Asymmetric Distributed Trust

Quorum systems are a key abstraction in distributed fault-tolerant computing for capturing trust assumptions. They can be found at the core of many algorithms for implementing reliable broadcasts, shared memory, consensus and other problems. This paper introduces asymmetric Byzantine quorum systems that model subjective trust. Every process is free to choose which combinations of other processes it trusts and which ones it considers faulty. Asymmetric quorum systems strictly generalize standard Byzantine quorum systems, which have only one global trust assumption for all processes. This work also presents protocols that implement abstractions of shared memory and broadcast primitives with processes prone to Byzantine faults and asymmetric trust. The model and protocols pave the way for realizing more elaborate algorithms with asymmetric trust.


Introduction
Byzantine quorum systems [21] are a fundamental primitive for building resilient distributed systems from untrusted components. Given a set of nodes, a quorum system captures a trust assumption on the nodes in terms of potentially malicious protocol participants and colluding groups of nodes. Based on quorum systems, many well-known algorithms for reliable broadcast, shared memory, consensus and more have been implemented; these are the main abstractions to synchronize the correct nodes with each other and to achieve consistency despite the actions of the faulty, so-called Byzantine nodes. Traditionally, trust in a Byzantine quorum system for a set of processes P has been symmetric. In other words, a global assumption specifies which processes may fail, such as the simple and prominent threshold quorum assumption, in which any subset of P of a given maximum size may collude and act against the protocol. The most basic threshold Byzantine quorum system, for example, allows all subsets of up to f < n/3 processes to fail. Some classic works also model arbitrary, non-threshold symmetric quorum systems [21,15], but these have not actually been used in practice.

7:2 Asymmetric Distributed Trust
However, trust is inherently subjective. De gustibus non est disputandum. 1 Estimating which processes will function correctly and which ones will misbehave may depend on personal taste. A myriad of local choices influences one process' trust in others, especially because there are so many forms of "malicious" behavior. Some processes might not even be aware of all others, yet a process should not depend on unknown third parties in a distributed collaboration. How can one model asymmetric trust in distributed protocols? Can traditional Byzantine quorum systems be extended to subjective failure assumptions? How do the standard protocols generalize to this model?
In this paper, we answer these questions and introduce models and protocols for asymmetric distributed trust. We formalize asymmetric quorum systems for asynchronous protocols, in which every process can make its own assumptions about Byzantine faults of others. We introduce several protocols with asymmetric trust that strictly generalize the existing algorithms, which require common trust.
Our formalization takes up earlier work by Damgård et al. [10] and starts out with the notion of a fail-prone system that forms the basis of a symmetric Byzantine quorum system. A global fail-prone system for a process set P contains all maximal subsets of P that might jointly fail during an execution. In an asymmetric quorum system, every process specifies its own fail-prone system and a corresponding set of local quorums. These local quorum systems satisfy a consistency condition that ranges across all processes and a local availability condition, and generalize symmetric Byzantine quorum system according to Malkhi and Reiter [21].
Interest in consensus protocols based on Byzantine quorum systems has surged recently because of their application to permissioned blockchain networks [6,1]. Typically run by a consortium, such distributed ledgers often use Byzantine-fault tolerant (BFT) protocols like PBFT [7] for consensus that rely on symmetric threshold quorum systems. The Bitcoin blockchain and many other cryptocurrencies, which triggered this development, started from different assumptions and use so-called permissionless protocols, in which everyone may participate. Those algorithms capture the relative influence of the participants on consensus decisions by an external factor, such as "proof-of-work" or "proof-of-stake." A middle ground between permissionless blockchains and BFT-based ones has been introduced by the blockchain networks of Ripple (https://ripple.com) and Stellar (https: //stellar.org). Their stated model for achieving network-level consensus uses subjective trust in the sense that each process declares a local list of processes that it "trusts" in the protocol.
Consensus in the Ripple blockchain (and for the XRP cryptocurrency on the XRP Ledger) is executed by its validator nodes. Each validator declares a Unique Node List (UNL), which are nodes that a given participant trusts. Questions have been raised about the kind of decentralization offered by the Ripple protocol. Stellar was created as an evolution of Ripple that shares much of the same design philosophy. The Stellar consensus protocol [22] powers the Stellar Lumen (XLM) cryptocurrency and introduces federated Byzantine quorum systems (FBQS); these bear superficial resemblance with our asymmetric quorum systems but differ technically. However, standard Byzantine quorum systems and FBQS are not comparable because (1) an FBQS when instantiated with the same trust assumption for all processes does not reduce to a symmetric quorum system and (2) existing protocols do not generalize to FBQS.
Understanding how such ideas of subjective trust, as manifested in the Ripple and Stellar blockchains, relate to traditional quorum systems is the main motivation for this work. Our protocols for asymmetric trust generalize the well-known, classic algorithms in the literature and therefore look superficially similar. This should be seen as a feature, actually, because simplicity and modularity are important guiding principles in science.
Our contributions are as follows: We introduce asymmetric Byzantine quorum systems formally in Section 4 as an extension of standard Byzantine quorum systems and discuss some of their properties.
In Section 5, we show two implementations of a shared register, with single-writer, multi-reader regular semantics, using asymmetric Byzantine quorum systems. We examine broadcast primitives in the Byzantine model with asymmetric trust in Section 6. In particular, we define and implement Byzantine consistent and reliable broadcast protocols. The latter primitive is related to a "federated voting" protocol used by Stellar consensus [22]. The long version of the paper contains more details and all proofs [5].

