A Time-Free Assumption for Solving Signature-Free Asynchronous Multivalued Byzantine Consensus

This paper tackles the asynchronous signature-free Byzantine consensus. One way to circumvent the FLP impossibility result consists in adding a Time-free assumption. This assumption is based on the pattern of messages that are exchanged. In the context of authenticated asynchronous Byzantine systems where at most t processes may exhibit a Byzantine behavior, Moumen and Mostéfaoui provide the main result. They assume at least one correct process pi\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$p_i$$\end{document}, called ⋄⟨t+1⟩-winning\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\diamond \langle t+1\rangle \text {-winning}$$\end{document}, and a set Q of t correct processes such that, eventually, for each query issued by pi\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$p_i$$\end{document}, any process pj\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$p_j$$\end{document} of Q receives a response from pi\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$p_i$$\end{document} among the (n-t)\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(n-t)$$\end{document} first responses to that query. The main contribution of this paper is to show that a deterministic solution for the Signature-free Byzantine consensus problem is possible if the system model satisfies an additional assumption that relies on the pattern of exchanged messages. To solve the Consensus problem, we assume a correct process pi\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$p_i$$\end{document}, called ⋄⟨2t+1⟩-winning\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$\diamond \langle 2t+1\rangle \text {-winning}$$\end{document}, and a set Q of (2t+1)\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(2t+1)$$\end{document} correct processes (including pi\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$p_i$$\end{document} itself) such that, eventually, for each query issued by pi\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$p_i$$\end{document}, any process pj\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$p_j$$\end{document} of Q receives a response from pi\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$p_i$$\end{document} among the (n-t)\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$(n - t)$$\end{document} first responses to that query. The processes of the set Q may change over time. Based on this assumption, a Signature-free Multivalued Byzantine consensus protocol is proposed. Whereas many time-free protocols have been designed for the consensus problem in the crash model and in the Byzantine Authenticated model, this is, to our knowledge, the first time-free deterministic solution to the Signature-free Byzantine consensus Problem.


Context and Motivation
Since the concept of blockchain technology was introduced by Nakamoto [18], the problem of Byzantine consensus has attracted more attention, because it represents an important element for this technology.For ordering transactions and guaranteeing the consistency of the ledger stored in the node, the use of Byzantine consensus protocols is inevitable and play an important role in the blockchain technology.
The Byzantine consensus problem [19] is certainly one of the most important problems in fault-tolerant distributed systems.However, in the context of asynchronous systems, it is well-known that there is no deterministic consensus algorithm even if one process may crash [8].To make this possible, the basic asynchronous Byzantine system model has to be enriched with additional computational power.Synchrony assumptions [5,7], Common coins [12,20], randomization [3], and unreliable failure detectors [6] are examples of such additions for solving Consensus despite asynchrony and failures.When considering Byzantine processes, the Consensus validity property is stated as: if all correct processes propose the same value v then only v can be decided.Indeed, a Byzantine process may propose a wrong value and hence the former statement of the validity property allows deciding Abderafik Nezzar, Hamouma Moumen, and Chafik Arar have contributed equally to this work.
the value of a Byzantine process even though all correct processes do propose the same value.

