Contention-Aware Cooperation

Albouy, Timothé; Frey, Davide; Gestin, Mathieu; Raynal, Michel; Taïani, François

doi:10.4230/LIPIcs.OPODIS.2025.9

Contention-Aware Cooperation

Timothé Albouy

IMDEA Software Institute, Madrid, Spain Davide Frey

Univ Rennes, Inria, CNRS, IRISA, 35042 Rennes-cedex, France Mathieu Gestin

CEA, Saclay, France Michel Raynal

Univ Rennes, Inria, CNRS, IRISA, 35042 Rennes-cedex, France François Taïani

Univ Rennes, Inria, CNRS, IRISA, 35042 Rennes-cedex, France

Abstract

As shown by Reliable Broadcast and Consensus, cooperation among a set of independent computing entities (sequential processes) is crucial in fault-tolerant distributed computing. Considering $n$ -process asynchronous message-passing systems where some processes may be Byzantine, this paper introduces a novel cooperation abstraction, Contention-Aware Cooperation (CAC). While Reliable Broadcast is a one-to- $n$ cooperation abstraction and Consensus is an $n$ -to- $n$ cooperation abstraction, CAC is a $d$ -to- $n$ cooperation abstraction where $d$ ( $1\leq d\leq n$ ) varies with each run and remains unknown to the processes. Correct processes accept the same set of $\ell$ pairs $\langle v,i\rangle$ ( $v$ is the value proposed by $p_{i}$ ) from the $d$ proposer processes, where $1\leq\ell\leq d$ and (as $d$ ) $\ell$ remains unknown to the processes (except in specific cases). Those $\ell$ values are accepted one at a time, potentially in different orders at each process. In addition, CAC provides each process with an imperfect oracle that provides insights into the values that they may accept in the future. Interestingly, the CAC abstraction is particularly efficient in favorable circumstances, when the oracle becomes accurate, which processes can detect. To illustrate its practical utility, the paper details two applications leveraging CAC: a fast consensus implementation optimized for low contention (named Cascading Consensus), and a novel naming problem that can be solved under full asynchrony. All algorithms presented require signatures.

Keywords and phrases:

Agreement, Asynchronous message-passing system, Byzantine processes, Conflict detection, Consensus, Cooperation abstraction, Distributed computing, Fault tolerance, Optimistically terminating consensus, Short-naming

Copyright and License:

2012 ACM Subject Classification:

Theory of computation

\rightarrow

Distributed algorithms

Related Version:

Full Version: https://arxiv.org/pdf/2311.08776 [2]

Funding:

This work was partially supported by the French ANR projects ByBloS (ANR-20-CE25-0002-01) and PriCLeSS (ANR-10-LABX-07-81), and by the SOTERIA project. SOTERIA has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 101018342. This content reflects only the author’s view. The European Agency is not responsible for any use that may be made of the information it contains.

DOI:

10.4230/LIPIcs.OPODIS.2025.9

Event:

29th International Conference on Principles of Distributed Systems (OPODIS 2025)

Editors:

Andrei Arusoaie, Emanuel Onica, Michael Spear, and Sara Tucci-Piergiovanni

Series and Publisher:

Leibniz International Proceedings in Informatics, Schloss Dagstuhl – Leibniz-Zentrum für Informatik

1 Introduction

Distributed computing is the science of algorithm-based cooperation. It consists in defining (using precise specifications) and implementing distributed abstractions (distributed objects) that allow a set of computing entities (denoted processes, nodes, peers, actors, etc.) to cooperate to reach a common goal. In the following, we use the term process to denote a sequential computing entity. Considering asynchronous $n$ -process message-passing systems, this paper focuses on cooperation abstractions that have to cope with Byzantine processes (i.e., processes that may behave arbitrarily, as defined in [39, 47]).

The gold standard of cooperation abstractions is consensus. It allows a set of processes to propose values, and to eventually agree on one of those values. This abstraction makes it possible to implement a deterministic state machine, i.e., it makes it possible for the processes to run any deterministic algorithm. However, consensus algorithms cannot be deterministically implemented in an asynchronous distributed system in the presence of faulty processes [23]. A way to circumvent this impossibility consists in weakening one of its assumptions: weakening the full asynchrony assumption [8, 17, 19], assuming scheduling constraints, e.g., [9, 12, 36], weakening determinism by allowing the processes to use random numbers, e.g., [6, 18, 41], providing the processes with as-weak-as-possible information on failures [13], or using an appropriate combination of some of the previous weakenings. An issue with these solutions lies in their high cost in terms of latency and in the number of messages exchanged. A survey of these approaches can be found in [51]. Another interesting approach consists in the design of optimistic algorithms that terminate quickly in predefined favorable circumstances (fast-path) and pay a degrading additional price (layered fast-paths) in the other cases, e.g., [10, 35, 52, 53]. Interestingly, the fast-path part of those algorithms usually does not rely on synchrony assumptions. However, the optimistically terminating consensus algorithms do not separate the fast-path from the rest of their consensus algorithm. It is incorporated in the algorithm without considerations for its specificities. In this paper, we propose to isolate the essence of fast-path mechanisms in a standalone abstraction: the Contention-Aware Cooperation.

1.1 Content of the paper

This paper focuses on optimistic termination under limited contention, i.e., the ability to exploit a fast-path strategy when no or little disagreement exists in the system. This occurs for instance when only a few actions may conflict, or only a few participants are active at any given time. To address such cases, the paper introduces a harmoniously degrading ladder of fast-paths and integrates them into a novel standalone communication abstraction called Contention-Aware Cooperation (CAC). This abstraction provides many-to-many communication with weak agreement capabilities that informally work as follows.

$\blacksquare$

Within a CAC instance, some arbitrary number, $d$ (where $1\leq d\leq n$ ), of processes propose values.
$\blacksquare$

During the subsequent CAC execution, each process accepts pairs, $\langle v,i\rangle$ (where $v$ is the value proposed by $p_{i}$ ), so that, eventually, all processes accept the same set of $\ell$ pairs, where $1\leq\ell\leq d$ . A process accepts pairs one after the other in some arbitrary order, which may vary from one process to another.

Both $d$ (the number of actual proposers) and $\ell$ (the number of eventually accepted values) depend on the run of the CAC instance (e.g., the (unknown) number of proposers, asynchrony, and the behavior of Byzantine processes) and are unknown to participating processes. In particular, a process cannot generally conclude it has accepted the $\ell$ pairs composing the final set of accepted pairs (except in some specific favorable cases that will be discussed later).

To help reach agreement in favorable cases, the CAC abstraction endows each process with an imperfect oracle that offers information about the set of pairs that might get accepted in the future. This oracle is imperfect in the sense that it may produce false positives (it might return pairs that never get accepted). The oracle cannot, however, produce false negatives: any pair excluded by the oracle will never be accepted by any correct process.

In favorable cases, the oracle’s predictions allow processes to detect they have converged to the final set of accepted pairs, and that they will not accept any other pair. As a result, CAC provides a weak form of agreement, and falls into an intermediate class of cooperation abstractions that are less powerful than consensus (and thus feasible even in fully asynchronous environments), but that can achieve fast-path agreement under propitious conditions [4, 16, 20, 59]. Specifically, CAC can dynamically adjust to the number of proposers and the conflicts between proposed values, thereby expanding the design space of existing weak-agreement abstractions.

Table 1: Comparison of CAC with existing fast paths of optimistic cooperation algorithms.

Implementation	Optimistic condition	Best latency¹¹1Latency is measured in terms of consecutive asynchronous rounds for all algorithms.	Byzantine resilience
Zyzzyva [34]	Synchronous period and correct leader	$3$	$\mathbf{3t+1}$
Thunderella [46]	Synchronous period and correct leader	3	$4t+1$
Parsimonious BFT [49]	Synchronous period and correct leader	$3$	$\mathbf{3t+1}$
Fast Byzantine consensus [40]	Synchronous period and correct leader	2	$5t+1$
Optimal Fast Byzantine Consensus [35]	Synchronous period and correct leader	2	$5t-1$
PBFT [12]	Synchronous period and unanimity	$3$	$\mathbf{3t+1}$
Algorand [28]	Synchronous period and unanimity	$3$	$\mathbf{3t+1}$
Optimistic Byzantine agreement [60]	No Byzantine behaviour and synchronous period	$3$	$\mathbf{3t+1}$
Fault scalable BFT services [1]	Failure-free and unanimity	3	$5t+1$
HQ Replication [15]	Unanimity	$4$	$\mathbf{3t+1}$
Bosco [53]	Unanimity	2	$5t+1$
Consensus on demand [52]	Unanimity	2	$5t+1$
Optimistically terminating consensus [60]	Correct leader and unanimity	2	$5t+1$
CAC	Unanimity	2	$5t+1$
CAC	Unanimity	$3$	$\mathbf{3t+1}$

1.2 The CAC abstraction to address low contention problems

The CAC abstraction is designed to solve distributed problems efficiently under low contention. This is particularly useful when implementing objects whose state is determined by the sequence of executed operations, but only a subset of these operations conflict with one-another.

