Good-case Early-Stopping Latency of Synchronous Byzantine Reliable Broadcast: The Deterministic Case

This paper considers the good-case latency of Byzantine Reliable Broadcast (BRB), i


Introduction
Introduced in the eighties [14,20], Byzantine reliable broadcast (BRB) and Byzantine Broadcast (BB) are two fundamental abstractions of distributed computing [5,7,9,10,19,22,23,26,25]. BRB assumes that one particular process, the sender, broadcasts a message to the rest of the system and that correct (a.k.a. honest) processes all deliver the value initially broadcast if the sender is correct or that, if it is not, either all agree on some value or none delivers any value. BB further requires that all correct processes always deliver some

Background and Related Work
The Synchronous Byzantine Reliable Broadcast problem was first introduced in [24] by Lamport, Shostak, and Pease, who proposed in [20] a deterministic solution based on signature chains that requires t + 1 rounds (both in good and bad cases), where t < n is an upper bound on the number of Byzantine processes present in the system. This worst-case round complexity was shown by Dolev and Strong [14] to be optimal for deterministic algorithms. This result was later refined by Dolev, Reischuk, and Strong who showed that min(n−1, n−c+2, t+1) rounds are necessary to realize Synchronous Byzantine Broadcast [13], where c ≥ n − t is the effective number of correct processes in a given run. They also present in the same paper a deterministic signature-free algorithm that achieves this bound provided that n > max(4t, 2t 2 − 2t + 2). The salient properties of this algorithm are summarized in the first column of Table 1 and compared to more recent works and to this paper (last column). In recent years, substantial progress has been achieved to circumvent the hard bound of t + 1 rounds for deterministic BRB and BB algorithm by exploiting randomization, and generally assuming a weakly adaptive adversary, i.e., an adversary that can adaptively corrupt processes, but cannot remove messages sent in the round when a process becomes Byzantine.
In 2020, Wan, Xiao, Shi, and Devadas presented a randomized algorithm that achieves BB in O ( n n−t ) 2 expected synchronous rounds [27]. Last year, in an in-depth study of the good-case latency of BB and BRB algorithms [3] (extended version in [4]), Abraham, Nayak, Ren, and Xiang proved a lower bound of ⌊n/(n − t)⌋ − 1 rounds for the good-case latency of synchronous BRB. They then explained how the solution presented in [27] can be optimized to deliver a good-case latency of ⌈n/(n − t)⌉ + ⌊n/(n − t)⌋ rounds (about 2n/(n − t) ± 1) assuming a weakly adaptive adversary. 4 The properties of these earlier works are summarized in Table 1, together with those of the algorithm we propose. Among these works, only [13] is deterministic and therefore tolerates a strongly adaptive adversary. It imposes, however, a strong constraint on n (n > max(4t, 2t 2 −2t+2)) and does not tolerate a majority of Byzantine processes, which the other algorithms do. Conversely, the algorithms of [3, 16, 27] all tolerate an arbitrary number of Byzantine processes, but contrary to the solution we present, they rely on randomization under a weakly adaptive adversary and do not exploit executions in which the number of Byzantine processes is less than the upper bound t. (They are not early stopping.)

Byzantine Reliable Broadcast
Following [3, 16, 27], we consider a one-shot Byzantine-tolerant reliable broadcast (BRB for short) in which the sending process p sender is known beforehand. The BRB abstraction provides two operations, brb_broadcast and brb_deliver. brb_broadcast(m) is invoked by the sending process p sender . When this happens, we say that p sender brb-broadcasts m. When a process p i invokes brb_deliver(m) we say that p i brb-delivers m. The BRB abstraction is specified by the following five properties.

Safety:
BRB-Validity: If a correct process p i brb-delivers a message m and p sender is correct, then p sender has brb-broadcast m.
BRB-No-duplication: A correct process p i brb-delivers at most one message. BRB-No-duplicity: No two different correct processes brb-deliver different messages. Liveliness: BRB-Local-delivery: If p sender is correct and brb-broadcasts a message, then at least one correct process p j eventually brb-delivers some message.
BRB-Global-delivery: If a correct process p i brb-delivers a message, then all correct processes brb-deliver a message.

