consensus/pdf/disc.tex


\documentclass[a4paper,UKenglish,cleveref, autoref, thm-restate, anonymous]{lipics-v2019}
%This is a template for producing LIPIcs articles.
%See lipics-manual.pdf for further information.
%for A4 paper format use option "a4paper", for US-letter use option "letterpaper"
%for british hyphenation rules use option "UKenglish", for american hyphenation rules use option "USenglish"
%for section-numbered lemmas etc., use "numberwithinsect"
%for enabling cleveref support, use "cleveref"
%for enabling autoref support, use "autoref"
%for anonymousing the authors (e.g. for double-blind review), add "anonymous"
%for enabling thm-restate support, use "thm-restate"

%\graphicspath{{./graphics/}}%helpful if your graphic files are in another directory
\bibliographystyle{plainurl}% the mandatory bibstyle

\title{Byzantine Finality Gadgets}

\titlerunning{Byzantine Finality Gadgets} %TODO optional, please use if title is longer than one line

\author{John Q. Public}{Dummy University Computing Laboratory, [optional: Address], Country \and My second affiliation, Country \and \url{http://www.myhomepage.edu} }{johnqpublic@dummyuni.org}{https://orcid.org/0000-0002-1825-0097}{(Optional) author-specific funding acknowledgements}%TODO mandatory, please use full name; only 1 author per \author macro; first two parameters are mandatory, other parameters can be empty. Please provide at least the name of the affiliation and the country. The full address is optional

\author{Joan R. Public\footnote{Optional footnote, e.g. to mark corresponding author}}{Department of Informatics, Dummy College, [optional: Address], Country}{joanrpublic@dummycollege.org}{[orcid]}{[funding]}

\authorrunning{J.\,Q. Public and J.\,R. Public} %TODO mandatory. First: Use abbreviated first/middle names. Second (only in severe cases): Use first author plus 'et al.'

\Copyright{John Q. Public and Joan R. Public} %TODO mandatory, please use full first names. LIPIcs license is "CC-BY";  http://creativecommons.org/licenses/by/3.0/

\begin{CCSXML}
<ccs2012>
<concept>
<concept_id>10003752.10003809.10010172</concept_id>
<concept_desc>Theory of computation~Distributed algorithms</concept_desc>
<concept_significance>500</concept_significance>
</concept>
<concept>
<concept_id>10002978</concept_id>
<concept_desc>Security and privacy</concept_desc>
<concept_significance>500</concept_significance>
</concept>
</ccs2012>
\end{CCSXML}

\ccsdesc[500]{Theory of computation~Distributed algorithms}
\ccsdesc[500]{Security and privacy}
\keywords{Blockchain, distributed consensus, finality gadget, network asynchrony} %TODO mandatory; please add comma-separated list of keywords

\category{} %optional, e.g. invited paper

\relatedversion{} %optional, e.g. full version hosted on arXiv, HAL, or other repository/website
%\relatedversion{A full version of the paper is available at \url{...}.}

\supplement{}%optional, e.g. related research data, source code, ... hosted on a repository like zenodo, figshare, GitHub, ...

%\funding{(Optional) general funding statement \dots}%optional, to capture a funding statement, which applies to all authors. Please enter author specific funding statements as fifth argument of the \author macro.


\def\GST{\mathrm{GST}}

\long\def\com#1{}

\long\def\xxx#1{{\color{red} {\bf XXX }{\small [#1]}}}

%\nolinenumbers %uncomment to disable line numbering

%\hideLIPIcs  %uncomment to remove references to LIPIcs series (logo, DOI, ...), e.g. when preparing a pre-final version to be uploaded to arXiv or another public repository

%Editor-only macros:: begin (do not touch as author)%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\EventEditors{John Q. Open and Joan R. Access}
\EventNoEds{2}
\EventLongTitle{3 International Symposium on Distributed Computing}
\EventShortTitle{DISC 2020}
\EventAcronym{DISC}
\EventYear{2020}
\EventDate{October 12--16, 2020}
\EventLocation{Freiburg, Germany}
\EventLogo{}
\SeriesVolume{42}
\ArticleNo{23}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\begin{document}

\maketitle

%TODO mandatory: add short abstract of the document
\begin{abstract}
Classic Byzantine fault-tolerant consensus protocols forfeit liveness in the face of asynchrony in order to preserve safety, whereas most deployed blockchain protocols forfeit safety in order to remain live.
In this work, we achieve the best of both worlds by proposing a novel abstractions called the \emph{finality gadget}.
A finality gadget allows for transactions to always optimistically commit but informs the clients that these transactions might be unsafe. As a result, a blockchain can execute transactions optimistically and only commit them after they have been sufficiently and provably audited.
In this work, we formally model the finality gadget abstraction, prove that it is impossible to solve it deterministically in full asynchrony (even though it is stronger than consensus) and provide a partially synchronous protocol which is currently securing a major blockchain. This way we show that the protocol designer can decouple safety and liveness in order to speed up recovery from failures. We believe that there can be other types of finality gadgets that provide weaker safety (e.g., probabilistic) in order to gain more efficiency and this can depend on the probability that the network is not in synchrony.
\end{abstract}
\section{Introduction}


Bitcoin~\cite{nakamoto08bitcoin} and its descendants~\cite{wood14ethereum,sasson2014zerocash} are cryptocurrencies that provide
secure automated value exchange without the need for a central managing authority.
In order to achieve this, they build on peer-to-peer networks where special nodes (usually called miners)
collect transactions from users and run a consensus protocol in order to maintain a distributed public ledger
known as the \textit{blockchain}.
One of the challenges of the consensus protocols run by these systems is that they only have the property of eventual consensus - that an ever-growing prefix of the chain will be agreed upon by all participants forever onward. But this eventual consensus process generally takes tens of minutes and only gives probabilistic guarantees - if we see a few blocks building on a given chain, we can estimate the probability that it is final.
Unfortunately, these guarantees only hold if the underlying network is well-connected and the client able to find an uncensored source of information, two assumptions that
do not hold in adversarial environments~\cite{apostolaki16hijacking, gervais15tampering, heilman15eclipse,pass16analysis}.
A second challenge is that of consistently verifying transactions that might be optimistically appended on-chain (e.g., optimistic rollups~\cite{al19lazyledger}). Currently, only valid transactions are appended on-chain, making the expectation of rolling back the chain almost equivalent to an attack.

The underlying problem of these challenges is that first-generation blockchain protocols~\cite{nakamoto08bitcoin,garay15bitcoin} do not consider finality (i.e., when will a block never be reverted) as a first-class property, prioritizing liveness instead.
On the opposite side of the spectrum, new generation protocols~\cite{kokoris16enhancing,decker16bitcoin,pass16hybrid} (which actually build on the old quorum-based ideas) propose the complete opposite, to forfeit liveness when finality is not readily achievable.
To deploy these novel protocols we need to change the existing infrastructure and have multiple additional shortcomings.
First, these ``safety-first'' consensus protocols are exclusive. The protocol needs to put a limit on the number of participating miners in order to achieve good performance, which might lead to centralization.
Second, tying consensus with liveness of the chain means that there is no optimism, and blocks are committed only when all verification information are available. As a result, they lose the ability to make some (unsafe) progress when the network is unstable, which can (a) help speed up the recovery process when the network heals and (b) provide a broadcast channel to the parties in order to post optimistic proposals that can later be verified by all parties (since the blockchain provides a single-view) and ultimately committed.

In this work, we show that the middle ground also merits exploration. We introduce the idea of lazy finality which is encapsulated in the abstraction of a \emph{finality gadget.}
Separating the liveness of the consensus protocol from the finality of the blocks can have four concrete benefits for the overlying blockchain protocol. First, not every node that is competing to mine a block needs to be part of the finality gadget, hence we can get the \textit{best of both worlds} (i.e., full inclusive decentralization and scalable fast finality). Second, we can reorganize the chain for blocks that have not yet been finalized, which allows for probabilistic protocols such as optimistic rollups~\cite{al19lazyledger}. Third, a finality gadget can be deployed gradually and light clients can choose to consult it or follow the longest chain rule and ignore it, enabling light client heterogeneity.
The light clients that trust the gadget do not need to have the full chain or actively listen to the network.
This can, in turn, enable scalability~\cite{avarikioti19divide} in an ecosystem of multiple chains (weather sharding~\cite{kokoris17omniledger,al18chainspace,androulaki18channels} or heterogeneous~\cite{zamyatin19sok}), where no single party receives or stores all the data in the system.
Finally, the finality gadget protocol is simpler than consensus protocols since they do not require a complex and costly view change phase, thanks to the use of  an underlying blockchain that provides unsafe liveness and a consistent view when a leader blocks.


More specifically, this work introduces the abstraction of a \emph{finality gadget} that runs along with any block production mechanism (e.g., Nakamoto consensus) and
provides provable finality guarantees instead of probabilistic.
To this end, we formalize the finality gadget problem and show that it is impossible to satisfy its properties with a deterministic asynchronous protocol.
To circumvent this impossibility result, we introduce the GRANDPA finality gadget that works in a partially synchronous network model, in the presence of up to $1/3$ Byzantine actors.
The combination of GRANDPA with a classic block production mechanism like GHOST~\cite{lewenberg15inclusive} results in the existing deployment of the Polkadot network\footnote{https://polkadot.network/} which provides fast finality under good network conditions and protects the clients without compromising the liveness when under attack. The implementation of GRANDPA will be made available on github.
\com{

In summary, we make the following contributions:
\begin{itemize}

\item Introduce the idea of lazy finality and instantiate it through a finality gadget abstraction

\item Prove that BFG is impossible in asynchrony and present GRANDPA

\end{itemize}
}

%The approach that we will take is similar to the approach that Ethereum plans to take with Casper the Friendly Finality Gadget (Casper FFG)\cite{CasperFFG}, which combines these approaches.
%We will use a block production mechanism and chain selection rule that give eventual consensus and then add a finality gadget, a protocol that finalizes blocks that the participants already agree on, to get provable finality.

%We present a finality gadget that works in a partially synchronous network model, GRANDPA, that works in the presence f up to $1/3$ Byzantine actors as well as an asynchronous finality gadget, that can cope with $1/5$ Byzantine actors.


\section{Model, Definitions, and Impossibilities}


We want to formalize the notion of finality gadget to be a sub-protocol that can be deployed along with any protocol with
eventual consensus and probabilistic finality and enhancing such protocol with provable finality.
To achieve this, we need to incorporate into the classic definition of Byzantine agreement
the fact that we additionally have access to a protocol that would achieve eventual consensus if we did not affect it.