When the probability of contention is low, processes can leverage CAC’s imperfect oracle to detect contention and identify competing processes. In the absence of contention or competitors, processes can terminate prematurely (fast path), and fall back on more advanced (and more costly) strategies in the remaining cases. This hybrid strategy is typical of fast/adaptive cooperation distributed algorithms, and ensures safety in all cases, while delivering high performance in favorable ones. In the case of consensus, CAC’s focus on contention makes it possible to realize a consensus algorithm that can terminate optimistically even when multiple (different) values are proposed (Section 5.2). This ability contrasts with existing optimistically terminating consensus algorithms [33, 43, 52, 53, 60], which typically either require unanimity and/or synchrony to activate their fast-path mechanism. To illustrate this point, Table 1 compares the fast-path conditions of existing optimistically terminating consensus to those of CAC. The numbers indicated for CAC are those of the optimized algorithm we present in the full version of this paper, which can terminate in three asynchronous rounds when $n>3t$ and finishes in two asynchronous rounds in the best cases if $n>5t$ using signatures. Although CAC does not implement consensus, its fast-path conditions directly transfer to the consensus algorithm based on CAC that we present in the full version of this paper, which motivates this comparison. In Table 1, unanimity means that there is no contention on the proposed values. In other words, all proposing processes propose the same value.

The main results of this comparison are that our CAC implementation is equivalent to the best existing fast paths of optimistically terminating consensus in favorable conditions, i.e., an agreement can be reached in $2$ asynchronous rounds when $n\geq 5t+1$ and there is a unanimity of proposed values. The capabilities of our CAC implementation go, however, beyond this optimal best case. In particular,it can also be used to improve the latency of intermediate cases, i.e., when some contention exists but remains limited. For instance, the CAC-based consensus algorithm we introduce in the full version of this paper (dubbed Cascading Consensus) can still reach an agreement if less than $k$ processes endorsed the messages that do not have the majority of endorsements.²²2This condition is explained in the full version of this paper, $k$ is a parameter of the algorithm. As a result, it exhibits a ladder of escalating reconciliation strategies, with intermediate cases limiting reconciliation to the subset of conflicting processes, a capability that is of direct practical relevance when these processes happen to be geographically close to one another [7]. This contention management strategy is made possible thanks to the imperfect oracle of the CAC abstraction.

Note that CAC’s interest extends beyond consensus, in particular when there exists a deterministic back-off strategy that can be implemented under full asynchrony. In that case, the CAC abstraction can be used to construct fully asynchronous agreement algorithms, whereas other solutions would have required consensus. To illustrate this strategy, Section 5.1 introduces the short-naming problem, a novel coordination task in which processes seek to adopt unique names with the lowest possible information-theoretic entropy. Using CAC, we present a Byzantine-tolerant algorithm that solves that problem in a fully asynchronous network.

1.3 Benefits of the CAC abstraction

To summarize the benefits of CAC, this novel abstraction along with our proposed implementations make it possible:

$\blacksquare$

to implement algorithms with expanded “graceful conditions,” enhancing the efficiency of fast-paths in optimistically terminating consensus algorithms;
$\blacksquare$

to adjust precisely fast-path parameters to optimally align with algorithmic requirements;
$\blacksquare$

to isolate the fast-path components of consensus algorithms and implement them in isolation for enhanced modularity;
$\blacksquare$

to implement new and more efficient contention resolution methods when fast-path conditions are not met;
$\blacksquare$

to implement new asynchronous solutions to problems weaker than consensus (e.g., such as the short naming problem).

1.4 Related work

The work described in this paper places itself in the context of fast/adaptive cooperation distributed algorithms where an arbitrary, a priori unknown subset of processes try to modify a shared object. These algorithms seek to terminate as rapidly as possible in favorable circumstances (e.g., no or few faults, no or little contention) and with as few as possible actions from non-participating processes while maintaining strong safety guarantees in the general case. Such algorithms have been investigated in earlier works.

Considering shared memory systems, the reader will find more developments of this approach in [50, 54].

Fast/adaptive consensus in message-passing asynchronous crash-prone/Byzantine systems.

As stated in [37] (which introduces the fast Paxos algorithm), the notion of fast consensus algorithm in crash-prone message-passing asynchronous system was introduced in [10]. This algorithm was then extended to Byzantine asynchronous systems in [53]. Many efficiency-oriented Byzantine consensus algorithms have since been designed (e.g., [33, 35, 40, 43, 48] to cite a few).

Structuring the space of weak agreement problems.

The algorithms just discussed are specific to a single problem. In [4], Attiya and Welch go one step further and introduce a new problem termed Multivalued Connected Consensus, which unifies a range of weak agreement problems such as crusader agreement [16], graded broadcast [21] and adopt-commit agreement [26]. Differently from consensus, these agreement problems can be solved without requiring additional computational power such as synchrony constraints [8], randomization [6], or failure detectors [13].

Interestingly, the decision space of these weak agreement problems can be represented as a spider graph. Such a graph has a central clique (which can be a single vertex) and a set of $|V|$ paths (where $V$ is a finite set of totally ordered values) of length $R$ . Two asynchronous message-passing algorithms that solve Multivalued Connected Consensus are described in [4]. Let $n$ be the number of processes and $t$ the maximal number of processes that can fail. The first algorithm considers crash failures and assumes $t<n/2$ , and the second considers Byzantine failures and assumes $t<n/5$ . For both of them, the instance with $R=1$ solves crusader agreement, and the instance $R=2$ solves graded broadcast and adopt-commit.

Albeit bearing some resemblance to our CAC abstraction, these agreements are one-shot agreements with only one output, generally, either a value is decided, or the processes are informed that other processes may have decided a value, then they terminate. No two different values can be decided by a single process. Whereas the CAC abstraction makes it possible to decide multiple values, and the oracle informs the processes about the values they may accept in the future.

1.5 Roadmap

The article is structured into 6 sections. First, Section 2 introduces the computing model while Section 3 provides a formal definition of the CAC cooperation abstraction. Then, on the feasibility front, Section 4 showcases a first implementation of the CAC primitive that assumes $t<n/4$ but is easy to explain and understand. Next, the CAC algorithm presented in the full version of this paper [2] demonstrates how CAC can be used to solve two synchronization problems of immediate practical relevance: $\mathsf{shortnaming}$ (Section 5.1), which provides processes with unique names while minimizing their information-theoretic entropy, and Consensus with optimistic termination (Section 5.2). The consensus implementation we present (termed Cascading Consensus) exploits the CAC abstraction to offer a ladder of harmoniously degrading fast paths that directly arise from the optimistic performance of our optimal CAC implementation to consensus. Finally, Section 6 concludes the article. Due to page limitations, additional developments are provided in the full version of this paper, including our optimal CAC implementation, which only requires $t<n/3$ , and detailed proofs (including the necessity of this resilience bound for the CAC abstraction) [2].

2 Computing Model

Model.

The system is made up of a set $\Pi$ of $n$ processes, denoted $p_{1},\cdots,p_{n}$ , that communicate using message-passing over asynchronous channels. “Asynchronous” means that each message can be delayed an arbitrary finitely long time, and that processes can take an arbitrary but finitely long time to process an incoming message. However, channels are reliable, i.e., no message is dropped. Among the processes, at most $t$ are Byzantine. A Byzantine process can arbitrarily deviate from its prescribed algorithm. The other processes (that are at least $n-t$ and at most $n$ ) are called correct; they follow their prescribed algorithm and do not stop prematurely. We assume an adversary that controls the scheduler and all Byzantine processes. We further assume that cryptographic primitives cannot be forged, namely, we assume an unforgeable signature scheme resistant against chosen message attacks.³³3We conjecture that the CAC abstraction cannot be implemented without cryptographic signatures.

In this paper, the word message refers to messages sent by the algorithm at the network level to implement an abstraction, they are sent and received. The word value, on the other hand, refers to the payloads disseminated at the user level by the abstractions, they are proposed and accepted (or decided in the case of consensus).