Related work
Damgård et al. [10] introduce some basics of asymmetric trust in the context of synchronous protocols for secure distributed computation by modeling process-specific fail-prone systems. They state the consistency property of asymmetric Byzantine quorums but do not prove that the B 3 property is required. The Ripple consensus protocol is run by an open set of validator nodes. The protocol uses votes, similar to standard consensus protocols, whereby each validator only communicates with the validators in its UNL. Each validator chooses its own UNL, which makes it possible for anyone to participate, in principle, similar to proof-of-work blockchains. Early investigations suggested that the intersection of the UNLs of every two validators should be at least 20% of each list [25], assuming that also less than one fifth of the validators in the UNL of every node might be faulty. An independent analysis by Armknecht et al. [2] later argued that this bound must be more than 40%. A recent technical report of Chase and MacBrough [9,Thm. 8] concludes, under the same assumption of f < n/5 faulty nodes in every UNL of size n, that the UNL overlap should actually be at least 90%.
The Stellar consensus protocol (SCP) also features open membership and lets every node express its own set of trusted nodes [22]. Generalizing from Ripple's flat lists of unique nodes, every node declares a collection of trusted sets called quorum slices, whereby a slice is "the subset of a quorum convincing one particular node of agreement." A quorum in Stellar is a set of nodes "sufficient to reach agreement," defined as a set of nodes that contains one slice for each member node. The quorum choices of all nodes together yield a federated Byzantine quorum systems (FBQS). The Stellar white paper states properties of FBQS and protocols that build on them. A recent paper of García-Pérez and Gotsman [12] elaborates on FBQS. Recent papers further describe Stellar's FBQS [18] and a closely related notion called personal Byzantine quorum systems [19].
However, these concepts and protocols do not map to known primitives in distributed computing. The FBQS notion is at odds with the usual notion of a Byzantine quorum system in the sense that it does not reduce to a symmetric quorum system for symmetric trust choices.
In contrast to Ripple's and Stellar's attempts to formalize subjective trust, our asymmetric quorum formulation extends the well-established quorum systems that underlie classic O P O D I S 2 0 1 9 7:4

Asymmetric Distributed Trust
Byzantine consensus. We also introduce several protocols with asymmetric trust that strictly generalize existing standard algorithms, which have so far required common trust and knowledge of all nodes.

System model
We consider a system of n processes P = {p 1 , . . . , p n } that communicate with each other. The processes interact asynchronously with each other through exchanging messages. The system itself is asynchronous, i.e., the delivery of messages among processes may be delayed arbitrarily and the processes have no synchronized clocks. Every process is identified by a name, but such identifiers are not made explicit. We use standard notions of protocols, events, functionalities, and fair executions from the literature [20,4]. All processes are linked by reliable and authenticated point-to-point FIFO channels [14,4]. A process that follows its protocol during an execution is called correct. On the other hand, a faulty process may crash or even deviate arbitrarily from its specification, e.g., when corrupted by an adversary; such processes are also called Byzantine. We consider only Byzantine faults here and assume for simplicity that the faulty processes fail right at the start of an execution.
Some protocols use digital signatures, for which we adopt an idealized implementation with two operations, sign i and verify i . It follows the standard semantics; details appear in the long version [5].