\subsection{Byzantine Agreement with a Consistency Oracle}
Consider a typical definition of a multi-values Byzantine agreement:
We have a set of participants $V$, the majority of whom obey the protocol, but a constant fraction may be Byzantine, meaning they behave arbitrarily, e.g. provide false or inconsistent information or randomly go offline when they ought to be online.

\begin{definition} A protocol for {\em multi-valued Byzantine agreement} has a set of values $S$ and a set of voters $V$, a constant fraction of which may be Byzantine, for which each voter $v \in V$ starts with an initial value $s_v \in S$ and, in the end, decides a final value $f_v \in S$ such that the following holds:

\begin{itemize}
\item {\bf Agreement}: All honest voters decide the same value for $f_v$
\item {\bf Termination}: All honest voters eventually decide a value
\item {\bf Validity}: If all honest voters have the same initial value, then they all decide that value
\end{itemize}

\end{definition}

We can change this definition to assume that instead of having an initial value, all voters have access to an external protocol, an oracle for values, that achieves eventual consensus in that it returns the same value to all voters when called after some unknown time.

\begin{definition}
We say an oracle $A$ in a protocol is {\em eventually consistent} if it returns the same value to all participants after some unspecified time.
\end{definition}


\begin{definition} A protocol for the {\em multi-valued Byzantine finality gadget problem} has a set of values $S$, a set of voters $V$, a constant fraction of which may be Byzantine, for which each voter $v \in V$ has access to an eventually consistent oracle $A$ and, in the end, each voter decides a final value $f_v \in S$ such that the following holds:

\begin{itemize}
\item {\bf Agreement:} All honest voters decide the same value for $f_v$
\item {\bf Termination:} All honest voters eventually decide a value
\item {\bf Validity:} All honest voters decide a value that $A$ returned to some honest voter sometimes.
\end{itemize}

\end{definition}

\subsubsection{Impossibility of Deterministic Agreement with an Oracle.}\label{ssec:impossibility}

For the binary case, i.e. when $|S|=2$, the Byzantine finality gadget problem is reducible to Byzantine agreement. This does not hold for $|S| > 2$, because the definition of validity is stronger in our protocol. The multi-valued Byzantine agreement cannot provide the validity condition of deciding on the initial value of some honest voter and tolerating more than a $1/|S|$ fraction of faults, since we may have a $1/|S|$ fraction of voters reporting each initial value and Byzantine voters can act honestly enough not to be detectable. For finality gadgets, this stronger validity condition is possible. A natural question is then whether the celebrated FLP~\cite{fischer85impossibility} impossibility holds for our stronger requirements.
Next, we show that an asynchronous, deterministic binary finality gadget is impossible, even with one fault.
This means that the extra information voters have here, that $A$ will eventually agree for all voters, is not enough to make this possible.


\subsubsection{Proof Sketch:}

The asynchronous binary fault-tolerant agreement problem is as follows:

We have a number of voters which each has an initial $v_i$ in $\{0,1\}$
We may have one or more faulty nodes, which here means going offline at some point. Nodes have asynchronous communication - so any message arrives but we have no guarantee when it will.
The goal is to have all non-faulty nodes output the same $v$, which must be $0$ if all inputs $v_i$ are $0$ and $1$ if all are $1$.

Fischer, Lynch, and Paterson\cite{fischer85impossibility} showed that this is impossible if there is one faulty node.
The binary fault-safe finality gadget problem is similar, except now there is an oracle $A$ that any node can call at any time with the following properties.
First, either $A$ always outputs $x$ in $\{0,1\}$ to all nodes at all times
or else there is an $x$ in $\{0,1\}$ and, second,
for each node $i$, there is a $T_i$ such that when $i$ calls $A$ before $T_i$. it gives $x$but if it calls $A$ after $T_i$, it returns not $x$ .

We want that if A never switches, then all non-faulty nodes output x. If A does switch then all non-faulty nodes should output the same thing, but it can be 0 or 1. But, now we basically instantiated a binary agreement problem without an oracle.
As a result, deciding after the oracle switches value is as hard as not having an oracle at all.\com{ is also impossible, even for one faulty node, which just goes offline. Note that this generalizes Byzantine agreement, since if we could show that each node $i$ could call $A$ once at the start and use the output as $v_i$.(For the multi-valued case, we will define the problem so that this reduction does not hold.)}


\begin{proof}[Proof sketch] We follow the notation of  \cite{fischer85impossibility} and assume for a contradiction that we use a correct protocol.
Let $r$ be a run of the protocol where $A$ gives $0$ all the time.
Then by correctness, $r$ decides $0$. Now we consider what can happen when $A$ switches to $1$ after each configuration in $r$. If it switches to $1$ at the start, then the protocol decides $1$.
If it switches to $1$ when all nodes have already decided $0$, then it decides $0$.

We claim that some configuration in the run $r$, where there are two runs from it where $A$ is always $1$ that decide $0$ and $1$. We call such states $1$-bivalent.
To see this, assume for a contradiction that $r$ contains no such configurations. Then there are successive configurations $C$,$C'$ such that if $A$ return $1$ in the future from $C$ then we always decide $0$ but from $C'$, we always decide $1$.
Let events be $(p,m,x)$ where node (processor/voter) $p$ receives message $m$ (which may be null) and executes some code where any calls to A return $x$ in $\{0,1\}$, then sends some messages.
Then there is some event $(p,m,0)$ that when applied to $C$ gives $C'$. Now suppose that $p$ goes offline at $C$, then if $A$ always returns $1$ afterwards, then we still decide $1$. Thus there is a run $r'$ that starts at $C$ where $p$ takes no steps, $A$ always returns $1$, and all other nodes still output $1$.
But since $p$ takes no steps in $r'$, we can apply $r'$ after $(p, m, 0)$ and so we have that $C'$ has a run where $A$ always returns $1$ but decides $1$, which is a contradiction.

Now let $C$ be a $1$-bivalent configuration. We can follow the FLP proof to show that there is a run from $C$ for which $A$ always returns $1$, all messages are delivered but all configurations are 1-bivalent and so the protocol never decides. This completes the proof by contradiction that there is no correct protocol.
\end{proof}


\subsection{Definition of a Finality Gadget}

In this section, we show how to extend the one-shot agreement to agree on a chain of blocks. One difficulty in formalizing the problem is that the block production mechanism cannot be entirely separate from the finality gadget. In order to finalize new blocks, we must first build on the chain we have already finalized. So at a minimum, the block production mechanism needs to recognize which blocks the finality gadget has finalized. We will also allow the block production mechanism to interact with the state of the finality gadget in other ways.

We want the finality gadget to work with the most general block production mechanisms as possible. Thus we need a condition that combines the property of eventual consensus and this requirement to build on the last finalized block, but is otherwise not too restrictive.
We assume a kind of conditional eventual consensus.
If we keep building on our last finalized block $B$ and do not finalize any new blocks, then eventually we have consensus on a longer chain than just $B$, which the finality gadget can use to finalize another block.
We also want a protocol that does not terminate, but instead keeps on finalizing more blocks.

We assume that there is a block production protocol $P$ that runs at the same time as the finality gadget protocol $G$. Actors who are participants in both protocols may behave differently in $P$ depending on what happened in $G$.
However in the reverse direction, the only way that an honest voter $v$'s behavior in $G$ is affected by $P$ is through a voting rule, a function $A(v,s_v, B)$ that depends on $v$ and its state $s_v$ and takes a block $B$ and returns a block $B'$ at the head of a chain including $B$.

We say that the system $G$, $P$, and $A$ achieves {\em conditional eventual consensus}, if $G$ has finalized a block $B$, then eventually, either $G$ will finalize some descendant of $B$ or else all the chains with head $A_{v,s_v}(B)$ for all voters $v$ at all future states $s_v$ will contain the same descendant $B'$ of $B$.

\begin{definition} \label{def:finality-gadget}
Let $F$ be a protocol with a set of voters $V$, a constant fraction of which may be Byzantine.
We say that $F$ solves {\em blockchain Byzantine finality gadget problem} if for every block production protocol $P$ and voting rule $A$ we have the following

%A protocol for the blockchain Byzantine finality gadget problem has, each of whom has access to an oracle $A$ for the best chain given the last finalized block with the property that, as long as no new block is finalized, it achieves eventual consensus on some child of the last finalized block such that the following holds:

\begin{itemize}
\item{\bf Safety:} All honest voters finalize the same block at each block number.
\item{\bf Liveness:} If the system $F, G, A$ achieves conditional eventual consensus, then all honest voters keep finalizing blocks.
\item{\bf Validity:} If an honest voter finalizes a block $B$ then that block was seen in the best chain observed by some honest voter containing some previously finalized ancestor of $B$,
\end{itemize}

\end{definition}

As an example, we could assume $F$ uses proof of work to build on the longest chain and includes the last block $G$ finalized. Then we take $A(v,s_v,B)$ as being the longest chain which includes $B$ and which $v$ sees in state $s_v$. It is well-known \cite{nakamoto08bitcoin} that the longest chain with proof of work achieves eventual consensus under the right assumptions and similar arguments show that in this case, we have conditional eventual consensus.
As long as we do not change the chain we are building on by finalizing another block, we will eventually agree on some prefix longer than the last finalized block.
Thus, any finality gadget that satisfies Definition \ref{def:finality-gadget} will work in this system so that all honest voters finalize an increasingly long common chain.
Thanks to the abstraction above, we can switch $F$ for one of many possible alternative consensus algorithms and $G$ will still work.


\com{

\subsection{Our results}


\subsection{Related Work}

\subsubsection{Comparison with Casper}

The concept of finality gadget was introduced in Casper the friendly finality gadget and this remains the finality gadget that is most similar to ours. So it makes sense to compare these. However, first, we should mention the other protocols that are also called Casper.

The first Casper was Casper TFG. Casper CBC\cite{CasperCBC} gives a recent and clearly specified version of this protocol. Its fork choice rule uses the GHOST selection rule on votes.
In Casper TFG, votes are blocks, but they are counted by participants (proposers and validators) like votes, which differs from how GHOST would be used with proof of work. It also has a flexible way of subjectively finalizing blocks based on graphs of votes.

In Casper FFG\cite{CasperFFG}, validators vote on links between checkpoints, which occur at block numbers that are multiples of, say, 50. If there are 2/3 votes for one block at consecutive checkpoints, then we can finalize a chain of blocks up to the first checkpoint.

Epochless Casper,

Casper...

There are two main differences between Casper FFG and GRANDPA. One is that in GRANDPA, different voters can cast votes simultaneously for blocks at different heights. This is achieved by borrowing the concept of GHOST on votes from Casper TFG and applying it in a more traditional Byzantine agreement protocol.