Underlying intuition
Signature chains. The original BRB algorithm of Lamport, Shostak, and Pease uses signature chains to propagate what each process knows of the system's state [20]. A signature chain (or chain for short) starts by a message m signed by the sending process, e.g. (m, i sender , σ p sender ), where i sender is the identify of the sending process, and σ p sender is a signature of (m, i sender ) with p sender 's private key. Such a chain is of length 1, as it contains one signature. A chain of length ℓ is extended by appending the identity i ℓ+1 of a process p i ℓ+1 not present in the chain, followed by p i ℓ+1 's signature of the resulting sequence: As in [14, 20], we use the compact notation m : p sender : p i2 : .. : p i ℓ+1 to represent such a chain.
D I S C 2 0 2 2 4:6 Good-Case Early-Stopping Latency of Synchronous BRB Valid chains. In Lamport, Shostak, and Pease's original algorithm [20], further formalized in [14], and algorithms based on the same idea [16], correct processes only accept valid signature chains, i.e., signature chains that are acyclic and whose length matches the current round. These conditions constrain the disruption power of Byzantine processes by limiting how long they can hide a message from correct processes. In [14, 20], a message is considered for delivery when backed by at least one chain containing t + 1 signatures: the length of the chain (t + 1) ensures that Byzantine processes cannot reveal some message m to only a subset of correct processes, while hiding it from others, and thus guarantees that all correct processes use the same set of messages to decide which message should be delivered (using a deterministic choice function).
From chains to certificates. The protocol we propose generalizes this intuition in a simple, albeit non-trivial, way. Instead of single chains, our algorithm uses sets of chains forming a particular pattern to trigger delivery. We call these chain patterns certificates. We constrain how a certificate might be propagated to limit how long Byzantine processes can hide a valid certificate from correct processes. A given certificate for a message m has a "weight" representing how many processes are "backing" m. To back a message m, a process must have witnessed it at the latest by the end of round 2. The heavier a certificate, the more quickly a correct process can make a delivery decision in the absence of any contradictory information. This approach is beneficial when the initial sender is correct , allowing correct processes to terminate in this case in max(2, t + 3 − c) rounds 5 .

Notations
We use the following notations: m : p i1 : p i2 : · · · : p i ℓ is a chain of signatures (or chain for short) as in [14,16,20]. We say that the length of the chain is ℓ. A valid chain must start with p sender (i.e. p sender = p i1 ), only contain valid signatures, and be acyclic (a process' signature can only appear once in a given chain). As in [14], we assume a filter function removes any invalid chain from the reception queue of correct processes, so that correct processes only receive valid chains. In particular, correct processes will only accept chains of length R during round R. As a shortcut, we might therefore say that a process p i has signed a chain π in round R to mean that p i 's signature is the R th signature in π. π being a chain of signatures, message(π) denotes the message at the start of the chain. We therefore have message(m : p sender : p i2 : · · · : p i ℓ ) = m. By extension, if E is a set of chains, message(E) is the direct image of E by message(). M being a set of messages, choice(M ) deterministically returns one of the messages, i.e., the same message m is returned by all correct processes for the same input set M . The function choice() can be implemented in various ways: e.g., the message with the smallest value or smallest time-stamp. If M is empty, choice(M ) returns ⊥. γ = (p i k,γ ) k∈ [1..ℓ] ∈ Π ℓ being a sequence of ℓ processes, for simplicity, we will use the notation : γ : as a shorthand for the fragment of signature chain : p i1,γ : · · · : p i ℓ,γ : . For instance, m : p sender : γ : p i thus means m : p sender : p i1,γ : · · · : p i ℓ,γ : p i . We will similarly equate the sequence γ with its supporting set set(γ) = {p i k,γ } k∈ [1..ℓ] when unambiguous.

5
Description of the algorithm

Overview
Certificates and revealing chains. The algorithm revolves around the notion of certificate, which can be informally described as a set of signature chains for a given message m that fits a particular pattern. The weight of a certificate is defined as the number of processes whose signature appears within the first two positions of some chains of the certificate. These processes are said to be backing m in the certificate. Just counting and propagating the round-2 signatures that correct processes observe is, however, not enough, as it does not prevent Byzantine processes from hiding part of a certificate from correct processes until the very last moment (round t + 1 in our case). The certificates we use therefore add an additional constrain that limits the disruption power of Byzantine processes: a certificate of weight w must contain a "revealing chain" m : p sender : γ i (shown in red in Figure 1) whose makeup must "differ sufficiently" from the backing processes documented by the certificate. "Differ sufficiently" means that besides the processes in position 1 (p sender in all cases) and position 2 (p γ in Figure 1), the processes from position 3 until position t + 3 − w of this revealing chain should not be backing processes.
This constraint limits what Byzantine processes can do when the sender is Byzantine and allows correct processes to use an early delivery condition that is safe both in good and bad cases. When p sender is Byzantine (bad case), Byzantine processes may collude to forge competing certificates for different messages. When doing so, however, Byzantine processes can only use up to t signatures and must decide whether to invest these t signatures in the backing part of each certificate (thus increasing the certificate's weight) or in the revealing chain of the certificate (thus delaying the time at which the message of a forged certificate must be revealed to correct processes, but reducing the certificate's weight).
Certificate conspicuity. The position t + 3 − w of the revealing chain enforces this constraint. The signatures from positions 3 to t + 3 − w correspond to (t + 3 − w) − 3 + 1 = t + 1 − w processes. Added to the w processes backing the certificate (E i,R ∪ {p sender , p γ } in Figure 1), this represents t + 1 − w + w = t + 1 processes. These t + 1 processes must contain a correct process; therefore, Byzantine processes that seek to forge a certificate must include the signature of a correct process at the latest in round t + 3 − w. This correct process ensures 4:8

