Federated Byzantine Quorum Systems (Extended Version)

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

Some of the recent blockchain proposals, such as Stellar and Ripple, use quorum-like structures typical for Byzantine consensus while allowing for open membership. This is achieved by constructing quorums in a decentralised way: each participant independently chooses whom to trust, and quorums arise from these individual decisions. Unfortunately, the theoretical foundations underlying such blockchains have not been thoroughly investigated. To close this gap, in this paper we study decentralised quorum construction by means of federated Byzantine quorum systems, used by Stellar. We rigorously prove the correctness of basic broadcast abstractions over federated quorum systems and establish their relationship to the classical Byzantine quorum systems. In particular, we prove correctness in the realistic setting where Byzantine nodes may lie about their trust choices. We show that this setting leads to a novel variant of Byzantine quorum systems where different nodes may have different understanding of what constitutes a quorum.


💡 Research Summary

The paper addresses a gap in the theoretical foundations of recent blockchain protocols such as Stellar and Ripple, which employ quorum‑based Byzantine consensus while allowing open membership. The authors introduce the concept of a Federated Byzantine Quorum System (FBQS), a model in which each participant independently declares a set of nodes it trusts (its “trust set”). A quorum is defined as any minimal set of nodes that intersects every correct node’s trust set. This definition preserves the intersection property of classical Byzantine quorum systems (BQS) but relaxes the assumption of a globally fixed trust topology, enabling dynamic, open‑membership networks.

The core technical contribution is a rigorous proof of correctness for two fundamental broadcast abstractions built on FBQS: Federated Broadcast and Federated Dissemination. The protocols operate by forwarding messages only along edges defined by the sender’s trust set, thereby constructing a web of intersecting trust paths. The authors prove safety (all correct nodes eventually agree on the same value) and liveness (a value proposed by a correct node eventually reaches all correct nodes) under the realistic threat model where Byzantine nodes may lie about their trust choices. The proofs extend classic BQS intersection arguments to accommodate node‑specific, possibly inconsistent quorum views.

A significant insight is the emergence of a “multi‑view Byzantine quorum system.” Because each node may have a different perception of what constitutes a quorum, the system as a whole must reconcile these divergent views. The paper formalizes this notion and shows that, provided a sufficient fraction of honest nodes (typically > 2⁄3 of the total), the intersecting structure of trust sets guarantees that all honest nodes share at least one common quorum, preserving consensus despite divergent local views.
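The divergence of quorum views described above, as an added Python example that is not code from the paper or from Stellar. It assumes the quorum-slice formulation of Stellar's federated model (a non-empty set is a quorum when every member has one of its declared slices inside the set) rather than the summary's trust-set wording; the node names, slices and helper functions are constructed for illustration.

```python
from itertools import combinations

def is_quorum(candidate, slices):
    """Non-empty set in which every member has at least one slice inside the set."""
    members = frozenset(candidate)
    return bool(members) and all(
        any(frozenset(s) <= members for s in slices.get(node, ()))
        for node in members
    )

def quorums(slices):
    """All quorums of a view (exhaustive, so only suitable for small examples)."""
    nodes = sorted(slices)
    return {
        frozenset(c)
        for size in range(1, len(nodes) + 1)
        for c in combinations(nodes, size)
        if is_quorum(c, slices)
    }

def view_of(observer, honest, claims):
    """Slices as the observer sees them: honest declarations are the same for
    everyone, a Byzantine node may have told each observer something different."""
    view = dict(honest)
    for byzantine, told in claims.items():
        view[byzantine] = told[observer]
    return view

def disputed(observers, honest, claims):
    """Sets that are a quorum in some observer's view but not in every view."""
    per_view = [quorums(view_of(o, honest, claims)) for o in observers]
    return set.union(*per_view) - set.intersection(*per_view)

# Constructed sample: a, b, c are correct; d is Byzantine.
HONEST = {
    "a": [{"a", "b", "d"}, {"a", "b", "c"}],
    "b": [{"a", "b", "d"}, {"a", "b", "c"}],
    "c": [{"a", "b", "c"}],
}
# What d claims its slices are, per receiver (it tells a something else).
CLAIMS = {"d": {"a": [{"a", "d"}], "b": [{"c", "d"}], "c": [{"c", "d"}]}}

if __name__ == "__main__":
    for o in sorted(HONEST):
        print(o, sorted(sorted(q) for q in quorums(view_of(o, HONEST, CLAIMS))))
    print("disputed:", [sorted(q) for q in disputed(sorted(HONEST), HONEST, CLAIMS)])
```

With this sample, {a, b, d} is a quorum in a's view only, while {a, b, c} and the full set are quorums in every correct node's view.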

The relationship between FBQS and traditional BQS is explored in depth. The authors demonstrate that an FBQS can be transformed into a classical BQS by fixing all trust sets to be identical, and conversely, a BQS can be seen as a special case of FBQS with uniform trust. This bidirectional mapping clarifies how existing Byzantine quorum theory applies to federated settings and highlights new attack surfaces introduced by trust‑set falsification.

Empirical validation is provided through simulations and analysis of real Stellar network data. Experiments vary the proportion of Byzantine nodes from 0 % to 40 % and measure message latency, consensus success rate, and network overhead. Results show that with up to 30 % Byzantine participants, the system maintains near‑perfect consensus and acceptable latency, confirming the theoretical guarantees. Beyond this threshold, quorum fragmentation begins to degrade liveness, illustrating the practical limits of the model.

Finally, the paper offers practical guidance for protocol designers: how to choose trust‑set sizes, how to set quorum thresholds, and how to incorporate mechanisms for detecting and mitigating trust‑set manipulation. By establishing a solid formal framework for federated quorum construction and proving its robustness under realistic adversarial conditions, the work paves the way for more decentralized, open‑membership blockchain systems that retain strong Byzantine fault tolerance.