The other main difference is how the finality gadget affects the fork-choice rule of the underlying block production mechanism. In GRANDPA, by default, we will assume that this is only affected by having to include any finalized blocks.
Casper FFG \cite{CasperFFG} does not specify a fork-choice rule, but it requires that we build on justified blocks for liveness. Later specifications of Casper use the GHOST rule on votes for fork-choice.

Only depending on finalized blocks gives a clearer separation between the block production mechanism and finality gadget. It may, therefore, be easier to adapt to other types of protocol that achieve eventual consensus—and there have been many diverse protocols that do this developed in the last few years.
It also makes it far easier to prove liveness properties.
If the finality gadget has not finalized anything and so does not interfere, then the underlying mechanism should reach eventual consensus, which should be enough for the finality gadget to finalize whatever we have consensus on.

On the other hand, while building on the longest chain in the absence of a finality gadget to maximize block rewards may be rational if everyone else does, this is not always the case for building on the longest chain including the last finalized block.
This is because it may be likely that a different chain is going to be finalized, in which case the rational thing to do might be to build on that. The GHOST on votes fork choice rule of ? and ? may be more rational.
It is not clear that it is, nor is it clear how to prove liveness for such a rule. Further research may be needed to show that there is a fork choice rule which is rational and leads to liveness for the finality gadget.


}
\subsection{Preliminaries} \label{sec:prelims}

\subsubsection{Network model}: We will be using a partially synchronous network model.
We assume that any message sent or received by an honest participant reaches all honest participants within time $T$, but possibly only after some Global Synchronization Time $\GST$.
Concretely, any message sent or received by some honest participant at time $t$ is received by all honest participants by time $\GST+T$ at the latest.


\subsubsection{Voters:} \com{We will want to change the set of participants who actively agree sometimes.
To model this, we have a large set of participants who follow messages.}
For each voting step, there is a set of $n$ voters.
We will frequently need to assume that for each such step, at most  $f < n/3$ voters are Byzantine.
We need $n-f$ of voters to agree on finality. Whether or not block producers ever vote, they will need to be participants who track the state of the protocol.

\subsubsection{Votes:}A vote is a block hash, together with some metadata such as round number and the type of vote, such as {\em prevote} or {\em precommit}, all signed with a voter's private key.

\subsubsection{Rounds:}Each participant has their own idea of what is the current round number. Every prevote and precommit has an associated round number. Honest voters only vote once (for each type of vote) in each round and do not vote in earlier rounds after later ones.
Participants need to keep track of which block they see as currently being the latest finalized block and an estimate of which block could have been finalized in the last round.


For block $B$, we write $\mathrm{chain}(B)$ for the chain whose head is $B$. The block number, $n(B)$ of a block $B$ is the length of $\mathrm{chain}(B)$.
For blocks $B'$ and $B$, we say $B$ is later than $B'$ if it has a higher block number.
We write $B > B'$ or that $B$ is descendant of $B'$ for $B$, $B'$ appearing in the same blockchain with $B'$ later i.e. $B' \in \mathrm{chain}(B)$ with $n(B) > n(B')$.
$B \geq B'$ and $B \leq B'$ are similar except allowing $B = B'$.
We write $B \sim B'$ or $B$ and $B'$ are on the same chain if $B<B'$, $B=B'$ or $B> B'$; and $B \nsim B'$ or $B$ and $B'$ are not on the same chain if there is no such chain.

Blocks are ordered as a tree with the genesis block as root. So any two blocks have a common ancestor but two blocks not on the same chain do not have a common descendant.
A vote $v$ for a block $B$ by a voter $V$ is a message signed by $V$ containing the blockhash of $B$ and meta-information like the round numbers and the type of vote.

A voter equivocates in a set of votes $S$ if they have cast multiple different votes in $S$. We call a set $S$ of votes safe if the number of voters who equivocate in $S$ is at most $f$. We say that $S$ has a supermajority for a block $B$ if the set of voters who either have a vote for blocks $\geq B$ or equivocate in $S$ has size at least $(n+f+1)/2$.  We count equivocations as votes for everything so that observing a vote is monotonic, meaning that if $S \subset T$ then if $S$ has a supermajority for $B$ so does $T$, while being able to ignore yet more equivocating votes from an equivocating voter.

For our finality gadget (GRANDPA) we use the ghost~\cite{lewenberg15inclusive} eventual consensus algorithm as $F$.
The $2/3$-GHOST function $g(S)$ takes a set $S$ of votes and returns the block $B$ with highest block number such that $S$ has a supermajority for $B$.
If there is no such block, then it returns `nil`. \com{(if $f \neq \lfloor (n-1)/3 \rfloor$, then this is a misnomer and we may change the name of the function accordingly.)}
Note that, if $S$ is safe, then we can compute $g(S)$ by starting at the genesis block and iteratively looking for a child of our current block with a supermajority, which must be unique if it exists. Thus we have:
\begin{lemma} \label{lem:ghost-monotonicity}
Let $T$ be a safe set of votes. Then
\begin{enumerate}
\item The above definition uniquely defines $g(T)$
\item If $S \subseteq T$ has $g(S) \neq$ nil, then $g(S) \leq g(T)$.
\item If $S_i \subseteq T$ for $1 \leq i \leq n$ then all non-nil $g(S_i)$ are on a single chain with head $g(T)$.
\end{enumerate}

\end{lemma}

Note that we can easily update $g(S)$ to $g(S \cup \{v\})$, by checking if any child of $g(S)$ now has a supermajority.
The third rule tells us that even if participants see different subsets of the votes cast in a given voting round, this rule may give them different blocks but all such blocks are in the same chain under this assumption.

Next, we define a notion of possibility to have a supermajority which says that if the set of all votes in a vote $T$ is safe and some participant observes a subset $S \subseteq T$ that has a supermajority for a block $B$ then all participants who see some other subset $S' \subseteq T$ still see that it is possible for $S$ to have a supermajority for $B$. We need a definition that extends to unsafe sets.
We say that it is {\em impossible} for a set $S$ to have a supermajority for $B$ if at least $(n+f+1)/2$ voters either vote for a block $\not \geq B$ or equivocate in $S$. Otherwise it is {\em possible} for $S$ to have a supermajority for $B$.

Note that if $S$ is safe, it is possible for $S$ to have a supermajority for $B$ if and only if there is a safe $T \supseteq S$ that has a supermajority for $B$, which can be constructed by adding a vote from $B$ for all voters without votes in $S$ and enough voters who already have voted in $S$ to bring the number of equivocations up to $f$.

We say that it is {\em impossible} for any child of $B$ to have a supermajority in $S$ if $S$ has votes from at least $2f+1$ voters and it is impossible for $S$ to have a supermajority for each child of $B$ appearing on the chain of any vote in $S$.
Again, provided $S$ is safe, this holds if and only if for any possible child of $B$, there is no safe $T \subseteq S$ that has a supermajority for that child.
\com{
Note that it is possible for an unsafe $S$ to both have a supermajority for $S$ and for it to be impossible to have such a supermajority under these definitions, as we regard such sets as impossible anyway.
}
\begin{lemma} \label{lem:impossible}
\begin{itemize}
\item[(i)] If $B' \geq B$ and it is impossible for $S$ to have a supermajority for $B$, then it is impossible for $S$ to have a supermajority for $B'$.
\item[(ii)] If $S \subseteq T$ and it is impossible for $S$ to have a supermajority for $B$, then it is impossible for $T$ to have a supermajority for $B$.
\item[(iii)] If $g(S)$ exists and $B \nsim g(S)$ then it is impossible for $S$ to have a supermajority for $B$.
\end{itemize}
\end{lemma}


\section{Finality Gadget Protocols} \label{sec:finality}

\com{
To discover up with a solution to the blockchain Byzantine finality gadget problem, we will typically look at various Byzantine agreement protocols and use those to find protocols for the multi-valued Byzantine finality gadget problem.
Agreement protocols with appropriate properties can be used to find protocols for the blockchain Byzantine finality gadget problem by considering running them in parallel at every block number.
If the one block protocol has the right properties then they will agree on blocks consistently, so if we finalize a block then we also finalize its ancestors and we can come up with a succinct protocol.

For example, suppose we have a one-block protocol that calls for a vote on blocks which requires a participant to observe a supermajority, said votes from  $2/3$ of voters, for some block, or else the participant observes that the vote is undecided. Now imagine running this vote in parallel for every block number and have any honest voter vote for blocks from a particular chain.
Byzantine voters may vote more than once, but if we count a vote for a block as a vote for each ancestor of the block in the vote for the instance of the one block protocol with its number, then Byzantine voters must also vote for chains, though they can vote for multiple chains.
If we do this, then we see that if a block has a supermajority in a vote, then so does all its ancestors in their votes. Thus the blocks with a supermajority form a chain.
Furthermore, if only $1/3$ of voters equivocate then if a participant sees a subset of the votes for chains, then they must see a prefix of the chain of blocks for which all the votes have supermajorities. Intuitively, the protocol can agree on the prefix that $2/3$ of voters agree on using this.

To ensure safety, each participant maintains an estimated $E_r$ of the last block that could have been finalized in a round $r$. This has the property that in future rounds it overestimates the block that could have been finalized so that in round $r$, the chain with head $E_{r-1}$ contains all blocks that could have been finalized.
Any honest voter only votes in round $r$ for chains containing their estimate $E_{r-1}$ and this guarantees that any block that could have been finalized in round $r-1$ will be finalized in round $r$.
}

In order to find a solution to the finality gadget protocol, we look in
consensus protocols that solve the stronger problem as described in the previous section. The key idea for our solution is to inherit the safety properties of a consensus protocol, but use the underlying blockchain as the driving force of liveness. This results in a protocol that does not stop when for example the network is split.
Instead, only the finalization stops, but the blocks keep getting created and propagated to everyone.
This means that when the conditions are safe again, the finality gadget only needs to finalize the head of the chain\footnote{Which the oracle will return quickly to a supermajority of miners.},
instead of having to transmit and run consensus on every block. \com{
In Figure~\ref{fig:finality}, we analyze the differences between classic blockchain protocols~\cite{nakamoto08bitcoin,wood14ethereum}, finality gadget, and hybrid consensus solutions~\cite{kokoris16enhancing,gilad17algorand}}


\subsection{The GRANDPA Protocol}\label{sec:grandpa}
In this section, we give our solution to the Byzantine finality gadget problem, GRANDPA.  Our finality gadget works a partially synchronous setting.