4
Asymmetric Byzantine quorum systems

Symmetric trust
Quorum systems are well-known in settings with symmetric trust. As demonstrated by many applications to distributed systems, ordinary quorum systems [23] and Byzantine quorum systems [21] play a crucial role in formulating resilient protocols that tolerate faults through replication [8]. A quorum system typically ensures a consistency property among the processes in an execution, despite the presence of some faulty processes. For the model with Byzantine faults, Byzantine quorum systems have been introduced by Malkhi and Reiter [21]. This notion is defined with respect to a fail-prone system F ⊆ 2 P , a collection of subsets of P, none of which is contained in another, such that some F ∈ F with F ⊆ P is called a fail-prone set and contains all processes that may at most fail together in some execution [21]. A fail-prone system is the same as the basis of an adversary structure, which was introduced independently by Hirt and Maurer [15].
A fail-prone system captures an assumption on the possible failure patterns that may occur. It specifies all maximal sets of faulty processes that a protocol should tolerate in an execution; this means that a protocol designed for F achieves its properties as long as the set F of actually faulty processes satisfies F ∈ F * . Here and from now on, the notation A * for a system A ⊆ 2 P , denotes the collection of all subsets of the sets in A, that is, Definition 1 (Byzantine quorum system [21]). A Byzantine quorum system for F is a collection of sets of processes Q ⊆ 2 P , where each Q ∈ Q is called a quorum, such that the following properties hold: Consistency: The intersection of any two quorums contains at least one process that is not faulty, i.e.,

7:5
Availability: For any set of processes that may fail together, there exists a disjoint quorum in Q, i.e., The above notion is also known as a Byzantine dissemination quorum system [21] and allows a protocol to be designed despite arbitrary behavior of the potentially faulty processes. The notion generalizes the usual threshold failure assumption for Byzantine faults [24], which considers that any set of f processes are equally likely to fail. We say that a set system T dominates another set system S if for each S ∈ S there is some T ∈ T such that S ⊆ T [11]. In this sense, a quorum system for F is minimal whenever it does not dominate any other quorum system for F.
Similarly to the threshold case, where n > 3f processes overall are needed to tolerate f faulty ones in many Byzantine protocols, Byzantine quorum systems can only exist if not "too many" processes fail.
In other words, Q 3 (F) means that no three fail-prone sets together cover the whole system of processes. A Q k -condition can be defined like this for any k ≥ 2 [15].
The following lemma considers the bijective complement of a process set S ⊆ 2 P , which is defined as S = {P \ S|S ∈ S}, and turns F into a Byzantine quorum system.

Lemma 3 ([21, Theorem 5.4]). Given a fail-prone system F, a Byzantine quorum system for F exists if and only if Q 3 (F).
In particular, if Q 3 (F) holds, then F, the bijective complement of F, is a Byzantine quorum system.
The quorum system Q = F is called the canonical quorum system of F. According to the duality between Q and F, properties of F are often ascribed to Q as well; for instance, we say Q 3 (Q) holds if and only if Q 3 (F). However, note that the canonical quorum system is not always minimal. For instance, if F consists of all sets of f n/3 processes, then each quorum in the canonical quorum system has n − f members, but also the family of all subsets of P with n+f +1 2 < n − f processes forms a quorum system.

Core sets.
A core set C for F is a minimal set of processes that contains at least one correct process in every execution. More precisely, C ⊆ P is a core set whenever (1) for all F ∈ F, it holds P \ F ∩ C = ∅ (and, equivalently, C ⊆ F ) and (2) for all C C, there exists F ∈ F such that P \ F ∩ C = ∅ (and, equivalently, C ⊆ F ). With the threshold failure assumption, every set of f + 1 processes is a core set. A core set system C is the minimal collection of all core sets, in the sense that no set in C is contained in another. Core sets can be complemented by survivor sets, as shown by Junqueira et al. [16]. This yields a dual characterization of resilient distributed protocols, which parallels ours using fail-prone sets and quorums.