Good-Case Early-Stopping Latency of Synchronous BRB
that the message of a forged certificate must be revealed to all correct processes at the latest by round t + 3 − w. We call the round R w = t + 3 − w the conspicuity round for weight w, and this property Certificate Conspicuity.
By contrapositive, certificate conspicuity allows correct processes to ascertain the nonexistence of a certificate of a given weight for a message. This ability to be sure that a given certificate does not exist, and the ability to propagate certificates that do, are the key ingredients that allow our algorithm to terminate (much) faster than other chain-based deterministic algorithms [14,16,20] in good cases, more precisely in max(2, t + 3 − c) rounds, where c = n − f is the number of effective correct processes.
An example of certificate. Figure 1 shows a certificate of weight w = 6 for a message m observed by p i at round R: each horizontal line represents a chain of signatures that starts with m : p sender , the green and red dots represent processes that have witnessed m : p sender in round 2 (and are therefore backing m), and m : p sender : γ i is the revealing chain, such that the process appearing from position 3 to t + 3 − w (t − 3 here) in m : p sender : γ i (or equivalently from position 2 to t + 2 − w in γ i ) do not appear in position 2 of any of the certificate's chains (equivalently the t + 2 − w truncation of γ i , noted truncate t+2−w (γ i ), does not appear in E i,R , the set of processes in position 2 in chains of the certificate other than m : p sender : γ i ).
The certificate depicted in Figure 1 is of weight w = 6, as it proves that 6 distinct processes are backing m, i.e. they have signed a chain containing m in round 1 (for p sender ) or 2 (for the others). These processes are p sender , p γ (the first process in γ i ), and the four processes of E i,R .
A special case: delivery in round 2. A special case occurs when the weight of a certificate reaches w = t + 1. When this happens, any process p i observing the certificate knows that either p sender , p γ , or one of the processes of E i,R is correct and, therefore, that all correct processes must have received a chain containing m by round 2. Conversely if p i has not received any chain containing a message m ′ by round 2, p i knows that a certificate of weight t + 1 cannot possibly exist for m ′ . As a result, a correct process that observes a certificate a weight t + 1 for m and is not aware of any other message m ′ ̸ = m by round 2 can safely brb-deliver m, as no other message will be able to "beat" m with a heavier certificate, even if the sender p sender is Byzantine.
Weak non-intersecting quorums. The reasoning for w = t + 1 mirrors the mechanism of intersecting quorums used in asynchronous systems and requires a majority of correct processes (or n > 2t) to be guaranteed to occur when the sender is correct. The proposed certificate mechanism leverages the additional guarantees that a synchronous system brings to generalize this idea to weaker non-intersecting "quorums", whose ability to trigger a brb-delivery decision requires additional temporal information (waiting until the conspicuity round R w = t + 3 − w).

Algorithms
In the pseudo-code of our algorithm, we use the operation broadcast(m) as a shorthand for for all p j ∈ Π do send m to p j end for.
For readability, the pseudo-code for the sending process p sender is presented separately in Algorithm 1. To brb-broadcast m, p sender simply signs m and produces the signature chain m : p sender and broadcasts a protocol message msg({m : p sender }) containing this chain to all correct processes, before brb-delivering m locally. ▷pi receives its own broadcast Algorithm 2 constitutes the core of the proposed BRB. It uses up to t + 1 synchronous rounds (lines 5-19). Each round is divided into a communication step (lines 6-8), during which processes broadcast and receive messages exchanged during the round, and a computation step (lines 9-18) during which they handle received messages and prepare the messages to be sent during the next round. received i,R represents the messages received by process p i during round R. It is directly updated by the (synchronous) network layer.
R is a global variable containing the sequence number of the current round. to_be_bcast i,R contains the signature chains to be broadcast by p i during round R. In the first round p i ̸ = p sender broadcasts an empty protocol message msg(∅). p i stores in the array view i [R] the signature chains it receives during round R (line 7). Chains that do not already contain p i 's signature are signed by p i and stored for broadcasting in the next round (line 8).
p i 's behavior in the computation step depends on whether p i has reached round t + 1 or not. In earlier rounds, p i used the conspicuity property of certificates to detect if a message m is backed by a certificate "heavy enough" that cannot be beaten by any other message m ′ ̸ = m (condition at line 16). If this is the case, m is brb-delivered at line 17, and the flag ready i is toggled to stop the algorithm in the next round. 6 "Heavy enough" means that p i should observe a certificate of weight at least w R = t + 3 − R for m. The value w R is simply the weight whose conspicuity round turns out to be R, as t + 3 − w R = t + 3 − (t + 3 − R) = R (see Section 5.1). This implies that, by round R, all certificates of weight at least w R = t + 3 − R must have become conspicuous and allows p i to make a safe brb-delivery.
If p i reaches round t + 1 without having delivered any message (line 11), it tallies all messages known to it and keeps only messages backed by a certificate with maximal weight. p i uses a deterministic function choice to break any tie that may appear.
The code for the function certificate i executed by p i is shown in Algorithm 3. certificate i first computes the set of all length-2 prefixes of signature chains known to p i (set S i,R at line 2), and seeks to find a "revealing chain" m : p sender : γ i known to p i so that after removing the t + 2 − w truncation 7 of γ i from S i,R , enough distinct processes 8 remain to ensure w processes have signed m by round 2 (see Figure 1 and Section 5.1.) In terms of vocabulary, we say that p i observes a certificate of weight w for a message m during round R if certificate i (m, w) = true during the computation step of round R at p i (lines 9-18 of Algorithm 2). Note that because view i [R] is initially empty and is only modified once (during round R, line 2 of Algorithm 2), certificate i (m, w) is stable (once true during some round, certificate i (m, w) remains true in all subsequent rounds). For the same reasons, and by definition of certificate i (Algorithm 3), if certificate i (m, w) = true for some weight w, then certificate i (m, w ′ ) = true for any smaller weight w ′ ≤ w.