GRANDPA works in rounds, each round has a set of $3f+1$ eligible voters, $2f+1$ of which are assumed honest. Furthermore, we assume that each round has a participant designated as primary and all participants agree on the voter sets and primary. We will either choose the primary pseudo-randomly from or rotate through the voter set.
On a high-level, each round consists of a double-echo protocol after which every party waits in order to detect whether we can finalize a block in this round (this block does not need to be the immediate ancestor of the last finalized block, it might be far ahead from the last finalized block). If the round is unsuccessful, the parties simply move on to the next round with a new primary. When a good primary is selected, the oracle is consistent (returns the same value to all honest parties),
and the network is in synchrony (after $\GST$), then a new block will be finalized and it will transitively finalize all its ancestors.

More specifically, we let $V_{r,v}$ and $C_{r,v}$ be the sets of prevotes and precommits respectively received by $v$ from round $r$ at the current time.

We define $E_{r,v}$ to be $v$'s estimate of what might have been finalized in round $r$, given by the last block in the chain with head $g(V_{r,v})$ for which it is possible for $C_{r,r}$ to have a supermajority. Next, we define a condition which will allow us to safely conclude that $E_{r,v} \geq B$ for all $B$ that might be finalized in round $r$:
If either $E_{r,v} < g(V_{r,v})$ or it is impossible for $C_{r,v}$ to have a supermajority for any children of $g(V_{r,v})$, then we say that {\em $v$ sees that round $r$ is completable}.  $E_{0,v}$ is the genesis block, assuming we start at $r=1$.

In other words, a round $r$ is completable when our estimate chain $E_{r,v}$ contains everything that could have been finalized in round $r$, which makes it possible to begin the next round $r+1$.

We have a time-bound $T$ that after $\GST$ suffices for all honest participants to communicate with each other.
Inside a round, the properties both of $E_{r,v}$ having a supermajority, meaning $E_{r,v} < g(V_{r,v})$, as well as of it being impossible to have a supermajority for some given block are monotone, so the property of being completable is monotone as well.
We, therefore, expect that, if anyone sees a round is completable, then everyone will see this within time $T$. Leaving a gap of $2T$ between steps is then enough to ensure that every party receives all honest votes before continuing.


\subsubsection{Protocol Description.}
In round $r$ an honest participant $v$ does the following:

\noindent \fbox{\parbox{5.5in}{

\begin{enumerate}
\item A voter $v$ can start round $r > 1$ when round $r-1$ is completable and $v$ has cast votes in all previous rounds where they are a voter. Let $t_{r,v}$ be the time $v$ starts round $r$.

\item At time $t_{r,v}$, if $v$ is the primary of this round and has not finalized $E_{r-1,v}$ then they broadcast $E_{r-1,v}$. If they have finalized it, they can broadcast $E_{r-1,v}$ anyway (but do not need to).

\item If $v$ is a voter for the prevote of round $r$, $v$ waits until either it is at least time $t_{r,v}+2T$ or round $r$ is completable, then broadcasts a prevote.
They prevote for the head of the best chain containing $E_{r-1,v}$ unless we received a block $B$ from the primary and $g(V_{r-1,v}) \geq B > E_{r-1,v}$, in which case they use the best chain containing $B$ instead.

\item If $v$ is a voter for the precommit step in round $r$, then they wait until $g(V_{r,v}) \geq E_{r-1,v}$ and one of the following  conditions holds
\begin{itemize}
\item[(i)] it is at least time $t_{r,v}+4T$,
\item[(ii)] round $r$ is completable or
\item[(iii)] it is impossible for $V_{r,v}$ to have a supermajority for any child of $g(V_{r,v})$,
\end{itemize}
and then broadcasts a precommit for $g(V_{r,v})$ {\em( (iii) is optional, we can get away with just (i) and (ii))}.

\end{enumerate}

}}

Note that $C_{r,v}$ and $V_{r,v}$ may change with time and also that $E_{r-1,v}$, which is a function of $V_{r-1,v}$ and $C_{r-1,v}$, can also change with time if $v$ sees more votes from the previous round.

\subsubsection{Finalization.}

If, for some round $r$, at any point after the precommit step of round $r$, we have that $B=g(C_{r,v})$ is later than our last finalized block and $V_{r,v}$ has a supermajority, then we finalize $B$.
We may also send a commit message for $B$ that consists of $B$ and a set of precommits for blocks $\geq B$.

To avoid spam, we only send commit messages for $B$ if we have not received any valid commit messages for $B$ and its descendants and we wait some time chosen uniformly at random from $[0,1]$ seconds or so before broadcasting.
If we receive a valid commit message for $B$ for round $r$, then it contains enough precommits to finalize $B$ itself if we have not already done so, so we'll finalize $B$ as long as we are past the precommit step of round $r$.


\com{
\subsection{Discussion}

\subsubsection{Wait at the end of a round before precommitting.}

If the network performs badly, then these steps may involve waiting for an arbitrarily long time. When the network is well behaved (after the $\GST$ in our model), we should not be waiting. Indeed there is little point not waiting to receive $2f+1$ of voters' votes as we cannot finalize anything without them.
But if the  network is not perfect and some messages never arrive, then we may need to make voters asking other voters for votes from previous rounds.\com{ in a similar way to the challenge procedure, to avoid deadlock.}

In exchange for our design choice of waiting, we get the property that we do not need to pay attention to votes from before the previous round in order to vote correctly in this one. Without waiting, we could be in a situation where we might have finalized a block in some round r, but the network becomes unreliable for many rounds and gets few votes on time, in which case we need to remember the votes from round r to finalize the block later.

\subsubsection{Using a Primary}

We only need the primary for liveness.
We need some form of coordination to defeat the repeated vote-splitting attack. The idea behind that attack is that if we are in a situation where almost 2/3 of voters vote for something and the rest vote for another, then the Byzantine voters can control when we see a supermajority for something. If they can carefully time this, they may be able to split the next vote.
Without the primary, they could do this for prevotes, getting a supermajority for a block $B$ late, then split precommiher from being finalized like this even if the (unknown) fraction of Byzantine players is small.

When the network is well-behaved, an honest primary can defeat this attack by deciding how much we should agree on. We could also use a common coin for the same thing, where people would prevote for either the best chain containing $E_{r-1,v}$ or $g(V_{r-1,v})$ depending on the common coin.
With on-chain voting, it is possible that we could use probabilistic finality of the block production mechanism - that if we do not finalize a block and always build on the best chain containing the last finalized block then not only will the best chain eventually converge, but if a block is behind the head of the best chain, then with positive probability, it will eventually be in the best chain everyone sees.

In our setup, having a primary is the simplest option for this.
ts so we do not see that it is impossible for there to be a supermajority for $B$ until late.
If $B$ is not the best block given the last finalized block but $B'$  with the same block number, they could stop it

}


\section{ Analysis }


To analyze the performance of our finality gadget, we will need versions of our properties that appropriately depend on time:

\begin{itemize}
\item{\bf Fast termination:} {\em If the last finalized block has number $n$ and, until another block is finalized, the best chain observed by all participants will include the same block with block number $n+1$, then a block with number $n+1$ will be finalized within time $T$.}
\item{\bf Recent validity:} {\em If an honest voter finalizes a block $B$ then that block was seen in the best chain observed by some honest voter containing some previously finalized ancestor of $B$ more recently than time $T$ ago.}
\end{itemize}

Intuitively, fast termination implies that we finalize blocks fast as long as the block production mechanism achieves consensus fast whereas recent validity bounds the cost of starting to agree on something the block production mechanism's consensus later decides is not the best. In this case, we may waste time building on a chain that is never finalized so it is important to bound how long we do that.

These properties will typically only hold with high probability. In the asynchronous case, we would need to measure time in rounds of the protocol rather than seconds to make sense of these properties.  We are also interested in being able to remove and punish Byzantine voters, for which we will need:

\begin{itemize}
    \item{\bf Accountable Safety:} {\em If blocks on different chains are finalized, then we can identify at least $f+1$ Byzantine voters.}
\end{itemize}


\subsection{ Accountable Safety}

The first thing we want to show is asynchronous safety, assuming we have at most $f$ Byzantine voters. This follows from the property that if $v$ sees round $r$ as completable then any block $B$ with $E_{r,v} \not\leq B$ has that it is impossible for one of $C_{r,v}$ or $V_{r,v}$ to have a supermajority for $B$ and so $B$ was not finalized in round $r$. This ensures that all honest prevotes and precommits in round $r+1$ are for chains that include any blocks that could have been finalized in round $r$. With an induction, this is what ensures that we cannot finalize blocks on different chains. To show accountable safety, we need to turn this proof around to show the contrapositive, when we finalize different blocks, then there are $f+1$ Byzantine voters. If we make this proof constructive, then it gives us a challenge procedure, that can assign blame to such voters.

\begin{theorem} \label{thm:accountable} If the protocol finalizes any two blocks $B,B'$ for which valid commit messages were sent, but which do not lie on the same chain, then there are at least $f+1$ Byzantine voters who all voted in a particular vote. Furthermore, there is a synchronous procedure to find some such set $X$ of $f+1$ Byzantine voters.
\end{theorem}

The challenge procedure works as follows: If $B$ and $B'$ are committed in the same round, then the union of their precommits must contain at least $f$ equivocations, so we are done.  Otherwise, we may assume by symmetry that $B$ was committed in round $r$ and $B'$ in round $r' > r$.  There are at least $n-f$ voters who precommitted $\geq B'$ or equivocated in round $r$ in their commit messages, so we ask those who precommitted $\geq B'$ why they did so.

Starting with $r''=r' $, we ask queries of the following form:
\begin{itemize}
\item Why was $E_{r''-1} \not\geq B$  when you prevoted for or precommitted to $B'' \not\geq B$ in round $r'' > r$?
\end{itemize}
\noindent Any honest voter should be able to respond to this, as is shown in Lemma \ref{lem:honest-answer} below.

The response is of the following form:
\begin{itemize}
\item A either a set $S$ of prevotes for round $r''-1$, or else a set $S$ of precommits for round $r''-1$, in either case, such that it is impossible for $S$ to have a supermajority for $B$.
\end{itemize}

Any honest voter should respond.  In particular, if no voter responds, then we consider all voters how should have responded but did not as Byzantine and we return this set of voters, along with any equivocators, which will be at least $n-f$ voters total. If any do respond, then if $r'' > r+1$, we can ask the same query for at least $n-f$ voters in round $r''-1$. We note however that if any voters do respond then we will not punish non-responders.

If we ask such queries for a vote in all rounds between $r''=r'$ and $r''=r+1$ and get valid responses, since some voter responds when $r''=r+1$, then we have either a set $S$ of prevotes or precommits in round $r$ that show it is impossible for $S$ to have a supermajority for $B$ in round $r$.