Finally, the CAC abstraction uses a best-effort (unreliable as a result of process failures) broadcast abstraction, noted $\mathsf{be\_broadcast}$ , as an underlying communication primitive. An invocation of $\mathsf{be\_broadcast}$ msg by a correct process $p_{i}$ sends the same message msg to all processes in $\Pi$ if not specified otherwise. We say that messages are “be-broadcast” and “received”.

Notations.

We denote by $\langle v_{1},...,v_{k}\rangle$ the $k$ -tuple containing the sequence of $k$ values $v_{1}$ to $v_{k}$ . The $\star$ symbol is used as the wildcard symbol (any value can be matched).

3 Contention-Aware Cooperation: Definition

3.1 Definition

The Contention-Aware Cooperation (CAC) object provides each process $p_{i}$ with (1) an operation denoted $\mathsf{cac\_propose}$ that allows it to propose a value and (2) two sets denoted $\mathit{accepted_{i}}$ and $\mathit{candidates}_{i}$ .⁴⁴4The $\mathit{candidates}_{i}$ set is the imperfect oracle mentioned in this paper’s introduction. When a process $p_{i}$ invokes $\mathsf{cac\_propose}(v)$ , we say that “ $p_{i}$ cac-proposes (in short “proposes”) the value $v$ ” (for clarity sometimes we also say that “ $p_{i}$ cac-proposes the pair $\langle v,i\rangle$ ”). When a pair $\langle v,j\rangle$ is added to the set $\mathit{accepted_{i}}$ of a process $p_{i}$ , we say that “ $p_{i}$ cac-accepts (in short “accepts”) $\langle v,j\rangle$ ”. For the sake of simplicity, when a pair $\langle v,j\rangle$ is cac-accepted, a $\mathsf{cac\_accept}(v,j)$ callback is triggered.

$\blacksquare$

The set $\mathit{accepted_{i}}$ is initially empty. It then grows monotonically, progressively adding a pair $\langle v,j\rangle$ for each value $v$ that is cac-accepted by $p_{i}$ from $p_{j}$ . Eventually, $\mathit{accepted_{i}}$ contains all the pairs $\langle v,j\rangle$ accepted by the CAC abstraction (and only them).
$\blacksquare$

The set $\mathit{candidates}_{i}$ is initialized to $\top$ , where $\top$ is defined as a symbolic value representing the identity element of the $\cap$ operation.⁵⁵5That is to say, for any set $S$ , $S\cap\top=\top\cap S=S$ , and the statement $S\subseteq\top$ is always true. Then, $\mathit{candidates}_{i}$ shrinks monotonically, and contains a dynamic estimation of the pairs $\langle v,j\rangle$ that have been or will be cac-accepted by process $p_{i}$ . Hence, $\mathit{accepted_{i}}\subseteq\mathit{candidates}_{i}$ always holds. More concretely, $\mathit{candidates}_{i}$ contains all the pairs $\langle v,j\rangle$ that have been already added to the $\mathit{accepted_{i}}$ set locally by $p_{i}$ along with some pairs $\langle v,k\rangle$ that may (or may not) be added to the set $\mathit{accepted_{i}}$ later on. Formally, if $\tau_{1}$ and $\tau_{2}$ are two arbitrary time points in the execution of $p_{i}$ (in no particular order, i.e., with either $\tau_{1}\leq\tau_{2}$ or $\tau_{1}\geq\tau_{2}$ ) and $x_{i}^{\tau_{k}}$ represents the value of variable $x_{i}$ at time $\tau_{k}$ , then $\mathit{candidates}_{i}$ satisfies $\mathit{accepted}^{\tau_{2}}_{i}\subseteq\mathit{candidates}^{\tau_{1}}_{i}$ . As a result, if a pair $\langle v,k\rangle$ is not in $\mathit{candidates}_{i}$ at some point, $p_{i}$ will never cac-accept this pair. Furthermore, if at some point $\tau$ , $p_{i}$ observes $\mathit{accepted}^{\tau}_{i}=\mathit{candidates}^{\tau}_{i}$ , then $p_{i}$ knows it has cac-accepted all values for this CAC instance. Let us notice that this case may never happen (see Section 3.2). The behavior of both types of sets is summarized in Figures 2 and 2.

Figure 1: During an execution, the

\mathit{accepted}_{i}

and

\mathit{candidates}_{i}

sets of a correct process

p_{i}

monotonically grows and shrinks, respectively.

Figure 2: After the execution, the

\mathit{accepted}

set is the same for all correct processes and is contained in the intersection of their

\mathit{candidates}

sets.

CAC specification.

Given a correct process $p_{i}$ and its associated $\mathit{candidates}_{i}$ and $\mathit{accepted_{i}}$ sets, the following properties define an instance of CAC abstraction.⁶⁶6It can easily be extended to a multi-shot version using execution identifiers such as sequence numbers.

$\blacksquare$

CAC-Validity. If $p_{i}$ and $p_{j}$ are correct, $\mathit{candidates}_{i}\neq\top$ , and $\langle v,j\rangle\in\mathit{candidates}_{i}$ ,

then $p_{j}$ cac-proposed value $v$ .
$\blacksquare$

CAC-Prediction. For any correct process $p_{i}$ and for any process identity $k$ , if, at some point of $p_{i}$ ’s execution, $\langle v,k\rangle\not\in\mathit{candidates}_{i}$ , then $p_{i}$ never cac-accepts $\langle v,k\rangle$ (i.e., $\langle v,k\rangle\not\in\mathit{accepted_{i}}$ holds forever).
$\blacksquare$

CAC-Non-triviality. For any correct process $p_{i}$ , $\mathit{accepted_{i}}\neq\varnothing$ implies $\mathit{candidates}_{i}\neq\top$ .
$\blacksquare$

CAC-Local-termination. If a correct process $p_{i}$ invokes $\mathsf{cac\_propose}(v)$ , its set $\mathit{accepted_{i}}$ eventually contains a pair $\langle v^{\prime},\star\rangle$ (note that $v^{\prime}$ is not necessarily $v$ ).
$\blacksquare$

CAC-Global-termination. If $p_{i}$ is a correct process and $\langle v,j\rangle\in\mathit{accepted_{i}}$ , eventually $\langle v,j\rangle\in\mathit{accepted_{k}}$ at every correct process $p_{k}$ .

The CAC-Validity property states that a correct process $p_{i}$ may include, in its $\mathit{candidates}_{i}$ set, and possibly cac-accept, a pair $\langle v,j\rangle$ from a correct process $p_{j}$ , only if $p_{j}$ cac-proposed value $v$ , i.e., only if there is no identity theft for correct processes. The CAC-Prediction property states that, if, at some point of $p_{i}$ ’s execution, some pair $\langle v^{\prime},k\rangle$ is no longer in $\mathit{candidates}_{i}$ , then $p_{i}$ will never accept $\langle v^{\prime},k\rangle$ . In other words, $\mathit{candidates}_{i}$ provides information about which pairs might be accepted by $p_{i}$ in the future. In particular, if a correct process $p_{i}$ cac-accepts a pair $\langle v,j\rangle$ , then $\langle v,j\rangle$ was present in $\mathit{candidates}_{i}$ from the start of $p_{i}$ ’s execution. (However, the converse is generally not true; the prediction provided by $\mathit{candidates}_{i}$ is, as such, imperfect.) This property is at the core of the cooperation provided by a CAC object. The CAC-Non-triviality property ensures that a trivial implementation that never updates $\mathit{candidates}_{i}$ is excluded. As soon as some process $p_{i}$ has accepted some pair $\langle v,k\rangle$ , its $\mathit{candidates}_{i}$ set must contain some explicit information about the pairs that might get accepted in the future.⁷⁷7Ignoring the symbolic value $\top$ , $\mathit{accepted_{i}}$ and $\mathit{candidates}_{i}$ remain finite sets throughout $p_{i}$ ’s execution.

The CAC-Local-termination property states that if a correct process cac-proposes a value $v$ , its $\mathit{accepted_{i}}$ set will not remain empty. Notice that this does not mean that the pair $\langle v,i\rangle$ will ever be added to $\mathit{accepted_{i}}$ . Finally, the CAC-Global-termination property states that eventually, the $\mathit{accepted}$ sets of all correct processes are equal. Let us notice that, in general, no process $p_{i}$ can know when no more pairs will be added to its set $\mathit{accepted_{i}}$ .

3.2 Termination of the CAC abstraction

It follows from the definition that, for some correct process $p_{i}$ , if $\mathit{candidates}_{i}=\mathit{accepted_{i}}$ , then $p_{i}$ will not cac-accept any new pair $\langle v,j\rangle$ . Using the notations from Section 1.1, we see that $\ell=|\mathit{candidates}_{i}|=|\mathit{accepted_{i}}|$ . In this specific case, $p_{i}$ can detect without ambiguity that the CAC execution has terminated (i.e., $p_{i}$ will not receive any other pair). $p_{i}$ also knows that all other correct processes will eventually receive exactly the pairs contained in $\mathit{accepted_{i}}$ . We say that $p_{i}$ knows it terminated.