Related Works
In the context of Byzantine consensus where t processes can exhibit an arbitrary behavior, several works [7,10,19] have shown that Byzantine consensus cannot be solved when t > n∕3 .For solving the Byzantine consensus problem, three approaches have been investigated.The first, relies on the addition of synchrony [2,7,15], called "Timer-Based".This assumption considers the partially synchronous system model [6] which is a generalization of the models proposed in Ref. [7].The second approach consists in adding a property that is based on the pattern of the messages that are exchanged, called "Time-Free" [11].In this approach, we have the query-response-based winning messages proposed in Ref. [13,14] and the teta-model proposed in Ref. [22].The last one is a combination of the two previous approaches [21].
In Ref. [2], Aguilera et al. propose a "Timer-Based" Signature-free Byzantine consensus protocol with weak synchrony properties.Namely, the model assumes at least one correct process with all its outgoing and incoming links are eventually timely (the other links of the system are asynchronous).Such a process is called an eventual bisource ( ⋄ bisource).This means that the number of eventually timely links could be as low as 2(n − 1) links.
In Ref. [15], Moumen et al. propose a "Timer-Based" Authenticated Byzantine consensus protocol with very few synchronous links.Namely, the model assumes an eventual ⟨t + 1⟩-bisource ( ⋄⟨t + 1⟩-bisource) is a correct process where the number of privileged correct neighbors is t + 1 (including itself) where t is the maximum number of faulty processes.
In Ref. [11], Moumen and Mostefaoui propose a "Time-Free" authenticated Byzantine consensus protocol with very few winning links.This protocol assumes a weak system model that does not rely on physical time but on the pattern of messages that are exchanged.Namely, this model is based on the query-response mechanism and assumes at least a ⋄⟨t + 1⟩-winning process (eventual ⟨t + 1⟩ winning process).A ⋄⟨t + 1⟩-winning is a correct process where the number of correct privileged neighbors is t + 1 (including itself), such that, eventually, for each query broadcasted by any of its privileged neighbors, any of its privileged neighbors receives a response from the ⋄t + 1-winning process among the (n − t) first responses to that query.Hence, it is incom- parable with the Timer-Based ⋄⟨t + 1⟩-bisource assumption.
In Ref. [21], Tioura et al. propose a "Hybrid" authenticated Byzantine consensus protocol.Namely, the model assumes a ⋄⟨t + 1⟩-BW (B for Bisource and W for Win- ning), and a set X of t + 1 correct processes p j (including itself), such that, eventually, either (i) each time it broadcasts a query, p j receives a response from p i among the (n − t) first response to that query, or (ii) the link from p i to p j is timely.Each of the t + 1 links, connecting p i with processes of X, has to satisfy a property independently of the satisfied properties of the other t links (the t + 1 links do not have to satisfy the same assumption).

Contribution
This paper advances the state of the art by proposing the first time-free deterministic protocol to the Signature-free Byzantine consensus problem.The signature-free Byzantine model needs twice more winning links compared to the authenticated Byzantine model whereas in the case of the timer-based approach we need, also, twice more timely links to tolerate t Byzantine faults compared to the t links needed by the time-free authenticated Byzantine model.This can be explained by the query-response mechanism used by the time-free approach.
The proposed protocol assumes at least a ⋄⟨2t + 1⟩-winning.This assumption can be summarized, as follows: there is a correct process p i , called ⋄⟨2t + 1⟩-winning, and a set Xof (2t + 1) correct processes p j (including p i itself), such that, eventually, each time p j broadcasts a query, it receives a response from p i among the (n − t) first response to that query.

Roadmap
This paper is made up of five sections.Section 2 defines the computation model, failure model and the Byzantine consensus problem.Section 3 presents a signature-free Multivalued Byzantine consensus protocol with a ⋄⟨2t + 1⟩-winning and Sect. 4 proves its correctness.Section 5 discusses the cost of protocols and makes a conjecture with the intuition that sustains it.Finally, Sect.6 concludes the paper.

Asynchronous Distributed System with Byzantine Process
We consider a message-passing system consisting of a finite set Π of n (n > 1) processes, namely Π = {p 1 , … , p n } .We assume that processes are partially synchronous as described in Ref. [7].Moreover, up to t processes can exhibit a Byzantine behavior, which means that such process can behave in an arbitrary manner.This is the most severe process failure model: a Byzantine process can crash, fail to send or receive messages, send arbitrary messages, start in an arbitrary state, send different values to different processes, perform arbitrary state transitions, etc.A process that exhibits a Byzantine behavior is called faulty.Otherwise, it is correct.We assume that t < n∕3 as it has been proved in Ref. [5] that this is necessary to solve consensus even in asynchronous system.The communication network is reliable in the sense that a message sent by a correct process to another correct process will be received exactly once within a finite time.Messages are not altered by the link and the receiver knows who the sender is.In other words, we are using authenticated asynchronous links.Such a communication network can be built atop of fair lossy links which is the classical communication model used when dealing with Byzantine processes (in fair lossy links, a message can be lost a finite number of times).As advocated in Ref. [9], advanced techniques like [1] or [4] could be adopted here to offer a reliable communication abstraction.They prove that even a simple retransmission until acknowledgment protocol suffices to implement a reliable link between correct processes.Using these techniques, a message that was initially lossy will eventually be received by its receiver if the sender and the receiver are correct.Note that the simulation preserves the timeliness of the messages sent on timely fair-lossy links.Processes communicate and synchronize with each other by sending and receiving messages over a network.The link from process p i to process p j is denoted p i → p j .Every pair of processes is connected by two links p i → p j and p j → p i .There is no assumption about the message transfer delays.