6
Proof of correctness ▶ Theorem 1. Algorithm 2 implements a Synchronous Byzantine Reliable Broadcast object. If the initial sender p sender is correct, correct processes brb-deliver in at most max(2, t + 3 − c) rounds, where c is the effective number of correct processes. 6 The extra round of communication induced by ready i is needed to ensure all correct processes observe the same certificate as p i . However, by delivering as soon as the condition of line 16 is true, the algorithm does not ensure that crashed processes benefit from the BRB-No-duplicity and BRB-Global-delivery properties. These additional guarantees can be provided at the cost of one extra round by postponing the brb-delivery of m by one round from line 17 to line 9. See footnote 5. 7 The t + 2 − w truncation of γ i equals the subchain of m : p sender : γ i between positions 2 and t + 3 − w. 8 certificate i (m, w) uses the threshold w − 2 at line 3 to take into account that p sender and the first process of γ i (called pγ in Figure 1) are also backing m. See our discussion in Section 5.1.
▶ Remark 2. Note that if n > 2t, then because c ≥ n − t, we have c ≥ t + 1, and max(2, t + 3 − c) = 2, all correct processes deliver in at most 2 rounds when the sender is correct.
▶ Remark 3. Algorithm 2 can easily be adapted to solve Byzantine Broadcast by modifying line 12 to brb-deliver some default value (e.g., ⊥) when the set W i is empty.

Preliminary lemmas
Theorem 1 hinges on two fundamental properties: Certificate Conspicuity (Lemma 4) and Certificate Final Visibility (Lemma 9). Lemmas 6-7 are used to prove Lemma 9. As explained earlier, Certificate Conspicuity forces Byzantine processes that seek to hide a certificate of weight w for a message m to reveal at the latest by round t + 3 − w (the "conspicuity round" of w) that m exists. Certificate Final Visibility ensures that when the initial sender p sender is malicious, if a correct process reaches round t + 1, then this correct process observes all the certificates ever observed by other correct processes.
▶ Lemma 4 (Certificate Conspicuity). Let p i and p j ̸ = p i be correct processes, m a message, and R ∈ [2..t + 1] a round. If p i observes a certificate of weight at least t + 3 − R for m at some point of its execution (i.e. certificate i (m, t + 3 − R) = true) and p j executes round R, then m ∈ known_msgs j,R at round R at p j .
Sketch of proof. (Detail in the appendix.) Let us note r i and γ i a round and a process sequence that render true the condition at line 3 in the definition of certificate i for p i (Alg. 3). The proof depends on whether r i (the round in which p i observes the revealing chain m : p sender : γ i , cf. Alg. 3) occurs before or after the round R, the round during which we seek to prove that all correct processes are aware of m. If r i < R, because p i forwards all chains it has not signed yet, all correct processes observe a chain containing m at the latest by round r i + 1 ≤ R. If r i ≥ R, the fact that only the first process of truncate t+2−w (γ i ) can be backing m in p i 's certificate implies that (t + 2 − w) + (w − 2) + 1 = t + 1 processes (counting the (t + 2 − w)-prefix of γ i , the remaining processes of S i,R not in the prefix, and p sender ) have signed a chain containing m during the first R rounds of the protocol. One of them must be correct, yielding the lemma. ◀ The following corollary from Lemma 4 states that if a correct process has not seen a message m by round R ≥ 2, then no certificate of weight ≥ t + 3 − R will ever exist.
▶ Corollary 5. Let p i and p j ̸ = p i be correct processes, m a message, and R ∈ [2..t + 1] a round. If m ̸ ∈ known_msgs i,R at round R at line 16 of Algorithm 2 at p i , then for any Proof. Consider p i and p j two correct processes. If m ̸ ∈ known_msgs i,R at round R of p i , then by contrapositive of Lemma 4, then certificate j (m, t + 3 − R) = false during all of p j 's execution. Because of the inequality at line 3 of the definition certificate (Alg. 3), certificate j (m, w) implies certificate j (m, w ′ ) for any w ′ ≤ w, and therefore certificate j (m, t + 3 − R) = false implies certificate j (m, t + 3 − R ′ ) = false for any R ′ ≥ R. ◀ In the coming lemmas, we use the following quantity to prove the final visibility of certificates (Lemma 9), which is central to establishing the BRB-No-duplicity property.