Asymmetric trust
In our model with asymmetric trust, every process is free to make its own trust assumption and to express this with a fail-prone system. Hence, an asymmetric fail-prone system consists of an array of fail-prone systems, where F i denotes the trust assumption of p i . One often assumes p i ∈ F i for practical reasons, but this is not necessary. This notion has earlier been formalized by Damgård et al. [10].
The set Q i ⊆ 2 P is called the quorum system of p i and any set Q i ∈ Q i is called a quorum (set) for p i . It satisfies: Consistency: The intersection of two quorums for any two processes contains at least one process for which either process assumes that it is not faulty, i.e., Availability: For any process p i and any set of processes that may fail together according to The existence of asymmetric quorum systems can be characterized with a property that generalizes the Q 3 -condition for the underlying asymmetric fail-prone systems as follows.
The following result is the generalization of Lemma 3 for asymmetric quorum systems; it was stated by Damgård et al. [10] without proof. As for symmetric quorum systems, we use this result and say that B 3 (Q) holds whenever the asymmetric Q consists of the canonical quorum systems for F and B 3 (F) holds. A proof of the following result appears in the long version [5]. Theorem 6. An asymmetric fail-prone system F satisfies B 3 (F) if and only if there exists an asymmetric quorum system for F.

Kernels.
Given a symmetric Byzantine quorum system Q, we define a kernel K as a set of processes that overlaps with every quorum and that is minimal in this respect. Formally, K ⊆ P is a kernel of Q if and only if ∀Q ∈ Q : K ∩ Q = ∅ and ∀K K : ∃Q ∈ Q : K ∩ Q = ∅.
The kernel system K of Q is the set of all kernels of Q.
For example, under a threshold failure assumption where any f processes may fail and the quorums are all sets of n+f +1 2 processes, every set of n−f +1 2 processes is a kernel. The definition of a kernel is related to that of a core set in the following sense. For a given maximal fail-prone system F, consider its canonical quorum system Q = F; if Q is minimal, then the kernel system of Q is the same as the core-set system for F. Asymmetric core sets and kernels. Let F = [F 1 , . . . , F n ] be an asymmetric fail-prone system. An asymmetric core set system C is an array of collections of sets [C 1 , . . . , C n ] such that each C i is a core set system for the fail-prone system F i . We call a set C i ∈ C i a core set for p i .
Given an asymmetric quorum system Q for F, an asymmetric kernel system for Q is defined analogously as the array K = [K 1 , . . . , K n ] that consists of the kernel systems for all processes in P with respect to Q; a set K i ∈ K i is called a kernel for p i .
Naïve and wise processes. The faults or corruptions occurring in a protocol execution with an underlying quorum system imply a set F of actually faulty processes. However, no process knows F and this information is only available to an observer outside the system. With a traditional quorum system Q designed for a fail-prone set F, the guarantees of a protocol usually hold as long as F ∈ F. Recall that such protocol properties apply to correct processes only but not to faulty ones.
With asymmetric quorums, we further distinguish between two kinds of correct processes, depending on whether they considered F in their trust assumption or not. Given a protocol execution, the processes are therefore partitioned into three types: Faulty: A process p i ∈ F is faulty. Naïve: A correct process p i for which F ∈ F i * is called naïve.
Wise: A correct process p i for which F ∈ F i * is called wise.
The naïve processes are new for the asymmetric case, as all processes are wise under a symmetric trust assumption. Protocols for asymmetric quorums cannot guarantee the same properties for naïve processes as for wise ones, since the naïve processes may have the "wrong friends." Guilds. If too many processes are naïve or even fail during a protocol run with asymmetric quorums, then protocol properties cannot be ensured. A guild is a set of wise processes that contains at least one quorum for each member; by definition this quorum consists only of wise processes. A guild ensures liveness and consistency for typical protocols. This generalizes from protocols for symmetric quorum systems, where the correct processes in every execution form a quorum by definition. (A guild represents a group of influential and well-connected wise processes, like in the real world.) Definition 7 (Guild). Given a fail-prone system F, an asymmetric quorum system Q for F, and a protocol execution with faulty processes F , a guild G for F satisfies two properties: Wisdom: G is a set of wise processes: Closure: G contains a quorum for each of its members: Superficially a guild seems similar to a "quorum" in the Stellar consensus protocol [22], but the two notions actually differ because a guild contains only wise processes and Stellar's quorums do not distinguish between naïve and wise processes.
Observe that for a specific execution, the union of two guilds is again a guild, since the union consists only of wise processes and contains again a quorum for each member. Hence, every execution with a guild contains a unique maximal guild G max .
Example. We define an example asymmetric fail-prone system F A on P = {p 1 , p 2 , p 3 , p 4 , p 5 }. The notation Θ n k (S) for a set S with n elements denotes the "threshold" combination operator and enumerates all subsets of S of cardinality k. W.l.o.g. every process trusts itself. The diagram below shows fail-prone sets as shaded areas and the notation n k in front of a fail-prone set stands for k out of the n processes in the set.
The operator * for two sets satisfies A * B = {A ∪ B|A ∈ A, B ∈ B}. As one can verify in a straightforward way, B 3 (F A ) holds. Let Q A be the canonical asymmetric quorum system for F A . Note that since F A contains the fail-prone systems of p 3 and p 5 that permit two faulty processes each, this fail-prone system cannot be obtained as a special case of Θ 5 1 ({p 1 , p 2 , p 3 , p 4 , p 5 }). When F = {p 2 , p 4 }, for example, then processes p 3 and p 5 are wise and p 1 is naïve.