Time-Free Assumption
In this paper, we consider that each process is provided with a query-response mechanism defined as follows: Query-response mechanism: any process p i can broad- cast a query() message and then wait for the corresponding response() messages from (n − t) processes.Each of these response() messages is a winning response for that query, and the corresponding sender processes are the winning processes for that query.The other responses received after the (n − t) response() messages are the losing responses for that query and are automatically discarded.A process issues a new query only when the previous one has terminated (the first (n − t) responses have been received).Finally, the response from a process to its own queries is assumed to always arrive among the first (n − t) responses that it is waiting for.
Henceforth, we reuse the definitions of Refs.[13,14,16,17] to formally define a winning link; an x-winning.Definition 1 (Eventually winning link) Let p i and p j be two processes.The link p i → p j is eventually winning (denoted ⋄WL ) if there is a time such that the response from p j to each query issued by p i after is a winning response ( is finite but unknown).
Definition 2 (x-winning) A process p i is an x-winning at time if p i is correct and there exists a set X of correct processes (including p i itself) of size x, such that, for any process p j ∈ X , the link p i → p j is winning.The processes of X are said to be privileged neighbors of p i .Definition 3 (⋄x-winning) A process p i is a ⋄x-winning if there is a time such that for all ′ ≥ , p is an x-winning at ′ .

The Consensus Problem
This paper considers multivalued Consensus (no bound on the cardinality of the set of proposable values): every process p i proposes a value v i and all correct processes have to eventually decide on some value v in relation with the set of proposed values.Let us observe that, in a Byzantine failure context, the consensus definition should not be too strong.For example, it is not possible to force a faulty process to decide the same value as the correct processes, since a Byzantine process can decide whatever it wants.Similarly, it is not reasonable to decide any proposed value since a faulty process can initially propose different values to distinct processes and consequently the notion of "proposed value" may not be defined for Byzantine processes.Thus, in such a context, the consensus problem is defined by the following three properties: • Termination: Every correct process eventually decides.This section presents a protocol (Fig. 2) that solves the Multivalued Byzantine Consensus problem in a signaturefree system (without message authentication).The proposed protocol assumes a ⋄⟨2t + 1⟩-winning and it uses as primitive Reliable-Broadcast, which is very similar to consistent unique broadcast [2] and consistent broadcast [5].

A Simple Reliable-Broadcast Algorithm
Figure 1 presents a simple algorithm that implements reliable broadcast in an asynchronous Byzantine system where t < n∕3 .This algorithm, inspired from Ref. [5], uses three message types (init(), echo() and ready()) and two operations _ () and _ () .When a process p i invokes _ (v i ) , it broadcasts the mes- sage init(v i , i) .When a process p i has delivered a mes- sage init(v, j) from p j , echo(v, j) message from ((n + t)∕2) distinct processes, or ready(v, j) message from ((n − 2t) distinct processes (Lines 1, 2, 3), it broadcasts echo(v, j) (Line 3).When p i has delivered a message echo(v, j) from ((n + t)∕2) distinct processes or ready(v, j) from ((n − 2t) distinct processes (Line 4), it broadcasts ready(v, j) (Line 5).then p i waits until it has delivered the same message ready(v, j) from (n − t) distinct processes.When this occurs, it _ value (v) as the value R_broadcast by p j (Lines 6, 7).Reliable-broadcast ensures the following properties: • No-duplicity property: no two correct processes R_ deliver different messages from any p j • Termination property: if the sender is correct, all correct processes eventually R_deliver its message.
• Uniformity property: if a correct process R_delivers a message from p j (possibly faulty), then all correct pro- cesses R_deliver a message from p j .