If $S$ is a set of precommits, then if we take the union of $S$ and the set of precommits in the commit message for $B$, then the resulting set of precommits for round $r$ has a supermajority for $B$ and it is impossible for it to have a supermajority for $B$. This is possible if the set is not safe and so there must be at least $f+1$ voters who equivocate an so are Byzantine.

If we get a set $S$ of prevotes for round $r$ that does not have a supermajority for $B$, then we need to ask a query of the form

\begin{itemize}
\item Which prevotes for round $r$ have you seen?
\end{itemize}
\noindent to all the voters of precommit in the commit message for $B$  who voted for blocks $B'' \geq B$. There must be $n-f$ such voters and a valid response to this query is a set $T$ of prevotes for round $r$ with a supermajority for $B''$ and so a supermajority for $B$.


If any give a valid response, by a similar argument to the above, $S \cup T$ will have $f+1$ equivocations.

So we either discover $f+1$ equivocations in a vote or else $n-f > f+1$ voters either equivocate or fail to validly respond as an honest voter could do to a query.


\begin{lemma} \label{lem:honest-answer}
An honest voter can answer the first type of query.
\end{lemma}
We first show that, if a prevote or precommit in round $r$ is cast by an honest voter $v$ for a block $B''$, then at the time of the vote we had $B'' \geq E_{r-1,v}$.
Prevotes should be for the head of a chain containing either $E_{r-1,v}$ or some $B''' > E_{r-1,v}$ by step 2 or 3.  In either case we have $B'' \geq E_{r-1,v}$. Precommits should be for $g(V_{r,v})$ but $v$ waits until $g(V_{r,v}) \geq E_{r-1,v}$, by step 4, before precommitting, so again this holds.
It follows that, if $B'' \not\geq B$, then we had $E_{r-1,v} \not\geq B$.

We next show that if we had $E_{r-1,v} \not\geq B$ at the time of the vote then we can respond to the query validly, by demonstrating the impossibility of a supermajority for $B$.
If $B$ was not on the same chain with $g(V_{r-1,v})$, then by Lemma \ref{lem:impossible} (iii), it was impossible for $V_{r-1,v}$ to have a supermajority for $B$, as desired.
If $B$ was on the same chain as $g(V_{r-1,v})$, then it was on the same chain as $E_{r-1,v}$ as well.  In this case, we must have $B > E_{r-1,v}$ since $E_{r-1,v} \not\geq B$.
% ??????
% ... Need $E_{r-1,v} \geq g(V_{r-1,v})$ somehow?? ...
% ??????
% As $v$ started the round, we know $v$ sees $r-1$ as completable, so
%  either $E_{r-1,v} < g(V_{r-1,v})$ or it is impossible for $C_{r-1,v}$ to have a supermajority for any children of $g(V_{r-1,v})$,
% ??????
 However, possibly using that round $r-1$ is completable, it was impossible for $C_{r-1,v}$ to have a supermajority for any child of $E_{r-1,v}$ on the same chain with $g(V_{v,r})$ and in particular for the child of $E_{r-1,v}$ on $\textrm{chain}(B)$.
% ??????
By Lemma \ref{lem:impossible} (i), this means $C_{r-1,v}$ did not have a supermajority for $B$, again as desired.

Thus we have that, at the time of the vote, for one of $V_{r-1,v}$, $C_{r-1,v}$, it was impossible to have a supermajority for $B$. The current sets $V_{r-1,v}$ and $C_{r-1,v}$ are supersets of those at the time of the vote, and so by Lemma \ref{lem:impossible} (ii), it is still impossible. Thus $v$ can respond validly.


This is enough to show Theorem \ref{thm:accountable}.  Note that if $v$ sees a commit message for a block $B$ in round $r$ and has that $E_{r',v} \not\geq B$, for some completable round $r' \geq r$, then they should also be able to start a challenge procedure that successfully identifies at least $f+1$ Byzantine voters in some round. Thus we have that:

\begin{corollary} \label{cor:overestimate-final}
If there at most $f$ Byzantine voters in any vote, $B$ was finalized in round $r$, and an honest participant $v$ sees that round $r' \geq r$ is completable, then $E_{r',v} \geq B$.
\end{corollary}

\subsection{Liveness }

We show the protocol is deadlock-free and also that it finalizes new blocks quickly in a weakly synchronous model.
For this section, we will assume that there are at most $f < n/3$ Byzantine voters for each vote, and so that the sets of prevotes and precommits for each round are safe.

We define $V_{r,v,t}$ be the set $V_{r,v}$ at time $t$ and similarly for $C_{r,v,t}$ and the block $E_{r,v,t}$ .

We first show that the completability of a round and the estimate for a completable round are monotone in the votes we see, in the latter case monotonically decreasing:

\begin{lemma} \label{lem:message-monotonicity-completed-estimate}
Let $v,v'$ be (possibly identical) honest participants, $t,t'$ be times, and $r$ be a round.
Then if $V_{r,v,t} \subseteq V_{r,v',t'}$ and $C_{r,v,t} \subseteq C_{r,v',t'}$and $v$ sees that $r$ is completable at time $t$, then $E_{r,v',t'} \leq E_{r,v,t}$ and $v'$ sees that $r$ is completable at time $t'$.
\end{lemma}

\begin{proof}
Since $v$ sees that $r$ is completable at time $t$,
either $E_{r,v} < g(V_{r,v})$ requiring $(n+f+1)/2 > 2f + 1$ votes, or else it is impossible for $C_{r,v}$ to have a supermajority for any children of $g(V_{r,v})$, requiring $2f + 1$ votes.
In either case, both $V_{r,v,t}$ and $C_{r,v,t}$ contain votes from $2f + 1$ voters and so the same holds for $V_{r,v',t'}$ and $C_{r,v',t'}$.
By Lemma \ref{lem:ghost-monotonicity} (ii), $g(V_{r,v',t'}) \geq g(V_{r,v,t})$.
As it is impossible for $C_{r,v,t}$ to have a supermajority for any children of $g(V_{r,v,t})$, it follows from Lemma \ref{lem:impossible} (i \& ii) that it is impossible for $C_{r,v',t'}$ as well, and so both $E_{r,v',t'} \leq g(V_{r,v,t})$ and $v'$ sees $r$ is completable at time $t'$.
But now $E_{r,v,t}$ and $E_{r,v',t'}$ are the last blocks on $\textrm{chain}(g(V_{r,v,t}))$ for which it is possible for $C_{r,v,t}$ and $C_{r,v',t'}$ respectively to have a supermajority,
As it is possible for $C_{r,v',t'}$ to have a supermajority for $E_{r,v',t'}$, then it is possible for $C_{r,v,t}$ to have a supermajority for $E_{r,v',t'}$ as well, by Lemma \ref{lem:impossible} (ii) and tolerance assumptions, so $E_{r,v',t'} \leq E_{r,v,t}$.
\end{proof}

\subsubsection{Deadlock Freeness}

Now we can show deadlock freeness for the asynchronous network model when a message that is sent or received by any honest participant is eventually received by all honest participants. This holds because the oracle encapsulates this eventual delivery guarantee.

\begin{proposition} Suppose that we are in the asynchronous network model and that at most $f$ voters for any vote are Byzantine. Then the protocol is deadlock-free.\end{proposition}

\begin{proof} We need to show that if all honest participants reach some vote, then all of them eventually reach the next.

If all honest voters reach a vote, then they will vote and all honest participants see their votes. We need to deal with the two conditions that might block the algorithm even then.
To reach the prevote of round $r$, a participant may be held up at the condition that round $r-1$ must be completable. To reach the precommit, a voter may be held up by the condition that $g(V_{r,v}) \geq E_{r-1,v}$.

For the first case, the prevote, let $S$ be the set of all prevotes from round $r-1$ that any honest voter saw before they precommitted in round $r-1$.
By Lemma \ref{lem:ghost-monotonicity}, when voter $v'$ precommitted, they do it for block $g(V_{r-1,v'}) \leq g(S)$.
Let $T$ be the set of precommits in round $r$ cast by honest voters.
Then for any block $B \not\leq g(S)$, $T$ does not contain any votes that are $\geq B$ and so it is impossible for $T$ to have a supermajority for $B$.
In particular, it is impossible for $T$ to have a supermajority for any child of $g(S)$.

Now consider a voter $v$. By our network assumption, there is a time $t$ by which they have seen the votes in $S$ and $T$. Consider any $t' \geq t$.
At this point we have $g(V_{r,v,t;}) \geq g(S)$. It is impossible for $C_{r,v,t'}$ to have a supermajority for any child of $g(S)$ and so $E_{r-1,v,t'} \leq g(S)$, whether or not this inequality is strict, we satisfy one of the two conditions for $v$ to see that round $r-1$ is completable at time $t'$.
Thus if all honest voters reach the precommit vote of round $r-1$, all honest voters reach the prevote of round $r$.

Now we consider the second case, reaching the precommit.
Note that any honest prevoter in round $r$ votes for a block $B_v \geq E_{r-1,v,t_v}$ where $t_v$ is the time they vote. Now consider any honest voter for the precommit $v'$. By some time $t'$, they have received all the messages received by each honest voter $v$ at time $t_v$ and $v'$'s prevote.
Then by Corollary \ref{cor:overestimate-final}, $B_v \geq E_{r-1,v,t_v} \geq E_{r-1,v',t'}$. Since $V_{r,v',t'}$ contains these $B_v$, $g(V_{r,v',t'}) \geq  E_{r-1,v',t'}$. Thus if all honest voters prevote in round $r$, eventually all honest voters precommit in round $r$.

An easy induction completes the proof of the proposition.
\end{proof}

\subsubsection{Weakly synchronous liveness}

Now we consider the weakly synchronous network model. The idea that there is some global stabilization time($\GST$) such that any message received or sent by an honest participant at time $t$ is received by all honest participants at time $\max\{t,\GST\}+T$.