Shared memory
This section illustrates a first application of asymmetric quorum systems: how to emulate shared memory, represented by a register. Maintaining a shared register reliably in a distributed system subject to faults is perhaps the most fundamental task for which ordinary, symmetric quorum systems have been introduced, in the models with crashes [13] and with Byzantine faults [21]. We present definitions and one protocol for implementing a register with asymmetric quorums in this section. The long version [5] also presents a second protocol without digital signatures and explains why federated Byzantine quorum systems according to Stellar [22] fail to directly emulate shared memory. This protocol also illustrates the role of an asymmetric core set system that generalizes the notion of an (f + 1)-process subset in the threshold model.

Definitions
We use the standard notions for operations and their precedence to formalize a register as a shared object. More precisely, a register with domain X provides two operations: write(x), which is parameterized by a value x ∈ X and outputs a token ack when it completes; and read, which takes no parameter for invocation but outputs a value x ∈ X upon completion.
We consider a single-writer (or SW ) register, where only a designated process p w may invoke write, and permit multiple readers (or MR), that is, every process may execute a read operation. The register is initialized with a special value x 0 , which is written by an imaginary write operation that occurs before any process invokes operations. We consider regular semantics under concurrent access [17]; the extension to other forms of concurrent memory, including an atomic register, proceeds analogously.
It is customary in the literature to assume that the writer and reader processes are correct; with asymmetric quorums we assume explicitly that readers and writers are wise. We illustrate below why one cannot extend the guarantees of the register to naïve processes. Safety: Every read operation of a wise process that is not concurrent with a write returns the value written by the most recent, preceding write of a wise process; furthermore, a read operation of a wise process concurrent with a write of a wise process may also return the value that is written concurrently.

Protocol with authenticated data
In Algorithm 1, we describe a protocol for emulating a regular SWMR register with an asymmetric Byzantine quorum system, for a designated writer p w and a reader p r ∈ P.
The protocol uses data authentication implemented with digital signatures. This protocol is the same as the classic one of Malkhi and Reiter [21] that uses a Byzantine dissemination quorum system and where processes send messages to each other over point-to-point links.
The difference lies in the individual choices of quorums by the processes and that it ensures safety and liveness for wise processes.
In the register emulation, the writer p w obtains ack messages from all processes in a quorum Q w ∈ Q w ; likewise, the reader p r waits for a value message carrying a value/timestamp pair from every process in a quorum Q r ∈ Q r of the reader. The function highestval(S) takes a set of timestamp/value pairs S as input and outputs the value in the pair with the largest timestamp, i.e., v such that (ts, v) ∈ S and ∀(ts , v ) ∈ S : ts < ts ∨ (ts , v ) = (ts, v). Note that this v is unique in Algorithm 1 because p w is correct. The protocol uses digital signatures, modeled by operations sign i and verify i , as introduced earlier. Example. We show why the guarantees of this protocol with asymmetric quorums hold only for wise readers and writers. Consider Q A from the last section and an execution in which p 2 and p 4 are faulty, and therefore p 1 is naïve and p 3 and p 5 are wise. A quorum for p 1 consists of p 1 and three processes in {p 2 , . . . , p 5 }; moreover, every process set that contains p 3 , one of {p 1 , p 2 } and one of {p 4 , p 5 } is a quorum for p 3 .