Correctness of the Algorithm
Lemma 1 (No-duplicity) No two correct processes R_deliver different messages from any p j .
Proof Consider a run where a process p j issues R_broad- cast().Let p i and p k be two correct processes that R_deliv- ers from p k values v and v ′ , respectively.It follows from the algorithm that p i has delivered (n − t) messages ready(v, j) and p k has delivered Proof The proof follows directly from Lemmas 1, 2 and 3. ◻
Each process in the system executes consecutive asynchronous rounds and each round r is coordinated by a predetermined process p c .Each round is composed of five phases.
First phase of a round r(lines 1-6): This phase aims to certify values carried by messages.Each process p i manages a local variable est i which contains its current estimate of the decision value.In this phase, a process p i uses Reliable- Broadcast operations (R_broadcast() and R_deliver()) to R_ brodacst cert(r i , est i ) message.If p i R_delivers cert(r i , est) message from at least (n − t) distinct processes then it stores values carried by those messages in a set rec1 i .A process p i considers a value v to be certified if it R_delivers v from at least (n − 2t) distinct processes (at least one is correct).A process p i considers also the value (⊥) as certified if there exist a set A ⊂ rec1 i with |A| ≥ (n − t) and ∄v ∈ A such that {# v (rec1 i ) ≥ (n − 2t)} .This means that p i certifies the value ⊥ if no value v has appeared at least (n − 2t) times in rec1 i .A process p i stores the certified values in a set valid1(rec1 i ) and sets its variable aux i to any value of valid1(rec1 i ).
Second phase of a round r (lines 7-12): This phase guarantees that at its end, at most one non ⊥ value can be kept in the aux variables.In other words, if p i and p j are cor- rect processes and if aux i ≠ ⊥ and aux j ≠ ⊥ then necessar- ily aux i = aux j , whatever is the behavior of the Byzantine processes.
In this phase, each process p i R_broadcasts filt(r i , aux i ) message and waits to R_deliver filt(r i , aux) message, with (aux ∈ valid1(rec1 i )) from at least (n − t) distinct processes.When p i R_delivers these messages, the values of which are stored in a set rec2 i .A process p i considers v as a valid value, If rec2 i contains a least (n − t) values for v.If no value v has appeared at least (n − t) times in rec2 i , a process p i consid- ers ⊥ as a valid value.Process p i stores the valid values in a set valid2(rec2 i ) .At the end of this phase, p i updates its aux i variable to any value of valid2(rec2 i ) and sends a message query(r i , aux i ) to all.
Third phase of a round r (lines 13-22): This phase is the decision phase.In this phase, a process p i R_broadcasts dec(r i , aux i ) .When p i R_delivers dec(r i , aux) message with (aux ∈ valid2(rec2 i )) from at least (n − t) then it stores the values carried by these messages in a set rec3 i .If the set rec3 i contains at least (n − t) values for v ≠ ⊥ then p i decides v and sets its est i variable to v. If rec3 i contains at least one value v ≠ ⊥ then p i changes its estimation to v. Otherwise, the help of the coordinator is needed by p i .This phase guarantees that the Agreement property will never be violated, because if any correct process decides v during the current round and if some processes do not decide in the same round, then v is the only certified value for the next round.Note that not all processes decide necessarily during the same round.
Forth phase of a round r (lines 23-26): This phase is the coordination phase.This phase has no particular effect if the set rec3 i of a correct process p i contains more than one non ⊥ value v.This means that p i has decided on v in the previous phase or its set rec3 i contains at least one value v ≠ ⊥ .Its aim is to help processes that having their sets rec3 containing less than one non ⊥ value v to change their estimation to the coordinator value if they receive it.In this phase, The coordinator p c waits to R_deliver filt(r i , aux) messages, that are R_broadcasted by all processes at line 7, with (aux ∈ valid1(rec1 i ) from at least (n − t) distinct processes.When it R_delivers the values carried by these messages, then it stores them in a set rec2 i .After this, based on the Query-response mechanism, each process sends a query(r i , aux) message to all processes.In a separate task (line 26), each time a process receives a query() message (perhaps from itself) containing an estimate value, it sends a response() message to the sender.If the process that responds to a query message is the coordinator of the round to which is associated the query message, the value it sends in the response() message is the coordination value.If the process that responds is not the coordinator, it responds with any value as the role of such a message is only to define winning links.As we can see in lines 23-26, the value sent by the coordinator is the value contained in the set rec2 i and that has appeared at least (t + 1) times.
The response(r i , coord) message is sent from another parallel task, because the coordinator of round r could be stuck in previous rounds and if it does not respond quickly, the processes waiting this message may receive the (n − t) first responses before the coordinator response.Moreover, this prevents p i from blocking while waiting for the response of a faulty coordinator.If the current coordinator is a ⋄⟨2t + 1⟩-winning then it has at least (2t + 1) cor- rect processes (including itself) with which is connected by eventually winning links.Consequently, at least (2t + 1) correct processes get the value v of the coordinator, carried by response(r i , coord) message, and thus set their variable coord i to the value of the coordinator coord.The processes that do not receive the coord(r i , coord) message set their variable coord i to ⊥.
Fifth phase of a round r (lines 27-29): This phase is the relaying phase.This phase has no particular effect if the coordinator is not a ⋄⟨2t + 1⟩-winning or is a Byzantine.Certainly, if the current coordinator is a ⋄⟨2t + 1⟩-winning then at least (2t + 1) correct processes set their variable coord i to the same value v ≠ ⊥ .During this phase, all pro- cesses broadcast relay(r i , coord i ) message.This means that they relay the value v they got from the coordinator or ⊥ if they receive response(r i , coord) message from (n − t) distinct processes except the coordinator p c .Each process p i deliv- ers relay(r i , coord i ) message from at least (n − t) distinct processes (the values carried by these messages are stored into a set rec4 i ).If the coordinator is a ⋄⟨2t + 1⟩-winning then any correct process will get (t + 1) messages (at least one from a correct process) from the set of (2t + 1) correct processes that have got the value of the coordinator because (n − t) + (2t + 1) > n .If the coordinator is not a ⋄⟨2t + 1⟩ -winning or if it is Byzantine, some processes can receive only ⊥ values, others may receive more than one value and some others can receive a unique value.
At the end of this phase, each process p i asking for the help of the coordinator sets its variable est i to the value v ≠ ⊥ , if v appears at least t + 1 times in the set rec4 i .