Let $t_r$ be the first time any honest participant enters round $r$ i.e. the minimum over honest participants $v$ of $t_{r,v}$.

\begin{lemma} \label{lem:timings}
Assume the weakly synchronous network model and that each vote has at most $f$ Byzantine voters. Then if $t_r \geq \GST$, we have that
\begin{itemize}
\item[(i)] $t_r \leq t_{r,v} \leq t_r+T$ for any honest participant $v$,
\item[(ii)] no honest voter prevotes before time $t_r+2T$,
\item[(iii)] any honest voter $v$ precommits at the latest at time $t_{r,v}+4T$,
\item[(iv)] for any honest $v$, $t_{r+1,v} \leq t_r + 6T$.
\end{itemize}
\end{lemma}


\begin{proof} Let $v'$ be one of the first honest participants to enter round $r$ i.e. with $t_{r,v'}=t_r$.
By our network assumption, all messages received by $v'$ before they ended are received by all honest participants before time $t_r+T$.
In particular at time $t_r$, $v'$ sees that all previous rounds are completable and so by Corollary \ref{cor:overestimate-final}, so does every other honest participant by time $t_r+T$.
Also since for $r' < r$, at some time $s_{r'} \leq t_r$ $g(V_{r',v',s_r'}) \geq E_{r',v',s_r'}$, again by Lemma 4, for all honest $v$, $g(V_{r',v,t_r+T}) \geq E_{r',v,t_r+T}$. Looking at the conditions for voting, this means that any honest voter does not need to wait before voting in any round $r' \leq r$.
Thus they cast any remaining votes and enter round $r$ by time $t_r + T$. This shows (i).

For (ii), note that the only reason why an honest voter would not wait until time $t_{r,v}+2T \geq t_r+ 2T$ is when $n-f$ voters have already prevoted. But since some of those $n-f$ votes are honest, this is impossible before $t_r+2T$

Now an honest voter $v''$ prevotes at time $t_{r,v''}+2T \leq t_r +3T$ and by our network assumptions all honest participants receive this vote by time $t_r+4T$. An honest voter for the precommit $v$ has also received all messages that $v''$ received before they prevoted by then.
Thus the block they prevoted has $B_{v''} \geq E_{r-1,v''} \geq E_{r-1,v,t_r+4T}$, since this holds for every honest voter $v''$, $g(V_{r,v,t_r+4T}) \geq E_{r-1,v,t_r+4T}$. Thus they will precommit by time $t_{r,v}+4T$ which shows (iii).

By the network assumption an honest voter $v'$'s precommit will be received by all honest participants $v$ by time $t_{r,v'}+ 5T \leq t_r+6T$.
Since $v$ will also have received all prevotes $v$ say when they precommitted by this time, their vote $B_{v'}$ will have $B_{v'}=g(V_{r,v'}) \leq g(V_{r,v,t_r+6T})$.
Thus $C_{r, v, t_r+6T}$ contains precommits from $n-f$ voters $v'$ with $B_{v'} \leq g(V_{r,v,t_r+6T})$ and thus it is impossible for $C_{r,v,t_r+6T}$ to have a supermajority for any children of $g(V_{r,v, t_r+6T})$.
Thus $v$ sees that round $r$ is completable at time $t_r+6T$. Since they have already prevoted and precommitted if they were a voter, they will move to round $r+1$ by at the latest $t_t+6T$. This is (iv).
\end{proof}

\begin{lemma} \label{lem:honest-prevote-timings}
Suppose $t_r \geq \GST$ and every vote has at most $f$ Byzantine voters. Let $H_r$ be the set of prevotes ever cast by honest voters in round $r$. Then
\begin{itemize}
\item[(a)] any honest voter precommits to a block $\geq  g(H_r)$,

\item[(b)] every honest participant finalizes $g(H_r)$ by time $t_r+6T$.
\end{itemize}
\end{lemma}

\begin{proof} For (a), we separate into cases based on which of the conditions (i)-(iii) that we wait for to precommit hold.

For (i), all honest voters prevote in round $r$ by time $t_r+3T$. So any honest voter $v$ who precommits at or after time $t_{r,v}+4T \geq t_r+4T$ has received all votes in $H_r$ and by Lemma \ref{lem:ghost-monotonicity}, precommits to a block $\geq g(H_r)$.

For (ii), we argue that no honest voter commits a block $\not\geq g(H_r)$ first. The result will then follow by an easy induction once the other cases are dealt with. Suppose that no honest voter has precommitted a block $\not \geq g(H_r)$ so far and that a voter $v$ votes early because of (ii).

Note that, since we assume that all precommits by honest voters so far were $\geq g(H_r)$, it is possible for $C_{r,v}$ to have a supermajority for $g(H_r)$.
For (ii) to hold for a voter $v$ i.e for round $r$ to be completable, it must be the case that either it is impossible for $C_{r,v}$ to have a supermajority for $g(V_{r,v})$ or else be impossible for $C_{r,v}$ to have a supermajority for any children of $g(V_{r,v})$. By Lemma \ref{lem:impossible} cannot have $g(V_{r,v}) < g(H_r)$.
But by Lemma \ref{lem:ghost-monotonicity}, these are on the same chain and so $g(V_{r,v}) \geq g(H_r)$. Since this is the block $v$ precommits to, we are done in case (ii)

For (iii), let $v$ be the voter in question. Note that since $n-f$ honest voters prevoted $\geq g(H_r)$, it is possible for $V_{r,v}$ to have a supermajority for $g(H_r)$. By Lemma \ref{lem:ghost-monotonicity}, $g(V_{r,v})$ is on the same chain as $g(H_r)$.
For (iii), it is impossible for $V_{r,v}$ to have a supermajority for any children of $g(V_{r,v})$. If we had $g(V_{r,v}) < g(H_r)$, by Lemma \ref{lem:impossible}, this would mean that it would be impossible for $V_{r,v}$ to have a supermajority for $g(H_r)$ as well. So it must be that $g(V_{r,v} )\geq g(H_r)$ as required.

For (b), combining (a) and Lemma \ref{lem:timings} (iii), we have that any honest voter $v$ precommits $\geq g(H_r)$ by time $t_{r,v}+4T$. By our network assumption, all honest participants receive these precommits by time $t_r+6T$ and so finalize $g(H_r)$ if they have not done so already.
\end{proof}

\begin{lemma} \label{lem:primary-finalizes}
 Suppose that $t_r \geq \GST$, the primary $v$ of round $r$ is honest and no vote has more than $f$ Byzantine voters. Let $B=E_{r-1,v,t_{v,r}}$ be the block $v$ broadcasts if it is not final. Then every honest prevoter prevotes for the best chain including $B$ and all honest voter finalize $B$ by time $t_r+6T$.
 \end{lemma}

\begin{proof} By Lemma \ref{lem:timings} and our network assumptions, no honest voter  prevotes before time $t_r+2T \geq t_{r,v}+2T$ and so at this time, they will have seen all prevotes and precommits seen by $v$ at $t_{r,v}$ and the block $B$ if $v$ broadcast it then. By Lemma \ref{lem:message-monotonicity-completed-estimate}, any honest voter $v'$ has $E_{r-1,v'} \leq B \leq g(V_{r-1,v})$ then.

So if the primary broadcast $B$, then $v'$ prevotes for the best chain including $B$. If the primary did not broadcast $B$, then they finalize it. By Corollary \ref{cor:overestimate-final}, it must be that $E_{r-1,v'} \geq B$ and so $E_{r-1,v'}=B$ and so in this case $v'$ also prevotes for the best chain including $B$.

Since all honest voters prevote $\geq B$, $g(H_r) \geq B$ and so by Lemma \ref{lem:honest-prevote-timings}, all honest participants finalize $B$ by time $t_r+6T$
\end{proof}


\begin{lemma}
 Suppose that $t_r \geq \GST+T$ and the primary of round $r$ is honest.
Let $B$ be the latest block that is ever finalized in rounds  $<r$ (even if no honest participant finalizes it until after $t_r$). If all honest voters for the prevote in round $r$ agree that the best chain containing $B$ includes the same child $B'$ of $B$, then they all finalize some child of $B$ before $t_r+6T$.
\end{lemma}

\begin{proof} By Corollary \ref{cor:overestimate-final}, any honest participant sees that $E_{r-1} \geq B$ during round $r$. Let $v$ be the primary of round $r$ and $B''=E_{r-1,v,t_{r,v}}$. If $B'' > B$, then by Lemma \ref{lem:primary-finalizes}, all honest participants finalize $B''$ by time $t_r+6T$ which means they finalized a child of $B$. If $B''=B$, then by Lemma \ref{lem:honest-prevote-timings}, all honest voters prevote for the best chain including $B$.
By assumption these chains include $B'$ and so $g(H_r) \geq B$. By Lemma \ref{lem:honest-prevote-timings}, this means that $B'$ is finalized by time $t_r+6T$.
\end{proof}


\subsubsection{Recent Validity}

\begin{lemma} \label{lem:honest-recent-validity}
Suppose that $t_r \geq \GST$, the primary of round $r$ is honest and all votes have at most $f$ Byzantine voters.
Let $B$ be a block that less than $f+1$ honest prevoters in round $r$ saw as being in the best chain of an ancestor of $B$ at the time they prevoted.
Then either all honest participants finalize $B$ before time $t_r+6T$ or no honest participant ever has $g(V_{r,v}) \geq B$ or $E_{r,v} \geq B$.
\end{lemma}

\begin{proof} Let $v'$ be the primary of round $r$ and let $B'=E_{r-1,v',t_{r,v'}}$. If $B' \geq B$, then by Lemma \ref{lem:primary-finalizes}, all honest participants finalize $B$ by time $t_r+6T$. If $B' \not\geq B$, then by Lemma \ref{lem:primary-finalizes}, at most $f$ honest voters prevotes $\geq B$. In this case, less than $2f+1 \leq (n+f+1)/2$ prevoters vote $\geq B$ or equivocate and so no honest participant ever has $g(V_{r,v}) \geq B$.
\end{proof}


\begin{corollary} For $t - 6T > t' \geq \GST$, suppose that an honest participant finalizes $B$ at time $t$ but that no honest voter has seen $B$ as in the best chain containing some ancestor of $B$ in between times $t'$ and $t$, then at least $(t-t')/6T - 1$ rounds in a row had Byzantine primaries. \end{corollary}


\section{Optimized version of GRANDPA}

 There are a few ways we can optimize the GRANDPA protocol.
 Firstly, a participant that is offline for many rounds should be able to catch up to the latest round by only seeing recent messages.
 Secondly, we should not need to actively use many rounds worth of votes for challenges for accountable safety instead of finalizing blocks.
 Thirdly, We should wait for $2T$ as rarely as possible. Conversely, if communication is faster than block production, we should not be running many rounds before a new block arrives.

 To achieve this, we need to have more complicated conditions for when to perform each step of the protocol. Here is the resulting protocol:

 To enter a round $r$, $v$ needs that round $r-1$ is completable and that $E_{r-2,v}$ is finalized.
 If $v$ sees messages that give this for a future round $r$, even if $v$ are not in round $r-1$, $v$ jumps straight to round $r$.
 (when checking this condition, for the finalization, we need to relax not finalizing using precommits from future rounds to all rounds $< r$).