Algorithm 1 Emulation of an asymmetric SWMR regular register (process pi).
We illustrate that if naïve p 1 writes, then a wise reader p 3 may violate safety. Suppose that all correct processes, especially p 3 , store timestamp/value/signature triples from an operation that has terminated and that wrote x. When p 1 invokes write(u), it obtains [ack] messages from all processes except p 3 . This is a quorum for p 1 . Then p 3 runs a read operation and receives the outdated values representing x from itself (p 3 is correct but has not been involved in writing u) and also from the faulty p 2 and p 4 . Hence, p 3 outputs x instead of u.
Analogously, with the same setup of every process initially storing a representation of x but with wise p 3 as writer, suppose p 3 executes write(u). It obtains [ack] messages from p 2 , p 3 , and p 4 and terminates. When p 1 subsequently invokes read and receives values representing x, from correct p 1 and p 5 and from faulty p 2 and p 4 , then p 1 outputs x instead of y and violates safety as a naïve reader.
Since the sample operations are not concurrent, the implication actually holds also for registers with only safe semantics.

Broadcast
This section shows how to implement two broadcast primitives tolerating Byzantine faults with asymmetric quorums. Recall from the standard literature [14,8,4] that reliable broadcasts offer basic forms of reliable message delivery and consistency, but they do not impose a total order on delivered messages (as this is equivalent to consensus). The Byzantine broadcast primitives described here, consistent broadcast and reliable broadcast, are prominent building blocks for many more advanced protocols. With both primitives, the sender process may broadcast a message m by invoking broadcast(m); the broadcast abstraction outputs m to the local application on the process through a deliver(m) event. Moreover, the notions of broadcast considered in this section are intended to deliver only one message per instance. Every instance has a distinct (implicit) label and a designated sender p s . With standard multiplexing techniques one can extend this to a protocol in which all processes may broadcast messages repeatedly [4].
Byzantine consistent broadcast. The simplest such primitive, which has been called (Byzantine) consistent broadcast [4], ensures only that those correct processes which deliver a message agree on the content of the message, but they may not agree on termination. In other words, the primitive does not enforce "reliability" such that a correct process outputs a message if and only if all other correct processes produce an output. The events in its interface are denoted by c-broadcast and c-deliver.
The change of the definition towards asymmetric quorums affects most of its guarantees, which hold only for wise processes but not for all correct ones. This is similar to the definition of a register in Section 5.   The following protocol is an extension of "authenticated echo broadcast" [4], which goes back to Srikanth and Toueg [26]. It is a building block found in many Byzantine fault-tolerant protocols with greater complexity. The adaptation for asymmetric quorums is straightforward: Every process considers its own quorums before c-delivering the message.