Lemma 4 During a round r, if all correct processes start with the same estimate v then they all decide v in the same round r
Proof Let v be the only proposed value by correct processes at the beginning of the certification phase of a round r.Since all correct processes propose v, v is R_broadcasted at least (n − t) times at line 2. Since processes store at least (n − t) values R_delivred as values R_broadcasted by distinct processes, we can conclude that at line 4 the value v appears at least (n − 2t) times in any set rec1 i of any correct process.Moreover, any value proposed by Byzantine processes will appear at most t times in any set rec1 i of correct processes.Consequently, the only certified value is v.This means that all correct processes set their variable aux to v.At the second phase, every correct process R_broadcasts v. Since all correct processes R_deliver only the values certified in the certification phases, we can conclude that any set rec2 i con- tains only the value v. Consequently, all correct processes set their variable aux, at a line 11, to a same value v.At the third phase, all correct processes v. Since all correct processes R_deliver only the valid values in the second phase and as v ∈ valid2(rec2) is the unique valid value for all correct processes, we can conclude then any set rec3 of any correct process contains only the value v. Consequently, all correct processes decide on v in the same round r. which proves the lemma.◻

Lemma 5 If two correct processes p i and p j decide v and v
Proof The proof is by contradiction.Suppose that p i and p j decide v and v ′ , respectively, such that v ≠ v ′ .This means that v appears at least (n − t) times in rec3 i and v ′ also appears at least (n − t) times in rec3 j .By the no-duplicity property of Reliable-Broadcast ( no two correct processes R_deliver different messages from any p k ), if p i R_delivers a dec(r i , v) message from p k then p j will R_deliver the same message from p k .Consequently, if p i R_delivers dec(r i , v) message from (n − t) distinct processes then p j will R_deliver the same messages and will never R_deliver dec(r i , v � ) from (n − t) distinct processes, such that v ≠ v ′ .This means that v = v � , which is a contradiction.◻ Lemma 6 If a correct process p i decides v ≠ ⊥ during a round r, then all correct processes start the next round with the same estimate v if they have not decided.
Proof Let us first note that if any correct process decides on the value v ≠ ⊥ at the round r then all correct processes, that have not decided, set their estimates to v because each of these processes R_delivers at least one dec(r i , aux) mes- sage carrying the value v.Moreover, In this case correct processes can not change their estimates by the coordinator value at line 21 and start the next round r + 1 with the same estimate v.
The proof is by contradiction.Suppose that a correct process p i decides v at a round r (line 16) and a correct process p j has not decided at this round and sets its own estimate to v ′ ≠ v .This means that the set rec3 j of p j contains only val- ues different from v. By the uniformity property of Reliable-Broadcast, the value v, R_delivred by p i at least (n − t) times because it has been decided, appears at least (n − 2t) times in the set rec3 j .Moreover, p j sets its estimate to v and will never need the help of the coordinator of the round r, which is a contradiction.◻ Corollary 1 If a correct process p i decides a certified value v during a round r, then only v can be decided in the same or in the next round r + 1.
Proof Let us consider that a process p i decides a value v in a round r.If a correct process p j decides at the same round r then, by Lemma 5 it decides the same value v decided by p i .If a correct process p j does not decide at the same round r then, by Lemma 6 all correct processes start the next round r + 1 by the same estimate value v decided by p i at round r.If all correct processes start the round r + 1 with the same estimate v then, by Lemma 4, they all decide v in the same round r + 1. ◻ Theorem 2 (agreement) No two correct processes decide differently.
Proof If a correct process decides at line 16, it decides a certified value decided by another process.Let us consider the first round where a process decides at line 16.By Corollary 1, if a process decides a value during a round, then all correct processes decide the same value in the same round or in the next round.◻ Lemma 7 If a value v is certified at a correct process p i ( v ∈ valid1(rec1 i ) ) then v will be certified by all correct processes.