The most obvious example of “known termination” is when only one process cac-proposes (or is perceived to cac-propose) a value. In this case, by CAC-Validity, $|\mathit{candidates}_{i}|$ eventually equals $1$ .

However, in the general case, there might be runs where $|\mathit{candidates}_{i}|>|\mathit{accepted_{i}}|$ during the whole execution of the abstraction. In this case, $p_{i}$ will not be able to know if it has terminated or if new pairs might be added to the $\mathit{accepted_{i}}$ set. This is an inherent feature of the CAC abstraction, but, as we will see in Section 5, this does not prevent the abstraction from being appropriate to solve complex coordination problems.

Another side effect of the abstraction is that, it is possible for a correct process $p_{j}$ to know it terminated because $\mathit{candidates}_{i}=\mathit{accepted_{i}}$ , while some other correct process $p_{j}$ might never detect its own termination, because $|\mathit{candidates}_{j}|>|\mathit{accepted_{j}}|$ during the whole run, even though $p_{j}$ will not cac-accept any additional value.

3.3 CAC with proofs of acceptance

The properties of the CAC abstraction imply that processes cac-accept pairs asynchronously and in different orders. In some applications, correct processes must prove to others that they have legitimately cac-accepted some pair $\langle v,j\rangle$ . To support such use cases, the CAC definition can be enriched with transferable proofs of acceptance that a process can use to convince others that the underlying algorithm has been respected.

When using proofs of acceptance, the elements in the $\mathit{accepted}_{i}$ sets become triplets $\langle v,j,\pi_{v}\rangle$ , where $\pi_{v}$ is a cryptographic construct that serves as proof that $\langle v,j\rangle$ was added to $\mathit{accepted}_{i}$ while following the prescribed algorithm. We say that $\pi_{v}$ is valid if there exists a function $\mathsf{Verify}$ such that, for any value $v$ and any proof of acceptance $\pi_{v}$ pertaining to $v$ , the following property holds:

\mathsf{Verify}(v,\pi_{v})=\mathtt{true}\iff\operatorname{\exists\,}p_{i}\text% { correct such that, eventually, }\langle v,\star,\pi_{v}\rangle\in\mathit{% accepted_{i}}.

(1)

When $\mathsf{Verify}(v,\pi_{v})=\mathtt{true}$ , we say that $\pi_{v}$ is valid, and by extension that the triplet $\langle v,j,\pi_{v}\rangle$ is valid. When using proofs of acceptance, all properties of the CAC abstraction are modified to use $\langle v,j,\pi_{v}\rangle$ triplets. In this case, the $\mathit{accepted}$ sets contain triplets (the $\mathsf{cac\_propose}$ operation and the $\mathit{candidates}$ sets remain unchanged).

4 CAC: a simple, sub-optimal implementation

This section presents an implementation of the CAC abstraction for $n>4t$ . Although this implementation is sub-optimal from a resilience perspective, its goal is to convince the reader that the CAC abstraction can be implemented in an easy-to-understand manner.⁸⁸8A CAC algorithm that is optimal in terms both of Byzantine resilience ( $n>3t$ ) and best-case latency is presented in the full version of this paper [2]. This second algorithm also fulfills the proof of acceptance property.

Algorithm 1 works in two phases (the witness phase and the ready phase), each of them using a specific type of signature (witSig and readySig). During the witness phase, $p_{i}$ disseminates ${\textsc{witSig}}(p_{i},\langle v,j\rangle)$ to acknowledge that a value $v$ was cac-proposed by process $p_{j}$ . As it is signed by $p_{i}$ , it cannot be forged. During the ready phase, processes exchange readySig signatures to collect information about potential competing values that have been cac-proposed simultaneously, to ensure the CAC-Prediction property. A ${\textsc{readySig}}(p_{i},M_{i})$ signature by $p_{i}$ embeds a set $M_{i}$ containing a critical mass of witSig signatures. Correct processes need to gather enough readySig signatures to construct their $\mathit{candidates}$ and $\mathit{accepted}$ sets.

Algorithm 1 One-shot sig-based CAC implementation assuming

n>4t

(code for

p_{i}

).

The algorithm works as follows. When a process $p_{i}$ invokes $\mathsf{cac\_propose}(v)$ , it first verifies that it has not already cac-proposed a value, or that it did not already $\mathsf{be\_broadcast}$ any witSig (line 3). If this verification passes, $p_{i}$ produces a witSig for the pair $\langle v,i\rangle$ , and be-broadcasts it in a bundle message. This type of message can simultaneously carry witSig and readySig. As a result, each correct process disseminates its complete current knowledge whenever it be-broadcasts a bundle message. Eventually, this witSig will be received by all the correct processes.

Let us consider a correct process $p_{j}$ that receives the bundle message, which contains the signature ${\textsc{witSig}}(p_{i},\langle v,i\rangle)$ . Firstly, $p_{j}$ checks if the initiator’s signature is in the bundle (line 8) and, if so, it saves all the valid signatures into the $\mathit{sigs_{j}}$ variable; otherwise, it stops processing this message as the sender is Byzantine.

Secondly, if $p_{j}$ did not already sign (and be-broadcast) a witSig, it produces a witSig for the pair $\langle v,i\rangle$ and be-broadcasts it (lines 10-12). If there are multiple signatures on $\langle v,\star\rangle$ in $\mathit{sigs}_{j}$ , line 11 imposes that the $p_{j}$ chooses and signs only one of those pairs. Thirdly, $p_{j}$ checks whether it can sign and send a readySig. When it receives witSig signatures from at least $n-t$ processes, $p_{j}$ produces a readySig on a set of messages $M_{j}$ and disseminates it (lines 13-16). $M_{j}$ contains all the witSig received by $p_{j}$ . This readySig is added to the $\mathit{sigs_{j}}$ set and be-broadcast in a bundle message. Hence, the information about the witSigs known by $p_{j}$ will be received by every correct process along with the readySig, thus ensuring the CAC-Global-termination property.

Finally, $p_{i}$ verifies if it can cac-accept a value. To this end, it waits for readySig signatures from $n-t$ processes, then it cac-accepts all values that are present in at least $2t+1$ sets $M$ (lines 17-21). The $2t+1$ bound and the assumption that $n>4t$ ensure that, if $p_{i}$ cac-accepts a value later on, then it has already been added to the $\mathit{candidates}_{i}$ set, thus ensuring the CAC-Prediction property. A $\mathsf{cac\_accept}$ callback is triggered at this point, it is used by algorithms that build upon CAC to know when new values are added to the $\mathit{accepted}$ set. For space reasons, the proof of correctness of Algorithm 1 is provided in the full version of this paper [2].

5 CAC in Action: Solving Low Contention Problems

The CAC abstraction can solve cooperation problems by combining the optimistic conflict avoidance of the abstraction with a back-off strategy when conflicts occur. This section thoroughly explores two of these applications. The first one is a solution to a new naming problem, called short naming. The naming problem makes it possible for processes to claim new names and to associate them with a public key. Short naming is a variant of the naming problem where the new names attributed to processes have low entropy. The CAC abstraction naturally lends itself to such a problem, as it allows runs in which a single proposer puts forward a value and directly obtains agreement on it, thus capturing the case where a process successfully claims a unique short-name for itself.⁹⁹9By contrast, weak agreement primitives such as crusader agreement [16, 4] require all correct processes to propose a value in every execution, leading to a mismatch with the short-naming problem. Using crusader agreement in a short-naming algorithm would, for instance, require a convoluted strategy in which a correct process $p_{i}$ first advertises its claim to some name $v$ , so that other processes can support this claim by proposing the pair $(i,v)$ .

The second application studied is the well known consensus problem. We explore a CAC-based solution to this problem denoted Cascading Consensus, a new optimistically terminating consensus algorithm that ensures an early decision in favorable circumstances. Moreover, this algorithm uses information provided by the CAC abstraction to reduce synchronization and communication complexity in case of contention. More precisely, this algorithm uses the CAC abstraction to disseminate values. If contention occurs, i.e., if termination is not guaranteed, then only the processes that proposed a value participate in the conflict resolution. This behavior is made possible thanks to the information given by the $\mathit{candidates}$ set. In that sense, this algorithm goes beyond similar existing solutions [43, 40, 48, 33, 35], and, to the best of our knowledge, the CAC abstraction is the only existing abstraction that makes it possible to implement an algorithm with such a behavior. These examples could be extended to many other distributed applications, e.g., shared account asset-transfer protocols, access control, naming services, etc.