Theorem 12. Algorithm 2 implements asymmetric Byzantine consistent broadcast.
Example. We illustrate the broadcast protocols using a six-process asymmetric quorum system Q B , defined through its fail-prone system F B . In F B , as shown below, for p 1 , p 2 , and p 3 , each process always trusts itself, some other process of {p 1 , p 2 , p 3 } and one further process in {p 1 , . . . , p 5 }. Process p 4 and p 5 each assumes that at most one other process of {p 1 , . . . , p 5 } may fail (excluding itself). Moreover, none of the processes p 1 , . . . , p 5 ever trusts p 6 . For p 6 itself, the fail-prone set is {p 1 , p 3 }, i.e., it trusts p 2 , p 4 , and p 5 unconditionally. and p * 5 to denote that they are faulty). This means processes p 1 , p 2 , p 3 are wise and form a guild because {p 1 , p 2 , p 3 } is a quorum for all three; furthermore, p 6 is naïve. The protocol execution proceeds as follows. Byzantine reliable broadcast. In the symmetric setting, consistent broadcast has been extended to (Byzantine) reliable broadcast in a well-known way to address the disagreement about termination among the correct processes [4]. This primitive has the same interface as consistent broadcast, except that its events are called r-broadcast and r-deliver instead of c-broadcast and c-deliver, respectively.
A reliable broadcast protocol also has all properties of consistent broadcast, but satisfies the additional totality property stated next. Taken together, consistency and totality imply a notion of agreement, similar to what is also ensured by many crash-tolerant broadcast primitives. Analogously to the earlier primitives with asymmetric trust, our notion of an asymmetric reliable broadcast, defined next, ensures agreement on termination only for the wise processes, and moreover only for executions with a guild. Also the validity of Definition 11 is extended by the assumption of a guild. Intuitively, one needs a guild because the wise processes that make up the guild are self-sufficient, in the sense that the guild contains a quorum of wise processes for each of its members; without that, there may not be enough wise processes.
Definition 13 (Asymmetric Byzantine reliable broadcast). A protocol for asymmetric (Byzantine) reliable broadcast is a protocol for asymmetric Byzantine consistent broadcast with the revised validity condition and the additional totality condition stated next: Validity: In all executions with a guild, if a correct process p s c-broadcasts a message m, then all processes in the maximal guild eventually c-deliver m. Totality: In all executions with a guild, if a wise process r-delivers some message, then all processes in the maximal guild eventually r-deliver a message.
The protocol of Bracha [3] implements reliable broadcast subject to Byzantine faults with symmetric trust. It augments the authenticated echo broadcast from Algorithm 2 with a second all-to-all exchange, where each process is supposed to send ready with the payload message that will be r-delivered. When a process receives the same m in 2f + 1 ready messages, in the symmetric model with a threshold Byzantine quorum system, then it r-delivers m. Also, a process that receives [ready, m] from f + 1 distinct processes and that has not yet sent a ready chimes in and also sends [ready, m]. These two steps ensure totality.
For asymmetric quorums, the conditions of a process p i receiving f + 1 and 2f + 1 equal ready messages, respectively, generalize to receiving the same message from a kernel for p i and from a quorum for p i . Intuitively, the change in the first condition ensures that when a wise process p i receives the same [ready, m] message from a kernel for itself, then this kernel intersects with some quorum of wise processes. Therefore, at least one wise process has sent [ready, m] and p i can safely adopt m. Furthermore, the change in the second condition relies on the properties of asymmetric quorums to guarantee that whenever some wise process has r-delivered m, then enough correct processes have sent a [ready, m] message such that all wise processes eventually receive a kernel of [ready, m] messages and also send [ready, m].
Applying these changes to Bracha's protocol results in the asymmetric reliable broadcast protocol shown in Algorithm 3. Note that it strictly extends Algorithm 2 by the additional round of ready messages, in the same way as for symmetric trust. For instance, when instantiated with the symmetric threshold quorum system of n = 3f + 1 processes, of which f may fail, then every set of f + 1 processes is a kernel.
In Algorithm 3, there are two conditions that let a correct p i send [ready, m]: either receiving a quorum of [echo, m] messages for itself or obtaining a kernel for itself of [ready, m] messages. For the first case, we say p i sends ready after echo; for the second case, we say p i sends ready after ready.

Lemma 14.
In any execution with a guild, there exists a unique m such that whenever a wise process sends a ready message, it contains m.
This lemma follows from the fact that Algorithm 3 extends Algorithm 2 for consistent broadcast, combined with the consistency property in Definition 11. This shows why the lemma holds for ready messages sent by wise processes after echo. For ready messages sent after ready, a new argument is needed, which relies on the properties of kernels and appears in the long version [5].

Theorem 15. Algorithm 3 implements asymmetric Byzantine reliable broadcast.
Example. Consider again the protocol execution with Q B introduced earlier for illustrating asymmetric consistent broadcast. Recall that F = {p * 4 , p * 5 }, the set {p 1 , p 2 , p 3 } is a guild, and p 6 is naïve. The start of the execution is the same as shown previously and omitted. Instead of c-delivering x and u, respectively, p 1  Another open problem concerns the conditions for reacting to ready messages in the asymmetric reliable broadcast protocol. Already in Bracha's protocol for the threshold model [3], a process (1) sends its own ready message upon receiving f + 1 ready messages and (2) r-delivers an output upon receiving 2f + 1 ready messages. These conditions generalize for arbitrary, non-threshold quorum systems to receiving messages (1) from any set that is guaranteed to contain at least one correct process and (2) from any set that still contains at least one process even when any two fail-prone process sets are subtracted. In Algorithm 3, in contrast, a process delivers the payload only after receiving ready messages from one of its quorums. But such a quorum (e.g., n+f +1 2 processes) may be larger than a set in the second case (e.g., 2f + 1 processes). It remains interesting to find out whether this discrepancy is necessary.