Proof If ( v ∈ valid1(rec1 i ) ) then the value v has been R_ delivred by p i at least (n − 2t) times and carried by cert() messages.By the uniformity property of Reliable-Broadcast (if a correct process R_delivers a message from p j , then all correct processes R_deliver a message from p j ), the value v appears at least (n − 2t) times in each set valid1(rec1) of each correct process.This means that any certified value by a correct process is certified by all correct processes.◻ Lemma 8 After the message exchange at lines 7-9, at most one value v ≠ ⊥ can be into a set valid2[rec2] of any correct process (stored in aux variables at line 11).
Proof If no process collects only messages carrying values v then the Lemma holds.Suppose that two correct processes p i and p j keep, in their variable aux, v and v ′ respectively, such that v ≠ v ′ .The proof is by contradiction.By hypothesis, both sets rec2 i and rec2 j of p i and p j , respectively, contain v and v ′ (v ≠ v � ) , respectively, at least (n − t) times.This means that, we have Moreover, let f be the actual number of Byzantine processes ( f ≤ t ).Since the (n − f ) correct processes send the same filt(r i , aux) message to both processes and the f Byzan- tine processes can send different messages to them, we have We have |S| ≥ 2 × (n − t) and |S| ≤ (n + t) .This leads to (n + t) ≥ 2 × (n − t) i.e. n ≤ 3t , which is a contradiction as we assume n > 3t.
◻ Lemma 9 If no process decides during a round r ′ ≤ r , then all correct processes start the round r + 1.
Proof Suppose that no process has decided a value v during a round r ′ ≤ r , where r is the smallest round number in which a correct process p i blocks forever.The proof is by contradiction.By assumption, p i is blocked at lines 4, 9, 15, 20 or 27.Let us first examine the case where p i blocks at line 4, which is the first statement of round r where a process can block forever.This means that at least (n − t) correct processes eventually execute line 2, because processes are partially synchronous.Consequently, as communication is reliable between correct processes, the messages R_broadcasted by correct processes will eventually be R_delivred (according to the termination property of Reliable-Broadcast) and p i that blocks forever at line 4.The cases where p i blocks at line 20 is very similar to this first case.
Let us consider the case where p i blocks at line 09.This means that p i will never R_deliver (n − t) messages carrying values that are certified (R_deliverd at least from (n − 2t) distinct processes) in the certification phase.By Lemma 7, if any correct process certifies a value v, then this value will be certified by p i ( v ∈ valid1(rec1 i ) ).Consequently, as pro- cesses are partially synchronous and at least (n − t) correct processes execute line 07, p i will R_deliver (n − t) messages carrying values contained in the set valid1(rec1 i ) and p i that blocks forever at line 9. Let us consider the case where p i blocks at line 15.This means that p i will never R_deliver (n − t) messages, such that any value carried by those mes- sages is in the set valid2(rec2 i ) .If any message carries any value not contained in valid2(rec2 i ) then it will be rejected by p i .By Lemma 8, at most one value v is stored in aux vari- ables of all correct processes at line 11 ( v ∈ valid2(rec2 i ) ).Consequently, as processes are partially synchronous and at least (n − t) correct processes R_broadcast the value at line 13, p i will R_deliver (n − t) messages carrying values contained in the set valid2(rec2 i ) and p i that blocks forever at line 15.
Let us now consider the last case where p i blocks at line 27.This means that p i will never receive neither the response of the coordinator of the round r nor the (n − t) responses from distinct processes.Consequently, at least (n − t) pro- cesses eventually execute line 12.Consequently, as communication is reliable between correct processes the messages sent by correct processes will eventually arrive at p i that blocks forever at line 27.
It follows that if p i does not decide, it will proceed to the next round, which is a contradiction.◻ Lemma 10 In a round r, all correct processes fall in cases of line 16 or of line 17, or they all need the help of the coordinator (18).
Proof Consider a round r and two correct processes p i and p j .We show that if p i falls in case of line 16 then p j cannot fall in case of line 18 (need the help of the coordinator).We also show that if p i falls in case of line 17 then p j cannot fall in case of line 18 (need the help of the coordinator).