The goal of this section is to present new ways of solving distributed problems using the CAC abstraction. We would like to remind the reader that the main contributions of this paper are the definition, the formalisation and the implementation of the CAC abstraction, not its applications. Furthermore, as far as we know, the behavior of this abstraction is fundamentally different from what has been proposed before. Hence, comparisons with existing work would require extended experimental analysis, which is out of the scope of this paper.

5.1 The fault-tolerant asynchronous shortnaming problem

Many distributed applications, including cryptocurrency [11, 45, 55], decentralized identity management [24, 27, 44], or distributed storage [56], involve numerous participating devices that are typically identified by their public keys. For practical purposes, however, applications often choose shorter, more human-manageable names for devices. To formalize this, we define $\mathsf{shortnaming}$ as the problem of choosing such short human-manageable names. A $\mathsf{shortnaming}$ object provides each process $p_{i}$ with one operation $n_{i}\leftarrow\mathsf{\mathsf{shortnaming}\_Claim}(\mathit{pk},\pi)$ that allows it to claim a name $n_{i}$ , starting from its public key, $\mathit{pk}$ , and its proof of knowledge of the associated secret key, $\pi$ . The object also provides $p_{i}$ with an (initially empty) set $\mathit{Names}_{i}$ , which associates names with public keys. A $\mathit{Names}_{i}$ set is composed of triples $\langle n,\mathit{pk},\pi\rangle$ where $n$ is the attributed name, $\mathit{pk}$ is the associated public key, and $\pi$ and the proof of knowledge of the corresponding secret key. The object provides the following properties.

$\blacksquare$

SN-Unicity. Given a correct process $p_{i}$ , $\operatorname{\forall\,}\langle n_{j},\mathit{pk}_{j},\pi_{j}\rangle,\langle n% _{k},\mathit{pk}_{k},\pi_{k}\rangle\in\mathit{Names}_{i}$ , either $n_{j}\neq n_{k}$ or $j=k$ .
$\blacksquare$

SN-Short-names.¹⁰¹⁰10The function $\mathsf{Max\_Common\_Prefix}()$ outputs the longest common prefix between two string,
e.g., $\mathsf{Max\_Common\_Prefix}(\mathtt{``abcdefg"},\mathtt{``abcfed"})=\mathtt{`% `abc"}$ . If all processes are correct, and given one correct process $p_{i}$ , eventually we have $\operatorname{\forall\,}\langle n_{j},\mathit{pk}_{j},\star\rangle,\langle n_{% k},\mathit{pk}_{k},\star\rangle\in\mathit{Names}_{i}$ :
If $|\mathsf{Max\_Common\_Prefix}(\mathit{pk}_{j},\mathit{pk}_{k})|\geq|\mathsf{% Max\_Common\_Prefix}(\mathit{pk}_{j},\mathit{pk}_{\ell})|,\operatorname{% \forall\,}\langle\star,\mathit{pk}_{\ell},\star\rangle\in\mathit{Names}_{i}$ then $|\mathsf{Max\_Common\_Prefix}(\mathit{pk}_{j},\mathit{pk}_{k})|+1\geq|n_{j}|$ .
$\blacksquare$

SN-Agreement. Let $p_{i}$ and $p_{j}$ be two correct processes. If $\langle n,\mathit{pk},\pi\rangle\in\mathit{Names}_{i}$ and if the process that invoked $\mathsf{\mathsf{shortnaming}\_Claim}(\mathit{pk},\pi)$ is correct, then eventually $\langle n,\mathit{pk},\pi\rangle\in\mathit{Names}_{j}$ .
$\blacksquare$

SN-Termination. If a correct process $p_{i}$ invokes $\mathsf{\mathsf{shortnaming}\_Claim}(\mathit{pk},\pi)$ , then eventually $\langle\star,\mathit{pk},\star\rangle\in\mathit{Names}_{i}$ .

The SN-Short-names property captures the fact that the names given to the processes are as short as possible, thereby being easy to remember for humans. If there are no Byzantine processes, each name should be the smallest possible when comparing it to other attributed names. The property only considers this difference eventually, i.e., while a process might have successfully claimed a name, it may take a long time for the process it was concurring with to get its own name.

Existing shortnaming approaches.

Existing systems follow either of two approaches, which, however, do not solve exactly the $\mathsf{shortnaming}$ problem.

$\blacksquare$

The first approach ignores the input public keys and relies on consensus. Each process chooses its name, independently of its public key, and submits it to the consensus algorithm. In case of contention, the consensus algorithm decides which process wins in a first-come, first-served manner. The problem with this method is that it leverages consensus – hence requiring additional computability power (e.g., partial synchrony or randomization), even if the probability of contention is low. Examples of this solution are NameCoin [32], Ethereum Name Service [31], and DNSSec [30].
$\blacksquare$

The second method directly uses the input public keys as the name and does not require consensus. If the underlying cryptography is perfectly secure and secret keys are only known to their legitimate users, then the associated public keys are assumed unique, and no conflict can occur because no two processes can claim the same name. The problem with this method is that it does not satisfy the SN-Short-names property as public keys consist of long chains of random characters, which are hard for humans to remember. Some systems circumvent the problem by using functions to map a random string to something that humans can remember: petname systems [22], tripphrases [57], or Proquint IDs [58]. However, these techniques do not reduce the entropy of the identifier, and they are mainly used to prevent identity theft (e.g., phishing).

Solving shortnaming with CAC.

Assuming perfect public/private keys, the CAC primitive makes it possible to satisfy the SN-Short-names property of $\mathsf{shortnaming}$ without requiring consensus. The idea is to let processes claim sub-strings of their public keys. For example, let a process $p$ have a public key $\mathtt{``abcdefghij"}$ . It will first claim the name $\mathtt{``a"}$ using one instance of the CAC primitive. If there is no conflict, i.e., if the size of the $\mathit{candidates}$ set is $1$ after the first acceptance, then the name $\mathtt{``a"}$ belongs to $p$ and is associated with its public key. On the other hand, if there is a conflict, i.e., another process claimed the name $\mathtt{``a"}$ and the size of the candidate set is strictly greater than $1$ after the first acceptance, then $p$ claims the name $\mathtt{``ab"}$ . This procedure ensures that a process can always obtain a name. Indeed, because we assume perfect cryptographic primitives, only one process knows the secret key associated with its public key. Therefore, if $p$ conflicts with all its claims on the subsets of its public key, it will eventually claim the name $\mathtt{``abcdefghij"}$ . No other process can claim the same name and prove it knows the associated secret key. We formally describe this algorithm and prove that it solves the $\mathsf{shortnaming}$ problem in the full version of this paper.

5.2 A “synchronize only when needed” CAC-based consensus algorithm: Cascading Consensus

Consensus definition.

Consensus is a cooperation abstraction that allows a set of processes to agree on one of the values proposed by one of them. Consensus offers one operation propose and one callback decide and is defined by the following four properties.

$\blacksquare$

C-Validity. If all processes are correct and a process decides a value $v$ , then $v$ was proposed by some process.
$\blacksquare$

C-Agreement. No two correct processes decide different values.
$\blacksquare$

C-Integrity. A correct process decides at most one value.
$\blacksquare$

C-Termination. If a correct process proposes a value $v$ , then all correct processes eventually decide some value (not necessarily $v$ ).

Note that this definition differs slightly from the usual theoretical definition of consensus in that not all processes need to participate in all executions. This reflects what happens in practical consensus-based systems [18], including cryptocurrencies [41], denylists [25], or auditable registers [3]. In particular, the C-Termination property only guarantees termination when some correct process proposes a value.

A novel CAC-based cascading consensus algorithm.

Building upon the CAC abstraction, we present a new consensus algorithm, called Cascading Consensus (CC), that adopts an optimistic contention-aware strategy to offer several fast paths for a varying set of favorable circumstances, including non-unanimous settings. This contrasts with existing optimistic consensus algorithms, which can typically only exploit one (usually unanimity). Specifically, if $n\geq 5t+1$ and there is unanimity, CC decides in 2 rounds without synchrony – as one cac instance suffices – thus matching the best existing algorithms for this case [52, 53, 60] (Table 1). If $n\geq 3t+1$ and there is unanimity, CC decides in 3 rounds without synchrony, surpassing existing optimistic algorithms that either terminate in more than 3 rounds [15, 34] and/or require synchrony to exploit their fast path [12, 28, 34, 38, 49, 60] (Table 1). When there is no unanimity, CC further offers a progressive degradation of its fast-path, in contrast with existing unanimity-based algorithms [1, 12, 15, 28, 38, 52, 53, 60], which fall back to a “slow-path” as soon as several conflicting values are proposed. Specifically, CC leverages the fact that not all processes need to propose a value to restrict conflict resolution to the set of processes that actually issued proposals. This yields two advantages. (i) These few processes are more likely to experience synchronous network phases [7] (which are required to guarantee that a deterministic consensus algorithm terminates [8, 17, 19]), and (ii) these “restricted” synchronous phases tend to exhibit shorter network delays, leading to overall heightened efficiency. This local approach is more efficient than full-scale consensus as validated by a recent experimental study [7].