 \noindent \fbox{\parbox{5.5in}{
 \begin{enumerate}
 \item If $v$ is the primary, it broadcast $E_{r-1,v}$ at the start time $t_{r,v}$

 \item We prevote when one of the following conditions tells us to.
 \begin{itemize}
 %\item[(i)] If it is impossible for $V_{r-1,v}$ to have a supermajority for any children of $E_{r-1,v}$, then $v$ prevotes for the best chain containing $E_{r-1,v}$
 \item[(i)] If $v$ has received $B$ from the primary, $v$ prevotes for the head of the  best chain containing $B$ as soon as one of the following holds:

 \begin{itemize}
 \item[(a)] $g(V_{r-1,v}) \geq B \geq E_{r-1,v}$
 \item[(b)] The best chain containing $B$ is also the best chain containing $E_{r-1,v}$
 (equivalently if we evaluate the best chain containing the earlier of the two blocks, then it contains the other)
 \end{itemize}
 \item[(ii)] If round $r$ is completable and $E_{r,v} \geq E_{r-1,v}$, then we prevote for $E_{r,v}$.
 \item[(iii)] if we have reached time $t_{r,v}+2T$ then if we have not received a message from the primary or (i) (a) does not hold, then $v$ prevotes for the head of best chain containing $E_{r-1,v}$ anyway.
 \end{itemize}

 \item After prevoting, we wait until $g(V_{r,v}) \geq E_{r-1,v}$,  then when one of the following holds, we precommit $g(V_{r,v})$
 \begin{itemize}
 \item[(i)] if round $r$ is completable
 \item[(ii)] if $v$ has seen a child of the last finalized block and it is impossible for $V_{r,v}$ to have a supermajority for any child of $g(V_{r,v})$ .
 \item[(iii)] If $v$ has seen a child of the last finalized block and we have reached time $t_{r,v}+4T$.
 \end{itemize}
 \end{enumerate}
 }}

 We claim that all results we proved about the protocol described in Section \ref{sec:grandpa} apply to this protocol. the stronger properties this satisfies are that $v$ does not need to store votes from before round $r-1$ (except to answer challenges for accountable safety, which should be rare) and that if we have seen no descendants of the last finalized block, we pause until we do.


\section{Conclusion}

In this paper, we formalized the abstraction of a finality gadget, showed that it is impossible in asynchrony and proposed GRANDPA, a partially synchronous protocol.
Finality gadgets strike a balance between the classic BFT consensus protocols that aggressively commit transactions and the Bitcoin-style consensus protocols that probabilistically commit transactions with a direct dependency on the underlying network's synchrony.

Using a finality gadget on top of a blockchain (which is used as an oracle) has multiple benefits.
First, it remains live during network instability and is able to commit a lot of transactions quickly when the network stabilizes. Second, it allows for optimistic commitment and efficient roll-back of transactions, using the blockchain as an unsafe-but-probably-correct broadcast channel. Finally, it provides flexibility to the light-clients on verifying only small parts of the blockchain.

In the future, we envision using finality gadgets in order to federate multiple insecure blockchains (i.e., sharding state) to a global secure one and enabling them to communicate. The main chain will provide optimistic commitment of the state of the sub-chains and after verification, the finality gadget will either commit or roll-back the transactions efficiently.


\com{

\section{Practicalities}

\subsection{Changing the voter set on-chain in an asynchronously safe way}

\subsubsection{Changing the voter set in an asynchronously safe way}

Suppose we have an on-chain protocol that decides we need a different voter set. Once everyone finalizes the block, they know that we need to change the set. The protocol can cope with changing the voter set from some round $r$.
The main difficulty is that the chain has no idea what the current round number is and even if we have a block that instructs us to change the voter set at round $r$, we might only finalize the block after round $r$.
So instead we will not take advantage of the ability to change set from one round to the next.

A block $B$ can contain an instruction that we should change to the voter set to some other set after some integer $m \geq 0$ blocks. If our best chain for a prevote contains such a block $B$, then we do not prevote for more than $m$ blocks after $B$, even if our best chain is longer.
Thus if the current voter set has $n-f$ honest voters, they will only finalize $m$ blocks after such a $B$. We only accept votes and commit messages up top $m$ blocks after $B$ from the current set of voters.

When some block $B'$ that is $m$ blocks after $B$ has been finalized, then the new voter set starts again at round $1$ with $E_{0}=B'$. Votes will need to contain additional metadata that indicates the voter set somehow.

\subsubsection{Unsafe fallback for changing the voter set after stalling}

In extreme circumstances, we may need to deal with $1/3$ of voters being offline.
There is no asynchronously safe way of doing this. It also breaks the chain of signed statements by the existing set of voters saying who the future set of voters should be. And it means we may be vulnerable to being cut of by Byzantine participants.
However if we are in a state when many voters go offline but the network is not partitioned, then we want a way to agree on a set of new voters to restart the finality gadget.

Every 100 blocks or so, we should put a valid commit message on chain. Honest block producers should put the most recent message on the chain, provided that there is one for a more recent block than 100 blocks ago.
Then if a participant sees that their best chain has not had such a message for 1000 blocks and are not aware of any more recent blocks being finalized, then they set a new voter set to be one determined by the 900th block since the last commit message on chain.

The protocol for selecting voters should require recent messages on chain signed by those voters so that this is likely to give a set of voters very few of whom are offline.

We should consider having to manually approve finality agreed upon by this new set to alleviate the security concerns above. But this still gives a way to canonically agree on a new set, in the event of WW3 or bad initialization of a new chain.

If we do not want to put commit messages on chain, then we can alternatively do the following. Every block producer puts the highest block number that they see as finalized in their block.

Then any participant sees that if there is an $n$ such that
\begin{itemize}
\item[(i)] their best chain is at least length $n+100$
\item[(ii)] the indicators the last finalized block height of blocks $n-100$ to $n$ in their best chain have median at most $n-1050$ and
\item[(iii]) $n$ is the minimum that satisifies (i) and (ii)
\end{itemize}
then they switch to the best voter set given by block $n$. If the same block at height $n$ is on everyone's best chain, which can be shown to occur with high probability given (i) for many block production mechanisms, then everyone will eventually agree that we should switch to the voter set given by that block. If any $100$ consecutive blocks of the best chain are produced by honest and synchronised block producers then this will only happen if GRANDPA fails to finalize any block in the time it took to produce $1000$ blocks.

\subsection{Alternatives to the last block hash}

The danger with voting for the last blockhash in the best chain is that maybe no one else will have seen and processed the next block. It would also be nice to make the most of BLS multisig/aggregation, which allows a single signature for many messages/signers than can be checked in time proportional to the number of different messages signed.

To get round the first alone, it might be better to vote for a block 3/4 along (rounding further) the unfinalized chain , rather than for th head.

But the second suggests that maybe we should be including signatures for several of the latest blocks in a chain. We could include that last 2 or 3. We could also do e.g. the the blocks with block numbers with the last 2 multiples of each power of two since the last finalized block, which gives log unfinalized chain length messages but should have many blocks in common.

When presented with a vote that includes many blocks, we should interpret them as being for the last block we've seen if any. Then we need to be able to update that vote to a later block when that is seen. This retains monotonicity of a supermajority for/ it is impossible to have a supermajority for over time.

It does not matter if some of the votes are for a block that does not exist as everyone will ignore that part of the vote. But including votes for block that are seen but are not on a chain is an equivocation and is slashable. We need to count such votes as votes for the had of every chain in the vote (as someone might interpret them as for any one of them).

Then if we need to BLS aggregate votes that are $\geq B$ for a commit message or query response, it is OK to use any vote that is $\geq B$, not necessarily the vote for the head. This should reduce the number of blockhashs sign, in the optimistic case down to 1.

\subsection{  Block production rule}

If we adopt that rule that block producers should build on the best chain including the last finalized block, then if we do not finalize another block this will eventually include some prefix  beyond the last finalized block, and therefore the protocol is live by Lemma \ref{lem:honest-recent-validity}.

But the issue is that if agreement is much slower than block production, then we might have a prevote for a short chain on the last finalized block, then the best chain does not include that block and we build a long chain that is eventually never finalized. This could be fixed by building on $E_{r-1}$ or $E_r$. But if we do that, and these change very quickly, then we may never come to agreement on the best chain.

So we have two possible chain selection rules for block producers:

\begin{enumerate}
\item Build on the best chain including the last finalize block B.
\item Build on best chain including whichever of $\{E_r,E_{r-1},B\}$ is latest and $\geq B$.
\end{enumerate}

1 is better if finalization is happening quickly compared to block production and 2 is best if block production is much faster. We could also consider hybrid rules like adopt 1 unless we see that the protocol is stuck or slow, then we switch to 2.}
\com{
\section{The asynchronous finality gadget problem}

Here we give an extension of the \cite{flp} result that shows the impossibility of having an asynchronous and deterministic finality gadget protocol and give an asynchronous protocol that uses a common coin primitive.

\subsection{1/5 BFT finality gadget using a common coin}

In this section, we will assume the asynchronous  network model. By the previous impossibility result, we will need to use randomness to get a finality gadget in this model. We assume that we have access to a common coin protocol.

For every vote, We have $n$ voters , at most $f$ of which are Byzantine and $n = 5f+1$.  For a voter $v$, Let $V_{r,v}$, $C_{r,v}$ be the set of prevotes and precommits from round $r$ that $v$ has seen.

\begin{enumerate}
\item Everyone prevotes for the best chain including the block they were locked to last round.
\item Wait until $V_{v,r}$ contains prevotes from $n-f$ voters.
\item Precommit $g_{3/5}(V_{r,v})$
\item Call a precommit for $B$ justified if $B \leq g_{3/5}(V_{r,v})$ and if $B < g_{3/5}(V_{r,v})$ then the child $B'$ of $B$ on the chain of $g_{3/5}(V_{r,v})$ has that there are votes from $f+1$ voters in $V_{r,v}$ that are not $\geq B'$.
Wait until $C_{r,v}$ has justified precommits from $n-f$ voters.
\item Call the common coin, $s_r$
\item If $s_r=1$, finalize $g_{4/5}(C_r)$
\item lock to $g_{(4-3s_r)/5}(C_r)$ for next round.
\end{enumerate}

The common coin is a (secure cryptographic implementation of) the following protocol. It does not return a coin until more than $4f+1$ voters (for the prevote vote in the next round in case of ambiguity) call it. It returns at the latest shortly after all honest voters call it.
 When it does, it returns an $s_r$ sampled uniformly from $\{0,1\}$, identical for all who called it, and before $4f+1$ called it, no-one has any information about the result.