If p i falls in case of line 16, then there exists a value v ≠ ⊥ such that v appears at least (n − t) times in the set rec3 i of p i .Since |rec j | ≥ (n − t) , there are at most t values R_delivred from Byzantine processes.By the No-duplicity property or Reliable-Broadcast, the process p j R_delivers the value v from at least (|rec j | − t) = (n − 2t) .From this, we can conclude that if p i falls in case of line 16, then p j falls in the same case or in the case of line 17.
If p i falls in case of line 16, then there exists a value v ≠ ⊥ such that v appears at least once in the set rec3 i of p i , such that v ∈ valid2(rec2 i ) ( v = aux i at line 11.By Lemma 8, all correct processes store the same value v ≠ ⊥ or they all store the default ⊥ in their aux variables at line 11.Consequently, as p i stores v in its variable aux i at line 11, no correct pro- cesses that have a set rec3 containing only the default value ⊥ .This means that all correct processes keep the value v in their estimate.From this, we can conclude that if p i falls in case of line 17, then p j falls in the same case and cannot change its estimate by the value of the coordinator.◻ Theorem 3 (termination) If there is a ⋄⟨2t + 1⟩-winning in the system, then all correct processes eventually decide.
Proof Note that if all correct processes receive at least one dec(r i , v) message at line 15, such that v ≠ ⊥ and v ∈ valid2(rec2) , then even the coordinator of the cur- rent round is a ⋄⟨2t + 1⟩-winning, then no correct process changes its estimation to the coordinator value.In other words, all correct processes change their estimate according to line 17, and they all never need the help of the coordinator of the current round, even if they receive its value.The proof is by contradiction.Suppose that no process decides.By hypothesis, there is a time after which there is a process p that is a ⟨2t + 1⟩-winning.Let p i be a correct process and one of the (2t + 1) privileged neighbors of p x with which it is connected by a winning link.By Lemma 9, as no correct process decides, all correct processes will execute successive rounds without blocking forever.
All correct processes p i (and possibly some Byzantine processes) start round r and send a query() message to p x (line 12).This query() message contains a value coord which is the estimate of process p i .When the coordinator p x of round r receives the first query() message (line 24) possibly from itself, it sets a local variable coord x to the value contained in the set rec2 i and appeared at least (t + 1) times.Then each time process p x receives a query() mes- sage related to this round (r), it sends a response() message to the sending process.If we consider any correct process p i privileged neighbor of p x , the response() message from the coordinator p x to the query() message of p i will be received by p i among the first (n − t) responses at line 27.
In the worst case, a Byzantine process can either relay the value of p x (thus behaving like a correct process), relay another value v ′ different from the value of p x or relay the default value ⊥ (meaning that it has not received the value of the coordinator).This allows to conclude that the value v broadcasted by p x is relayed (line 29) by at least the (2t + 1) correct processes (2t privileged neighbors of p x and p x itself).Since each process collects at line 20 at least (n − t) relay() messages, we can conclude that all processes will get at least (t + 1) relay() messages containing the value v of p x .It is important to notice that any correct process will never set its estimate to v ′ , because it receives at most t relay() messages carrying v ′ .
Let us consider the case where any set rec3 i of a correct process p i contains only the default value ⊥ .In this case, p i sets its variable est i to the value v of the coordinator p x .This means that all correct processes that are in the same case of p i (this case is not included in the case of line 16 or in the case of line17) set their variable est to v and start the next round with the same estimate.By Lemma 10, all correct processes change their estimate to v and start the next round r + 1 with the same value, and by Lemma 4, they will all decide v in the round r + 1.
Let us consider the case where any set rec3 i of a correct process p i contains at least one value v ≠ ⊥ .By Lemma 10, all correct processes are in the same case as p i (do not need the help of the coordinator) and they all set their estimate to v. Consequently, By Lemma 4, they will all decide v in the round r + 1.
From this, we can conclude that all correct processes will decide, which proves the theorem.◻ Theorem 4 (validity) If all correct processes propose v, then only v could be decided.
Proof Let v be the only proposed value by correct processes.By Lemma 4, all correct processes will decide v ◻