Good-Case Early-Stopping Latency of Synchronous BRB
The following lemma states that all length-2 prefixes known by a correct process p i ̸ = p sender at round R are known by all other correct processes by round R + 1.
▶ Lemma 6. Let p i and p j ̸ = p i be two correct processes, such that p i executes the computation step (lines 6-8) of at least the R ≤ t first rounds, and p j executes the communication step of at least the first R + 1 rounds.
Proof. Note that since p i and p j execute Algorithm 2, they are both different from p sender . We prove the lemma by induction. Case by case assumption, We now need to show that truncate 2 view i [R + 1] ⊆ T 2,j [R + 2] to complete the proof. Consider m : p sender : γ ∈ view i [R + 1], with γ ∈ Π R . By assumption, p i ̸ = p sender , we must therefore distinguish two cases depending whether p i appears in γ or not. The following lemma shows that if p sender is Byzantine then all correct processes agree on the length-2 prefixes they have observed by round t + 1. ▶ Lemma 7. Let p sender be Byzantine, and p i and p j be two correct processes that execute the communication step of round t + 1, then T 2,i [t + 1] = T 2,j [t + 1].

Sketch of proof.
(Detail in the appendix.) The proof uses the fact that the length-2 prefixes that p i receives in round t + 1 have been propagated by t + 1 processes. One of these processes must be correct, and because p sender is Byzantine, it must be a process that signed the chain at the earliest in round 2, implying that the length-2 prefix is also known to p j . This observation, together with Lemma 6 yields the proof. ◀ Proof. The proof follows either from Lemma 7 or 6, depending on whether r = t + 1 or not. If r = t + 1, the corollary follows trivially from Lemma 7. If r < t + 1, this follows from Lemma 6, and observing that T 2,j [r + 1] ⊆ T 2,j [t + 1]. ◀ The following lemma states that if p sender behaves maliciously (for instance, by sending different messages in round 1), if a certificate of weight w exists for a message m (meaning that it is observed at some point by some correct process), then all correct processes that reach round t + 1 observe a certificate of weight w for m by round t + 1, a property we have dubbed Final Certificate Visibility.
▶ Lemma 9 (Certificate Final Visibility). Let p sender be Byzantine, and p i and p j be correct processes such that p i observes certificate i (m, w) = true at some round R ∈ [1..t + 1], and p j executes the communication step of round t + 1. Then p j observes certificate j (m, w) = true at round t + 1.
Proof. Assume a correct process p i observes certificate i (m, w) = true at some round R. Consider p j another correct process that reaches round t + 1. Without loss of generality, assume p j ̸ = p i (as the case p i = p j is trivial).
In the following, r i and γ i denote a round and a process sequence that render true the condition at line 3 for p i in the definition of certificate i (Algorithm 3). (3) The rest of the proof distinguishes two cases, depending on whether p j ∈ γ i or not, with the case p j ̸ ∈ γ i leading to more sub-cases.
Case p j ∈ γ i : As p j is correct, p j ∈ γ i implies p j has signed and therefore received a chain m : p sender : γ j at line 8 of Alg. 2 during some round r j < r i , where γ j is a prefix of γ i . As a result of this broadcast, at all rounds higher or equal to r j , we have As γ j is a prefix of γ i , truncate t+2−w (γ j ) is also a prefix of truncate t+2−w (γ i ), which implies using (3) As |E i,R | ≥ w − 2 (since certificate i (m, w) = true at round R by lemma assumption), this last inclusion yields Equations (4) and (5) render true line 3 of certificate j (m, w) (Alg. 3) at round t + 1, proving the lemma.