In a nutshell, CC disseminates messages over the entire system using the CAC implementation presented in the full version of this paper extended with proofs of acceptance (cf. Section 3.3). When the first CAC dissemination fails to deliver a (fast) decision, CC exploits a Restrained Consensus algorithm (solving a relaxed consensus variant defined in the full version of this paper). This algorithm makes it possible for a subset $\Pi^{\prime}$ of processes to agree on a set of values, and to prove to the rest of the system that all the processes in $\Pi^{\prime}$ did agree on this value. Hence, it makes it possible to solve the consensus problem locally, and to inform other processes about the result of this consensus. Both the CAC and Cascading Consensus algorithms are fully asynchronous, i.e., they do not require any (partial) synchrony assumptions.

Restrained Consensus, on the other hand, may fail to terminate if there are Byzantine processes or if the network behaves asynchronously (exhibiting long delays). For this reason, Cascading Consensus combines Restrained Consensus with timers as a first fallback strategy to resolve conflicts rapidly among a small subset of processes during favorable synchronous phases. When circumstances are unfavorable (e.g. when network delays exceed timeouts, or under Byzantine failures), the timer expires, and CC falls back to a slow-path mode, which guarantees safety properties in all cases, and terminates (albeit more slowly). Note that the use of timers does not prevent CC from working under asynchrony. Timers are local, and when they expire, CC can fall back to a probabilistic asynchronous or to a partially synchronous algorithm.

CC leverages four sub-algorithms (two CAC instances, an instance of Restrained Consensus, and an instance of a standard consensus, which is used as fallback). It works in four steps, each step being associated with a termination condition that is more likely to be met than the previous one (as shown experimentally in [7]).

In the first step, processes propose values using the first CAC instance. Let $p_{i}$ be a process that proposed a value. If there is no contention (contention-awareness) i.e., the $\mathit{candidates}_{i}$ set of the first CAC instance has size $1$ , $p_{i}$ can terminate: the value proposed by $p_{i}$ becomes the decided value. Otherwise, if the size of the $\mathit{candidates}_{i}$ set is greater than $1$ after cac-accepting the value proposed by $p_{i}$ , $p_{i}$ must resolve the conflict with the other processes that proposed a value, whose pairs are in $\mathit{candidates}_{i}$ (contention-awareness). In this case, conflicting processes proceed to a second step, which involves an instance of the Restrained Consensus (RC) algorithm presented in the full version of this paper. If the conflicting processes are correct and benefit from stable network delays, the RC algorithm is guaranteed to succeed. In this case, the concerned processes disseminate the result of this step to the whole system using the second CAC instance (third step). If, on the other hand, some of the processes participating in the RC algorithm are Byzantine, or if messages from correct processes are delayed too much, the RC algorithm fails. This failure is detected by the second CAC instance (third step), which, in this case, returns $\mathit{candidates}$ sets with more than $1$ pair (contention-awareness). In this case, the Cascading Consensus algorithm proceeds to its final fourth step, handing the final decision to a Global Consensus (GC), i.e., any consensus algorithm based on additional assumptions such as partial synchrony [8, 17, 19], randomization [6, 42], or information on failures [13]. The implementation of GC can be chosen without any constraint. For example, if an asynchronous probabilistic consensus algorithm is chosen to instantiate GC, then CC implements consensus under fully asynchronous assumptions.

Note that, in a single execution, not all processes necessarily perform the same number of steps. For example, some processes may accept a single value after 2 rounds, reaching a decision in the first CAC instance. Other processes may, instead, require additional steps to reach the same decision because their candidate set contains additional values. The CAC-Prediction property guarantees that the latter processes can only accept the value accepted by the former.

Table 2: Notations for the different abstractions used in this section.

Abstraction

Operations

Communication

# participants

Contention-Aware

Cooperation (CAC)

\mathsf{cac\_propose}(v)

\mathsf{cac\_accept}(v,i)

Asynchronous

n

Cascading

Consensus (CC)

\mathsf{ccons\_propose}(v)

\mathsf{ccons\_decide}(v)

Async. for whole system

Sync. for RC

n

Restrained

Consensus (RC)

\mathsf{rcons\_propose}(v)

\mathsf{rcons\_select}(E,S_{e},S_{r})

\mathsf{rcons\_no\_selection}()

Synchronous

\ell

(where typically

\ell\ll n

)

Global

Consensus (GC)

\mathsf{gcons\_propose}(v)

\mathsf{gcons\_decide}(v)

Any

n

Table 3: Summary of the “progressively degrading” conditions of Cascading Consensus (instantiated with the optimal CAC algorithm presented in the full version of this paper), and their associated round complexity.

Condition

Assumpt.

needed

Execution path

Nb of system-

wide rounds

Nb of

RC rounds

Unanimity (fast path)

n>5t

CAC_{1}

(fast path)

2

N/A

Unanimity (slow path)

n>3t

CAC_{1}

(slow path)

3

N/A

All procs of RC

correct and sync.

n>5t

CAC_{1}

;

R C

;

CAC_{2}

(fast path)

4

1

All procs of RC

correct and sync.

n>3t

CAC_{1}

;

R C

;

CAC_{2}

(slow path)

5

1

\geq 1

Byzantine proc. in

RC or async. period

n>3t

CAC_{1}

;

R C

;

CAC_{2}

;

G C

5 +

G C

rounds

1

Table 3 summarizes the termination conditions of the CC algorithm and their associated round complexity. The table considers two types of rounds: the fourth column counts system-wide rounds – i.e., for one asynchronous round, each process has to send $n$ messages. The final column counts the asynchronous rounds executed by RC– i.e., for RC round, the $\ell$ processes that execute RC have to send a message to all other $\ell-1$ involved processes. With fewer processes involved, the asynchronous rounds of RC will typically be faster (measured in wall-clock time) than those of the whole network [7]. The “execution path” column details where in the algorithm a process terminates by listing the sub-algorithm instances (noted $CAC_{1}$ , $R C$ , $CAC_{2}$ , and $G C$ ) that intervene in a process execution. For instance, the first row describes the most favorable scenario in which a correct process terminates after the first two rounds of the first CAC instance.¹¹¹¹11In the table, Unanimity refers to the unanimity of the proposers (since not all processes are required to propose in our algorithm). We have omitted an even more favorable case, in which all correct processes propose the same value (i.e., there is a pre-agreement between correct processes), and Byzantine processes remain silent. In this limit case, CC saves one further round under the conditions presented in the first two rows: it decides in one round when $n>5t$ and two rounds when $n>3t$ .

We detail the workings of the Restrained Consensus algorithm (RC), and the operations of Cascading Consensus in the full version of this paper.

6 Conclusion

The paper has introduced a new cooperation abstraction denoted “Contention-Aware Cooperation” (CAC). This abstraction allows an arbitrary set of processes to propose values while multiple value acceptances are triggered. Furthermore, each acceptance comes with information about other acceptances that can possibly occur. This paper is the first to formalize such a cooperation abstraction. Two implementations of CAC have been presented. The first one is a simple algorithm that works in asynchronous networks when $n>4t$ . The second is a latency and Byzantine resilient optimal implementation, which uses fine-tuned thresholds to improve efficiency and reduce the probability of contention. This second implementation works in three asynchronous rounds if $n>3t$ and in two asynchronous rounds in favorable cases when $n>5t$ .

This new cooperation abstraction can be used in low-contention distributed applications to improve efficiency or remove the need for synchronization. The paper proposed two such examples, where the CAC abstraction can be used to build distributed algorithms. The first is an optimistically terminating consensus algorithm denoted Cascading Consensus. This algorithm (as some other consensus algorithms, e.g., [10, 52]), can optimistically terminate when there is no contention or when the inputs satisfy specific patterns. However, differently from other algorithms that do not use the CAC abstraction, Cascading Consensus is the first to use information about contention to restrain synchronization to the processes that actually proposed a value. Furthermore, unlike other optimistically terminating consensus algorithms, cascading consensus terminates optimistically even if multiple processes propose different values. The second example is a short-naming algorithm, which works deterministically in fully asynchronous networks. It allows processes to claim shorter names based on their public keys. However, contrary to other asynchronous naming algorithms, the claimed name is a sub-string of the public key, thus reducing the size of the name space, making it easier for humans to handle. This paper is the first to introduce this new solution for the naming problem, where the entropy of names can be reduced in fully asynchronous networks, where processes can be faulty.