On the Efficiency of Protocols
The number of rounds executed by the presented protocols is unbounded but finite.Each round is composed of three all-to-all message exchanges, by using Reliable-Broadcast primitives (R_broadacst() and R_deliver), plus three simple all-to-all message exchange.Each all-to-all message exchange, by using Reliable-Broadcast primitives, needs Ω(n 3 ) messages if the links are reliable (we do not include messages sent by the Byzantine processes as they can send any number of messages).
If we consider a run where the first coordinator is a ⋄⟨2t + 1⟩-winning, and no process exhibits a Byzantine behavior, the protocol terminates in 12 communication steps.
Let us now consider winning links and f ≤ t processes exhibiting Byzantine behavior.In the worst case, the first f coordinators are Byzantine.This means that the protocol will terminate at the latest after round f + 1 .The total num- ber of communication steps is thus 12(f + 1).

On the Time-Free Assumption
The proposed signature-free Byzantine protocol needs twice more winning links compared to the authenticated Byzantine protocol presented in Ref. [11].This is justified by the use of certificates and signatures by the protocol proposed in Ref. [11] (public key cryptography such as RSA signatures).Note that, in the case of the signature-free Byzantine model a correct process can verify that the message is correct if and only if it receives t + 1 copies for the same message, whereas in the case of the authenticated Byzantine model, it is sufficient if it receives only one certified message.

Conclusion
In this paper, we have presented a signature-free protocol for solving Multivalued Consensus in distributed systems prone to Byzantine failures.
The protocol assumes a weak additional assumption on message pattern where at least 2t + communication links are eventually winning.These links connect the same correct process, called ⋄⟨2t + 1⟩-winning.In favorable setting, the proposed protocol can reach decision in only 12 communication steps and needs Ω(n 3 ) messages in each step.
The major contribution of this paper is to show that signature-free Byzantine Consensus is possible with a weak additional assumption on the pattern of messages that are exchanged to satisfy the properties required by a ⋄⟨2t + 1⟩ -winning.Compared to the authenticated model, the cost of the proposed protocol is relatively lower when we shift from authenticated Byzantine model to signature-free Byzantine model.

Fig. 2 A
Fig. 2 A signature-free multivalued consensus protocol In BAMP n,t [n > 3t, ⟨2t + 1⟩-winning] it follows that there is at least one correct process that has sent ready(v, j) to p i and ready(v � , j) to p (7)line 5.As it is correct, this process has sent the same value v = v � to both p i and p k , which proves the Lemma.◻Lemma 2 (Termination) If the sender is correct, all correct processes eventually R_deliver its message.Proof Consider a run where a process p i issues R_broad- cast(v i ) .If p i is correct, all correct processes eventually deliver init(v, i) message from p i at line 2. Consequently, they all broadcast echo(v, i).After this, all correct processes eventually deliver echo(v, i) message from at least (n − t) distinct processes and they all broadcast ready(v, i) message.Hence, any correct process eventually delivers ready(v, i) from at least (n − t) distinct processes and R_delivers v. ◻ Lemma 3 (Uniformity) If a correct process R_delivers a message m from p j (possibly faulty), then all correct pro- cesses R_deliver the same message m from p j .waituntilecho(v,j)deliveredfrom((n+t)/2) different processes or ready(v, j) delivered from ((n − 2t) different processes ;(5)broadcast ready(v, j);(6)wait until ready(v, j) delivered from ((n − t) different processes ;(7)R deliver(v) at p i as the value R broadcast by p j Proof Let p i be a correct process that R_delivers v from p j .It follows from line 6 that p i has delivered ready(v, j) message from (n − t) distinct processes.As n > 3t , at least (n − 2t) ≥ t + 1 of them are correct processes, which means that any correct process has delivered ready(v, j) message from at least (n − 2t) distinct processes.It then j) message from (n − t) distinct processes and consequently R_delivers v as the value R_broadcasted by p j .◻Theorem 1 The algorithm of Fig.1implements Reliable-Broadcast in asynchronous distributed system prone to Byzantine failures, where n ≥ 3t + 1.