Good-Case Early-Stopping Latency of Synchronous BRB
Case p j ̸ ∈ γ i : If p j 's signature is not in γ i the approach to find r j and γ j that fulfill line 3 of Alg. 3 for p j depends on the value of r i and on whether p i appears in the set E i,R of length-2 prefixes. Line 3 of Alg. 3 implies view i [r i ] ̸ = ∅. As view i [r i ] is initially empty and only updated in the communication step of round r i , this implies R ≥ r i . Case r i = t + 1: R ≥ r i yields R ≥ t + 1. As R ≤ t + 1 by lemma assumption, we conclude R = t + 1. Since p sender ̸ ∈ γ i due to the acyclic nature of signature chains accepted by correct processes, |{p sender } ∪ γ i | = |{p sender }| + |γ i | = 1 + r i − 1 = t + 1 (by case assumption). {p sender } ∪ γ i therefore contains at least one correct process p k . As p sender is Byzantine (by lemma assumption), p k ∈ γ i . this means that p k has broadcast to all processes a chain m : p sender : γ j during some round r j ≤ t + 1, where γ j is a prefix of γ i . p j has received this chain, and we therefore have As above, |E t+1,i | ≥ w −2 (since R = t+1, see above) implies that this last set contains at least w − 2 elements. This fact with (6) renders true line 3 of certificate j (m, w) (Alg. 3) at round t + 1, proving the lemma. Case r i < t + 1: If p i ̸ ∈ γ i , p i signs the chain m : p sender : γ i (line 8, Alg. 2) and broadcasts to all processes (since p i is correct) the chain m : p sender : γ i : p i during the communication step of round r i + 1. If p i ∈ γ i , this means p i has already performed these two steps (signing and broadcasting) at some earlier round. In both cases, p j receives a chain m : p sender : γ ′ i : p i during some round r j ≤ r i + 1. By choosing γ j = γ ′ i : p i , we therefore have If p i ∈ γ i , then γ j is a prefix of γ i , truncate t+2−w (γ j ) ⊆ truncate t+2−w (γ i ) and If However, by case assumption |γ i | < t + 2 − w implies p i ̸ ∈ E i,R , and therefore (8) continues to hold. Using Corollary 8 on (8) we therefore have independently of γ i As above, using |E i,R | ≥ w − 2 on the above inclusion yields |{q ∈ Π \ truncate t+2−w (γ j ) | m : p sender : q ∈ T 2,j [t + 1] }| ≥ w − 2.
(9) Equations (7) and (9) render true line 3 of certificate j (m, w) (Alg. 3) at round t + 1 (since r j = r i + 1 ≤ t + 1 by case assumption), proving the lemma. * Sub-case p i ∈ E i,R and |γ i | < t+2−w: p i ∈ E i,R means that p i has signed m : p sender . Since p i is correct, it has therefore broadcast to all processes m : p sender : p i during round 2. As a result, from round 2 onward m : p sender : p i ∈ view j [2]. (10) By definition r i ≥ 2 (line 3 of Alg. 3), and therefore |γ i | = r i − 1 ≥ 1, implying γ i is non-empty (and t + 2 − w > 1 by sub-case assumption). Consider p γ the first process in γ i . As |γ i | < t + 2 − w (sub-case assumption), p γ ∈ truncate t+2−w (γ i ), and therefore p γ ̸ ∈ E i,R , by definition of E i,R (Equations 2 and 3).
We construct a set of length-2 prefixes for p j by removing p i and adding p γ from/to E i,R . More precisely, we have Moreover as m : p sender : As p i ∈ E i,R by case assumption, and As |E i,R | ≥ w − 2 (since certificate i (m, w) = true at round R by lemma assumption), the above inclusion leads to By choosing γ j = p i and r j = 2, (10) and (12) render true line 3 of certificate j (m, w) (Alg. 3) at round t + 1 (since t ≥ 1, and t + 1 ≥ 2), proving the lemma. ◀

Sketch of proof. (Detail in the appendix.)
BRB-Validity follows from the use of (secure) signatures and the fact that correct processes only accept valid signature chains.
BRB-No-duplication is ensured by construction of the algorithm, and BRB-Localdelivery from the code executed by p sender when it is correct. BRB-No-duplicity follows from BRB-Validity when p sender is correct. When p sender is Byzantine, the no-duplicity follows from the Conspicuity of the certificates (Lemma 4) and from their Final Visibility (Lemma 9). Certificate conspicuity ensures that if two processes p i and p j brb-deliver a message before round t + 1, the process with the "weaker" certificate (say p j ) must be aware of p i 's message when it brb-delivers its own message, and therefore must brb-deliver the same message as p i , due to the condition at line 17.