More generally, the CAC abstraction can be used to optimistically or deterministically solve other distributed cooperation problems where contention is low, e.g., shared account asset-transfer protocols [5, 14, 29], or distributed access control mechanism [25, 27]. These applications will be explored in future work.

Finally, another interesting direction for future work would be to design an algorithm that implements CAC without cryptographic signatures, or to prove that such an algorithm does not exist.

References

[1] Michael Abd-El-Malek, Gregory R. Ganger, Garth R. Goodson, Michael K. Reiter, and Jay J. Wylie. Fault-scalable Byzantine fault-tolerant services. Proc. 20th ACM Symposium on Operating Systems Principles (SOSP’05), 39:59–74, 2005. doi:10.1145/1095810.1095817.
[2] Timothé Albouy, Davide Frey, Mathieu Gestin, Michel Raynal, and François Taïani. Contention aware cooperation. CoRR, abs/2311.08776, 2025. doi:10.48550/arXiv.2311.08776.
[3] Hagit Attiya, Antonella Del Pozzo, Alessia Milani, Ulysse Pavloff, and Alexandre Rapetti. The Synchronization Power of Auditable Registers. In Alysson Bessani, Xavier Défago, Junya Nakamura, Koichi Wada, and Yukiko Yamauchi, editors, 27th International Conference on Principles of Distributed Systems (OPODIS 2023), volume 286 of Leibniz International Proceedings in Informatics (LIPIcs), pages 4:1–4:23, Dagstuhl, Germany, 2024. Schloss Dagstuhl – Leibniz-Zentrum für Informatik. doi:10.4230/LIPIcs.OPODIS.2023.4.
[4] Hagit Attiya and Jennifer L. Welch. Multi-valued connected consensus: A new perspective on crusader agreement and adopt-commit. In OPODIS, volume 286 of LIPIcs, pages 6:1–6:23. Schloss Dagstuhl – Leibniz-Zentrum für Informatik, 2023. doi:10.4230/LIPICS.OPODIS.2023.6.
[5] Alex Auvolat, Davide Frey, Michel Raynal, and François Taïani. Money transfer made simple: a specification, a generic algorithm, and its proof. Bulletin of EATCS, 132:22–43, 2020. URL: http://eatcs.org/beatcs/index.php/beatcs/article/view/629.
[6] Michael Ben-Or. Another advantage of free choice (extended abstract): Completely asynchronous agreement protocols. In Proc. 2nd ACM Symposium on Principles of Distributed Computing (PODC’83), pages 27–30, 1983.
[7] Christian Berger, Lívio Rodrigues, Hans P. Reiser, Vinicius Cogo, and Alysson Bessani. Chasing lightspeed consensus: Fast wide-area Byzantine replication with mercury. In Middleware’24, pages 158–171. Association for Computing Machinery, 2024. doi:10.1145/3652892.3700756.
[8] Zohir Bouzid, Achour Mostéfaoui, and Michel Raynal. Minimal synchrony for Byzantine consensus. In Proc. 34th ACM Symposium on Principles of Distributed Computing (PODC’15), pages 461–470. ACM, 2015. doi:10.1145/2767386.2767418.
[9] Gabriel Bracha and Sam Toueg. Asynchronous consensus and broadcast protocols. J. ACM, 32(4):824–840, 1985. doi:10.1145/4221.214134.
[10] Francisco Vilar Brasileiro, Fabíola Gréve, Achour Mostéfaoui, and Michel Raynal. Consensus in one communication step. In Proc. 6th International Conf. on Parallel Computing Technologies (PaCT’01), LNCS 2127, pages 42–50. Springer, 2001. doi:10.1007/3-540-44743-1_4.
[11] Vitalik Buterin. Ethereum: A next-generation smart contract and decentralized application platform, 2014.
[12] Miguel Castro and Barbara Liskov. Practical Byzantine fault tolerance and proactive recovery. ACM Trans. Comput. Syst., 20(4):398–461, 2002. doi:10.1145/571637.571640.
[13] Tushar Deepak Chandra, Vassos Hadzilacos, and Sam Toueg. The weakest failure detector for solving consensus. J. ACM, 43(4):685–722, 1996. doi:10.1145/234533.234549.
[14] Daniel Collins, Rachid Guerraoui, Matteo Monti, Athanasios Xygkis, Matej Pavlovic, Petr Kuznetsov, Yvonne-Anne Pignolet, Dragos-Adrian Seredinschi, and Andrei Tonkikh. Online payments by merely broadcasting messages. In Proc. 50th Int’l Conference on Dependable Systems and Network (DSN20), pages 1–13. IEEE, 2020.
[15] James Cowling, Daniel Myers, Barbara Liskov, Rodrigo Rodrigues, and Liuba Shrira. HQ replication: A hybrid quorum protocol for Byzantine fault tolerance. In Proc. 7th Symposium on Operating Systems Design and Implementation (OSDI’06), pages 177–190, 2006. URL: http://www.usenix.org/events/osdi06/tech/cowling.html.
[16] Danny Dolev. The Byzantine generals strike again. J. Algorithms, 3(1):14–30, 1982. doi:10.1016/0196-6774(82)90004-9.
[17] Danny Dolev, Cynthia Dwork, and Larry J. Stockmeyer. On the minimal synchronism needed for distributed consensus. J. ACM, 34(1):77–97, 1987. doi:10.1145/7531.7533.
[18] Sisi Duan, Michael K. Reiter, and Haibin Zhang. BEAT: asynchronous BFT made practical. In Proc. 25th ACM SIGSAC Conference on Computer and Communications Security (CCS’18), pages 2028–2041. ACM, 2018. doi:10.1145/3243734.3243812.
[19] Cynthia Dwork, Nancy A. Lynch, and Larry J. Stockmeyer. Consensus in the presence of partial synchrony. J. ACM, 35(2):288–323, 1988. doi:10.1145/42282.42283.
[20] Paul Feldman and Silvio Micali. Optimal algorithms for byzantine agreement. In STOC, pages 148–161. ACM, 1988. doi:10.1145/62212.62225.
[21] Pesech Feldman and Silvio Micali. An optimal probabilistic protocol for synchronous Byzantine agreement. SIAM J. Comput., 26(4):873–933, 1997. doi:10.1137/S0097539790187084.
[22] Md. Sadek Ferdous, Audun Jøsang, Kuldeep Singh, and Ravishankar Borgaonkar. Security usability of petname systems. In Identity and Privacy in the Internet Age, pages 44–59, 2009. doi:10.1007/978-3-642-04766-4_4.
[23] Michael J. Fischer, Nancy A. Lynch, and Michael S. Paterson. Impossibility of distributed consensus with one faulty process. J. ACM, 32:374–382, 1985. doi:10.1145/3149.214121.
[24] Sovrin Foundation. Sovrin: A protocol and token for self-sovereign identity and decentralized trust. Technical report, Sovrin Foundation, 2018.
[25] Davide Frey, Matthieu Gestin, and Michel Raynal. The synchronization power (consensus number) of access-control objects: the case of allowlist and denylist. In Proc. 37th Int’l Symposium on Distributed Computing (DISC’23), volume 281 of LIPICs, pages 21:1–21:23, 2023. doi:10.4230/LIPICS.DISC.2023.21.
[26] Eli Gafni. Round-by-round fault detectors: Unifying synchrony and asynchrony (extended abstract). In Proc. 17th ACM Symposium on Principles of Distributed Computing (PODC’98), pages 143–152. ACM, 1998. doi:10.1145/277697.277724.
[27] Mathieu Gestin. Privacy Preserving and fully-Distributed Identity Management Systems. PhD thesis, Université de Rennes, 2024.
[28] Yossi Gilad, Rotem Hemo, Silvio Micali, Georgios Vlachos, and Nickolai Zeldovich. Algorand: Scaling Byzantine agreements for cryptocurrencies. In Proceedings of the 26th Symposium on Operating Systems Principles, Shanghai, China, October 28-31, 2017, SOSP ’17, pages 51–68, New York, NY, USA, 2017. doi:10.1145/3132747.3132757.
[29] Rachid Guerraoui, Petr Kuznetsov, Matteo Monti, Matej Pavlovič, and Dragos-Adrian Seredinschi. The consensus number of a cryptocurrency. Distributed Computing, 35:1–15, 2022. doi:10.1007/S00446-021-00399-2.
[30] P. Hoffman. Dns security extensions (dnssec), 2023.
[31] N Johnson and V Griffith. Ethereum name service, 2018.
[32] Harry A Kalodner, Miles Carlsten, Paul M Ellenbogen, Joseph Bonneau, and Arvind Narayanan. An empirical study of namecoin and lessons for decentralized namespace design. In WEIS, volume 1, pages 1–23, 2015.
[33] Lefteris Kokoris-Kogias, Alberto Sonnino, and George Danezis. Cuttlefish: Expressive fast path blockchains with fastunlock. CoRR, abs/2309.12715, 2023. doi:10.48550/arXiv.2309.12715.
[34] Ramakrishna Kotla, Lorenzo Alvisi, Mike Dahlin, Allen Clement, and Edmund Wong. Zyzzyva: speculative Byzantine fault tolerance. In Proceedings of the 21st ACM Symposium on Operating Systems Principles 2007, SOSP 2007, Stevenson, Washington, USA, October 14-17, 2007, SOSP ’07, pages 45–58, 2007. doi:10.1145/1294261.1294267.
[35] Petr Kuznetsov, Andrei Tonkin, and Yan Zang. Revisiting optimal resilience of fast Byzantine consensus. In Proc. 40th ACM Symposium on Principles of Distributed Computing (PODC’21), pages 343–353, 2021.
[36] Leslie Lamport. The part-time parliament. ACM Trans. Comput. Syst., 16(2):133–169, 1998. doi:10.1145/279227.279229.
[37] Leslie Lamport. Fast Paxos. Distributed Computing, 19:79–103, 2006. doi:10.1007/S00446-006-0005-X.
[38] Leslie Lamport. Lower bounds for asynchronous consensus. Distributed Computing, 19:104–125, 2006. doi:10.1007/S00446-006-0155-X.
[39] Leslie Lamport, Robert E. Shostak, and Marshall C. Pease. The Byzantine generals problem. ACM Trans. Program. Lang. Syst., 4(3):382–401, 1982. doi:10.1145/357172.357176.
[40] Jean-Philippe Martin and Lorenzo Alvisi. Fast Byzantine consensus. IEEE Trans. Dependable Secur. Comput., 3(3):202–215, 2006. doi:10.1109/TDSC.2006.35.
[41] Andrew Miller, Yu Xia, Kyle Croman, Elaine Shi, and Dawn Song. The honey badger of BFT protocols. In Proc. 23rd ACM Conference on Computer and Communications Security (CCS’16), pages 31–42, 2016. doi:10.1145/2976749.2978399.
[42] Achour Mostéfaoui, Hamouma Moumen, and Michel Raynal. Signature-free asynchronous binary Byzantine consensus with $t>n/3$ , $o(n^{2})$ messages, and $o(1)$ expected time. J. ACM, 2015. doi:10.1145/2785953.
[43] Achour Mostéfaoui and Michel Raynal. Low cost consensus-based atomic broadcast. In Proc. 2000 Pacific Rim International Symposium on Dependable Computing (PRDC’00), pages 45–52. IEEE Computer Society, 2000. doi:10.1109/PRDC.2000.897283.
[44] Alexander Mühle, Andreas Grüner, Tatiana Gayvoronskaya, and Christoph Meinel. A survey on essential components of a self-sovereign identity. Computer Science Review, 30:80–86, November 2018. doi:10.1016/j.cosrev.2018.10.002.
[45] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. Technical report, Bitcoin, March 2009. URL: https://bitcoin.org/bitcoin.pdf.
[46] Rafael Pass and Elaine Shi. Thunderella: Blockchains with optimistic instant confirmation. In Jesper Buus Nielsen and Vincent Rijmen, editors, Advances in Cryptology – EUROCRYPT 2018, pages 3–33, 2018. doi:10.1007/978-3-319-78375-8_1.
[47] Marshall Pease, Robert Shostak, and Leslie Lamport. Reaching agreement in the presence of faults. J. ACM, 27:228–234, 1980. doi:10.1145/322186.322188.
[48] Fernando Pedone and André Schiper. Optimistic atomic broadcast: a pragmatic viewpoint. Theor. Comput. Sci., 291(1):79–101, 2003. doi:10.1016/S0304-3975(01)00397-8.
[49] HariGovind V. Ramasamy and Christian Cachin. Parsimonious asynchronous byzantine-fault-tolerant atomic broadcast. In Principles of Distributed Systems, pages 88–102, 2006.
[50] Michel Raynal. Concurrent programming: Algorithms, principles and foundations. Springer, 2013. doi:10.1007/978-3-642-32027-9.
[51] Michel Raynal. Fault-tolerant message-passing distributed systems: an algorithmic approach. Springer, 2018. doi:10.1007/978-3-319-94141-7.
[52] Jakub Sliwinski, Yann Vonlanthen, and Roger Wattenhofer. Consensus on demand. In Proc. 24th Int’l Symposium on Stabilization, Safety, and Security of Distributed Systems, volume 13751 of LNCS, pages 299–313. Springer, 2022. doi:10.1007/978-3-031-21017-4_20.
[53] Yee Jiun Song and Robbert van Renesse. Bosco: One-step Byzantine asynchronous consensus. In 22nd Int’l Symposium on Distributed Computing, volume 5218 of LNCS, pages 438–450. Springer, 2008. doi:10.1007/978-3-540-87779-0_30.
[54] Gadi Taubenfeld. Synchronization algorithms and concurrent programming. Pearson Education/Prentice Hall, 2006.
[55] Andrei Tonkikh, Pavel Ponomarev, Petr Kuznetsov, and Yvonne-Anne Pignolet. Cryptoconcurrency: (almost) consensusless asset transfer with shared accounts. In Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, CCS ’23, pages 1556–1570. Association for Computing Machinery, 2023. doi:10.1145/3576915.3616587.
[56] Dennis Trautwein, Aravindh Raman, Gareth Tyson, Ignacio Castro, Will Scott, Moritz Schubotz, Bela Gipp, and Yiannis Psaras. Design and evaluation of ipfs: a storage layer for the decentralized web. In Proceedings of the ACM SIGCOMM 2022 Conference, SIGCOMM ’22, pages 739–752. ACM, August 2022. doi:10.1145/3544216.3544232.
[57] Bret Victor. Tripphrases. http://worrydream.com/tripphrase/, 2008. Accessed: 2023-12-11.
[58] Daniel Shawcross Wilkerson. A proposal for Proquints: Identifiers that are readable, spellable, and pronounceable. CoRR, abs/0901.4016, 2009. arXiv:0901.4016.
[59] Jiong Yang, Gil Neiger, and Eli Gafni. Structured derivations of consensus algorithms for failure detectors. In PODC, pages 297–306. ACM, 1998. doi:10.1145/277697.277755.
[60] Piotr Zielinski. Optimistically terminating consensus: All asynchronous consensus protocols in one framework. In Proc. 5th Int’l Symposium on Parallel and Distributed Computing (ISPDC’06), pages 24–33. IEEE Computer Society, 2006. doi:10.1109/ISPDC.2006.37.