Here $g_{t}(S)$ is the $t$-GHOST function defined as follows. We construct a chain starting with the genesis block and adding the child of the current block such that most voters have votes $\geq$ it until there are $nt$ or less votes for any child of the current block, when we return the current block.

The idea behind the proof of asynchronous liveness is that for a particular block $B'$, some value of the common coin, either all the honest voters who received $4/5$ of precommits before the common coin was decided lock to $B'$ or none do.
If we had a fixed threshold for locking, an adversarial choice of the number of precommits for $B'$ or its descendants could lead to some voters locking to it and some not (and indeed there would be runs that do this indefinitely as this is how the impossibility result works for this type of algorithm.)

Firstly we note that much of the machinery of section $\ref{sec:prelims}$ carries over to the $1/5$ byzantine case.

\begin{lemma} \label{lem:ghost-monotonicity-general}
Let $T$ be a set of votes such that at most $f$ voters have multiple votes in $T$. Let $t \geq (n+f)/2n$ Then
\begin{enumerate}
\item The above definition uniquely defines $g_t(T)$.
\item If $S \subseteq T$ has $g_t(S) \neq$ nil, then $g_t(S) \leq g_t(T)$ for $t \geq (n+f)/2n$.
\item If $S_i \subseteq T$ for $1 \leq i \leq n$ then all non-nil $g_t(S_i)$ are on a single chain with head $g(T)$.
\item If $r \leq s$, then $g_r(T) \geq g_s(T)$.
\end{enumerate}
\end{lemma}
So with $n=5f+1$, $g_{3/5}$ is sufficient for uniqueness.

First we need to show that the protocol is deadlock free.
As long as all honest voters prevote and precommit, any participant eventually sees prevotes and precomits from $n-f$ voters. We just need to show that honest prevotes are eventually seen as justified.
\begin{lemma} Suppose that an honest voter $v$ precommits $B$ in round $r$. If $V'_{r,v}$ is the set of prevotes they saw at the time they precommited and another participant $v'$ sees all these prevotes i.e. $V_{r,v'} \supseteq V'_{r,v}$, then $v'$ sees $v$'s precommit for $B$ as justified. \end{lemma}
\begin{proof} $v$ precommits $B = g_{3/5}(V'_{r,v})$. Since $V_{r,v'} \supseteq V'_{r,v}$, $B \leq g_{3/5}(V_{r,v'})$ by Lemma \ref{lem:ghost-monotonicity-general} 2.
So we just need to show that if  $B < g_{3/5}(V_{r,v'})$, $V_{r,v'}$ contains votes from $f+1$ voters that are not $\geq B'$ where $B'$ is the child of $B$ in the chain of $g_{3/5}(V_{r,v'})$.
Since $B = g_{3/5}(V'_{r,v})$, from the definition of $g$, $B'$, like any child of $B$, does not have votes from $3f+1$ voters $\geq B'$ in $V'_{r,v}$.
Since $V'_{r,v}$ contains votes from $4f+1$ voters, there are votes from at least $f+1$ voters that are $\not \geq B'$ in $V'_{r,v}$ and so also in $V_{r,v'}$.
\end{proof}

Our network assumption and a simple induction shows that we do not deadlock.
\begin{corollary} All honest voters eventually prevote and precommit in every round and all honest participants reach every round.\end{corollary}

\begin{lemma} \label{lem:possibly-final-implies-permanent-lock}
If there are enough precommits to finalize a block $B$ in round $r$, then all honest voters who prevote in future rounds will be locked to $B$ or its descendants when they do. At the end of the next round $r' > r$ with $s_{r'}=1$, all participants will have finalized $B$.
\end{lemma}
\begin{proof}
For $B$ to be finalized in round $r$, there need to be votes from more than $n-f$ voters that are $\geq B$ and $s_r=1$. Any honest participant $v$ also sees that $s_r=1$ and so they lock $g_{1/5}(C_{r,v})$. $C_{r,v}$ contains votes from at least $4f+1$ voters. At most $f$  voters can have votes  $\not\geq B$ in $C_{r,v}$ if they also voted $\geq B$ and at most $f$ voters do not have votes in $C_{r,v}$.
 Thus at least $2f+1$ voters have votes $\geq B$ in $C_{r,v}$. Because $g_{1/5}$ is not unique in general, to show that $g_{1/5}(C_{r,v}) \geq B$, we also need to show that no block $B' \nsim B$ has $f+1$ voters have votes $\geq B'$ in $C_{r,v}$. If this holds then the procedure to calculate $g_{1/5}$ will not follow chain that does not include $B$ and so it will return a block $\geq B$.
 Letting $V_r$ be the set of prevotes ever cast, note that any honest voter $v'$ prevotes for a block $g_{3/5}(V_{r,v'}) \leq g_{3/5}{V_r}$ and so as before honest voters precommit to blocks in one chain.
 Since many honest voters precommit $\geq B$, all precommit $\sim B$, and so if $f+1$ voters have votes $\geq B'$ in $B$ then since at least one of those are honest $B' \sim B$. Thus we have $g_{1/5}(C_{r,v}) \geq B$.

Since all honest voters prevote $\geq B$ in round $r+1$, any participant who waits for votes from $4f+1$ voters will see $g_{3/5}(V_{r+1}) \geq B$ and so all honest voters precommit $\geq B$ in round $r+1$. Since only at most $f$ voters vote $\not \geq B$, only precommits $\geq B$ are ever seen as justified by honest participants. Therefore all honest participants will see $g_{345}(C_{r+1}) \geq
B$.
If $s_r=1$, this is enough to finalize $B$.Since $g_{1/5}(C_{r+1}) \geq g_{4/5}(C_{r+1}) \geq
B$, whatever the common coin, all honest participants lock $\geq B$. By induction, this holds for all future rounds.

\end{proof}

We want to show that this is asynchronously live:

\begin{proposition} Suppose that block $B$ is finalized before round $r$. With probability at least $1/2$ over the common coin in round $r$, if all voters agree that the best chain including the last finalized block $B$ includes a decedent $B''$, at the prevote step of rounds $r+1$ and $r+2$, then a descendant of $B$ is finalized the next time $s_r=1$ after round $r+2$ or earlier.
\end{proposition}

\begin{proof} By the Lemma \ref{lem:possibly-final-implies-permanent-lock}, all honest voters prevote in round $r$ for $B$ or its descendants and so all honest voters precommit to $B$ or its descendants.

Let $V_r$ be the set of prevotes of all voters.  Using Lemma \ref{lem:ghost-monotonicity-general}, all honest voters precommit $g_{3/5}(V_r)$ or its ancestors. Since some must precommit $\geq B$ for it to be finalized,  $g_{3/5}(V_r) \geq B$.

For the case $g_{3/5}(V_r)=B$, all honest voters precommit $B$ and so any honest participant sees that
$B = g_{1/5}(C_r) = g_{4/5}(C_r)$. Thus all honest participants
lock $B$ and so are free to prevote for $B''$ or its descendants in round $r+1$. Thus we finalize $B''$ in round $r+1$ or the next round when $s_r=1$ after that.

Otherwise, let $B'$ be the child of $B$ in the chain of $g_{3/5}(V_r)$. We seek to show that we finalize either $B'$ or $B''$.

Let $S$ be the set of honest voters who precommit in round $r$ before $4f+1$ voters call the common coin. Let $S'$ be the set of honest voters who call the common coin before it is decided. % Note that $S' \subset S$.
Since $4f+1$  voters call the coin before it decided and honest voters who do so saw precommits from $4f+1$ voters, $S'$ and $S$ each contain at least $3f+1$ voters.

Let $h$ be the number of voters in $S$ that precommit $B'$ or its descendants. Note that the other $|S|-h$ voters just precommit $B$.

Now consider a particular voter $v$ and the set $C_{r,v}$ of precommits they received in step 4. the number of voters with precommits in  $C_{r,v}$ is at least $4f+1$.
If $v \in S'$,
All the honest voters
with precommits in $C_{r,v}$ are in $S$. In this case we have that the number of votes for $B'$ or its descendants in $C_{r,v}$, $m_v$ has $h-f \leq m_v < h+f$. For $v \notin S'$, since $f$ honest validators can be outside $S$, we have $h-2f \leq m_v \leq h+2f$

Since any descendant of $B$ that is not $B'$ or its descendants receives less than $f$ precommits for it or its descendants, we have that either $g_{1/5}(C_{r,v})=B$ or $g_{1/5}(C_{r,v})\geq B'$ and similarly for $g_{4/5}(C_{r,v})$. Now note that if $h \geq 3f+1$, $m_v \geq f+1$ and so $g_{1/5}(C_{r,v}) \geq B'$. On the other hand if $h < 3f+1$, for $v \in S'$, $m_v < 4f+1$ and so $g_{4/5}(C_{r,v})=B$.

If $h \geq 3f+1$ and $s_r=1$, then every honest voter locks a block $\geq B'$. Thus is round $r+1$, they all prevote $\geq B'$.
 By similar reasoning to Lemma \ref{lem:possibly-final-implies-permanent-lock}, we finalize $B'$, the next round $r' > r$ that we have $s_{r'}=1$.

If $h < 3f+1$ and $s_r=0$, then every $v \in S'$ locks only $B$. But then all such $v$ will prevote their best chain containing $B$ and so a block $\geq B''$. There are only at most $2f$ voters who might not do this, the Byzantine voters and the honest voters outside of $|S|$ who prevote $\geq B$. Thus any honest voter who has seen prevotes from $n-f$ voters either sees $g_{3/5}(V_{r+1,v})=B$ or $g_{3/5}(V_{r+1,v}) \geq B'$. Since all honest precommits are either $B$ or $\geq B''$, every honest voter locks either $B$ or $\geq B''$. Since in round $r+2$, all honest voters see that the best chain including $B$ also includes $B''$, this time they all prevote $\geq B''$.  By similar reasoning to Lemma \ref{lem:possibly-final-implies-permanent-lock}, we finalize $B''$, by the next round $r' > r+1$ that we have $s_{r'}=1$.

Crucially note that $h$ depends only on $S$, which is determined when $4f+1$ voters call the common coin and before it is flipped. Thus $s_r$ is independent of $h$. If $h < 3f+1$ then $s_r=0$ with probability $1/2$ and if $h \geq 3f+1$ then $s_r=1$ with probability $1/2$. So with probability $1/2$, we have either both $h < 3f+1$ and $s_r=0$ or both $h \geq 3f+1$ and $s_r=1$. Thus with probability at least $1/2$, we finalize $B'$ or $B''$ before the next round after $r+1$ when $s_r=1$.
\end{proof}
}

\bibliography{net,os,sec,soc,theory}

\end{document}