Good-Case Early-Stopping Latency of Synchronous BRB
If p i brb-delivers before round t + 1 and p j during round t + 1, then the Final Visibility of certificates guarantees that p j will observe p i 's certificate at line 12. Corollary 5 implies that p i 's message is guaranteed to have the "heaviest" certificate, ensuring agreement. Finally, if both p i and p j deliver in round t + 1, Final Visibility guarantees they see the same set of messages and certificates and that they brb-deliver the same message. The good-case latency of the algorithm, max(2, t+3−c) rounds, follow from the observation that all correct processes observe a certificate of weight c by the end of round 2 when the initial sender, p sender , is correct. As no other message exists in the system, the condition at line 16 ensures that all correct processes have delivered p sender 's message at the latest either by the end of round 2 or by the end of round t + 3 − c, whichever occurs first.
BRB-Global-delivery follows from the above reasoning when p sender is correct. When p sender is Byzantine, the property follows from Certificate Finality. ◀

Conclusion
Considering n-process synchronous distributed systems where up to t < n processes can be Byzantine, this paper explored the good-case latency of deterministic Byzantine reliable broadcast (BRB) algorithms, the time taken by correct processes to deliver a message when the initial sender is correct.
In contrast to their randomized counterparts, no deterministic BRB algorithm was known that exhibited a good-case latency better than t + 1 (the worst-case bound) under a majority of Byzantine processes. This article has proposed a novel deterministic synchronous BRB algorithm that substantially improves on this earlier bound and provides a good case latency of max(2, t + 3 − c) rounds, where t is the upper bound on the number of Byzantine processes, and c the number of effectively correct processes in the considered run.
The algorithm that has been presented extends the "signature chain mechanism" first proposed four decades ago and allows correct processes to brb-deliver much earlier when the context is favorable. In particular, when the sender is correct, and there are enough effectively correct processes (c > t), our algorithm delivers in 2 rounds, thus outperforming all known dishonest-majority BRB algorithms (whether deterministic or randomized).
Several crucial open questions remain, in particular, whether the upper bound of t + 3 − c rounds can be further improved (for instance, using techniques employed in sub-linear randomized algorithms [4,27]). In terms of lower bounds, one might ask whether the lower bound of ⌈n/(n − t)⌉ − 1 shown in [4] can be refined to include the effective number of correct processes c, and whether this same lower bound can be strengthened in the deterministic case, for instance considering the fact that Byzantine Agreement cannot be solved in a (worst-case) sub-linear communication complexity using algorithms that tolerate a strongly adaptive adversary (which include deterministic algorithms) [1]. Proof. Assume a correct process p i observes certificate i (m, t+3−R) = true. In the following, r i and γ i denote a round and a process sequence that render true the condition at line 3 in the definition of certificate i (Algorithm 3). The remainder of the proof distinguishes two cases, depending on whether r i < R or not. Case r i < R: m : p sender : γ i ∈ view i [r i ] implies that p i receives m : p sender : γ i during the communication step of round r i < R (line 7 of Algorithm 2). If p i ̸ ∈ γ i , p i signs the chain (line 8, Alg. 2), and broadcast it during the communication step of round r i + 1 ≤ R (line 6 of the same algorithm). If p i ∈ γ i , p i has signed a chain m : p sender : γ ′ earlier, and broadcast the result before or during round r i . In both cases, this means all other correct processes receive some chain m : p sender : γ ′ i : p i either during or before round R, and therefore that m ∈ known_msgs j,R at round R for all correct processes p j that execute round R. Case r i ≥ R: Let us note γ R−1 = truncate R−1 (γ i ). m : p sender : γ i ∈ view i [r i ] at line 3 means that |γ i | = r i − 1. Since by case assumption r i ≥ R, |γ i | ≥ R − 1, and therefore

4:18
The condition of line 3 implies |E| ≥ t + 1 − R. By construction of E, γ R−1 ∩ E = ∅. Similarly, because correct processes only accept acyclic signature chains, p sender ̸ ∈ E. For the same reason line 3 of Algorithm 3 implies p sender ̸ ∈ γ R−1 ⊆ γ i . E, γ R−1 , and {p sender } are therefore pair-wise disjoint. We therefore have contains at least one correct process, p k . If p k = p sender , the sender is correct, and all correct processes observe message m during round 1.
If p k ∈ E, p k has signed a chain of length 2 with message m and has broadcast this chain to all processes during round 2. Finally, if p k ∈ γ R−1 , the facts that γ R−1 = truncate R−1 (γ i ) and m : p sender : γ i ∈ view i [r i ] at line 3 of Alg. 3 imply that p k has signed a chain with message m and has broadcast this chain to all processes during or before round R ≤ r i . All three cases imply that all correct processes that have not stopped earlier have observed message m at the latest by the end of the communication step of round R, i.e., that m ∈ known_msgs j,R at line 16 of Algorithm 2. ◀ ▶ Lemma 7. Let p sender be Byzantine, and p i and p j be two correct processes that execute the communication step of round t + 1, then T 2,i [t + 1] = T 2,j [t + 1].

