocol will terminate at the latest after round \(f + 1\). The total number of communication steps is thus \(12(f + 1)\).

5.2 On the Time-Free Assumption

The proposed signature-free Byzantine protocol needs twice more winning links compared to the authenticated Byzantine protocol presented in Ref. [11]. This is justified by the use of certificates and signatures by the protocol proposed in Ref. [11] (public key cryptography such as RSA signatures). Note that, in the case of the signature-free Byzantine model a correct process can verify that the message is correct if and only if it receives \(t+1\) copies for the same message, whereas in the case of the authenticated Byzantine model, it is sufficient if it receives only one certified message.

6 Conclusion

In this paper, we have presented a signature-free protocol for solving Multivalued Consensus in distributed systems prone to Byzantine failures.

The protocol assumes a weak additional assumption on message pattern where at least \(2t+1\) communication links are eventually winning. These links connect the same correct process, called \(\diamond \langle 2t+1\rangle\)-winning. In favorable setting, the proposed protocol can reach decision in only 12 communication steps and needs \(\Omega (n^3)\) messages in each step.

The major contribution of this paper is to show that signature-free Byzantine Consensus is possible with a weak additional assumption on the pattern of messages that are exchanged to satisfy the properties required by a \(\diamond \langle 2t+1\rangle\)-winning. Compared to the authenticated model, the cost of the proposed protocol is relatively lower when we shift from authenticated Byzantine model to signature-free Byzantine model.