Proof. By definition
Applying Lemma 6 we have T 2,i [t] ⊆ T 2,j [t + 1], which with the previous equality yields We now prove that truncate 2 view i [t+1] ⊆ T 2,j [t+1]. Consider m : p sender : γ ∈ view i [t+1]. As p i is correct, it only accepts acyclic signature chains, and p sender ̸ ∈ γ. This implies |p sender ∪ γ| = |p sender | + |γ| = 1 + t. {p sender } ∪ γ therefore contains at least one correct process, p k . As p sender is Byzantine by lemma assumption, p k ∈ γ, and p k therefore has signed a chain m : p sender : γ ′ at line 8 of Alg. 2 before or during round t, where γ ′ : p k is a prefix of γ. As a result, p k has broadcast the resulting chain m : p sender : γ ′ : p k to all other processes during the following round R ′ ≤ t + 1. This implies m : p sender : γ ′ : p k ∈ view j [R ′ ], and hence truncate 2 (m : p sender : γ) = truncate 2 (m : p sender : This last equation shows that truncate 2 (view i [t + 1]) ⊆ T 2,j [t + 1], which injected in (13) yields T 2,i [t + 1] ⊆ T 2,j [t + 1]. By inverting p i and p j , by the same reasoning we obtain T 2,j [t + 1] ⊆ T 2,i [t + 1], which concludes the Lemma's proof. ◀

A.2 Proofs of Theorem 1
The proof of Theorem 1 follows from Lemmas 10-15, which follow.
Proof. Consider p i a correct process. If p i = p sender , the brb-delivery of a message m at line 3 of Algorithm 1 trivially implies that p i has executed Algorithm 1, and hence has brb-broadcast m.
If p i ̸ = p sender , p i may brb-deliver a message m either at lines 17 or 15 of Algorithm 2. In both cases, m belongs to some known_msgs i,R variable computed at line 10, and must therefore appear in a signature chain of the form m : p i1 : · · · : p i ℓ received by p i at line 7. As p i is correct, it only accepts and processes valid chains of signatures by assumption, in which m is first signed by p sender (i.e. p i1 = p sender ). Since p sender is correct, and we have assumed signatures to be secure, for m to be signed by p sender , p sender must have executed line 2 of Algorithm 1, and must therefore have brb-broadcast m. ◀ ▶ Lemma 11. Algorithm 2 verifies the BRB-No-duplication Property.
Proof. Trivially, this is because once a correct process executes a brb_deliver operation (either at line 3 of Algorithm 1, or lines 17 or 15 of Algorithm 2), it terminates its execution, either immediately or at line 9 in the next round, without invoking brb_deliver. Proof. The property trivially follows from the code executed by p sender (Algorithm 1). If p sender is correct it executes Algorithm 1 to broadcast a message m, then brb-delivers its own message at line 3. ◀ ▶ Lemma 13. Algorithm 2 verifies the BRB-No-duplicity Property.

Proof.
If p sender is correct, p sender brb-broadcasts one single message m (Algorithm 1), and by BRB-Validity (Lemma 10), all correct processes that do brb-deliver a message only brb-deliver m.
If p sender is Byzantine, consider two correct processes p i and p j (both necessarily different from p sender ) that each brb-deliver some message: p i brb-delivers m i and p j brb-delivers m j . We distinguish three cases depending on the lines at which p i and p j execute brb_deliver. Case 1: Assume p i and p j both deliver their respective message at line 17 of Algorithm 2. Due to the condition at line 16, there exist two rounds R i and R j such that the following holds Without loss of generality, assume R i ≤ R j . By Lemma 4, certificate i (m i , t + 3 − R i ) = true implies that m i ∈ known_msgs j,Ri at round R i at p j (since R i ≤ R j implies that p j executes round R i ). R i ≤ R j further implies known_msgs j,Ri ⊆ known_msgs j,Rj by definition of known_msgs j,− , and the way view j is initialized and updated. m i ∈ known_msgs j,Ri therefore implies that m i ∈ known_msgs j,Rj . Combined with known_msgs j,Rj = {m j }, this last statement yields m i = m j , proving the lemma. Case 2: Assume p i and p j both brb-deliver their respective message at line 15 of Algorithm 2, during round t + 1. Let us consider the two following sets, defined at round t + 1: W i = w ∈ N ∃m ∈ known_msgs i,t+1 : certificate i (m, w) , and W j = w ∈ N ∃m ∈ known_msgs j,t+1 : certificate j (m, w) .
Consider w ∈ W i . By Lemma 9, certificate i (m, w) = true implies certificate j (m, w) = true for p j . Because of line 3 of the definition of certificate (Alg. 3), certificate j (m, w) = true implies that m ∈ known_msgs j,t+1 , and therefore that w ∈ W j . Inverting p i and p j leads to W i = W j , and therefore to wmax i = wmax j . Using wmax i = wmax j , and following an identical reasoning on candidate_msgs i and candidate_msgs j produces candidate_msgs i = candidate_msgs j , and therefore that p i and p j brb-deliver the same message at line 15. Case 3: Assume p i brb-delivers m i at line 17 of Algorithm 2, and p j brb-delivers m j at line 15 of the same algorithm. Due to the condition at line 16, there exists a round R i such that the following holds certificate i (m i , t + 3 − R i ).