[bib.bib1] [1] Michael Abd-El-Malek, Gregory R. Ganger, Garth R. Goodson, Michael K. Reiter, and Jay J. Wylie. Fault-scalable Byzantine fault-tolerant services. Proc. 20th ACM Symposium on Operating Systems Principles (SOSP’05), 39:59–74, 2005. doi:10.1145/1095810.1095817.

[bib.bib2] [2] Timothé Albouy, Davide Frey, Mathieu Gestin, Michel Raynal, and François Taïani. Contention aware cooperation. CoRR, abs/2311.08776, 2025. doi:10.48550/arXiv.2311.08776.

[bib.bib3] [3] Hagit Attiya, Antonella Del Pozzo, Alessia Milani, Ulysse Pavloff, and Alexandre Rapetti. The Synchronization Power of Auditable Registers. In Alysson Bessani, Xavier Défago, Junya Nakamura, Koichi Wada, and Yukiko Yamauchi, editors, 27th International Conference on Principles of Distributed Systems (OPODIS 2023), volume 286 of Leibniz International Proceedings in Informatics (LIPIcs), pages 4:1–4:23, Dagstuhl, Germany, 2024. Schloss Dagstuhl – Leibniz-Zentrum für Informatik. doi:10.4230/LIPIcs.OPODIS.2023.4.

[bib.bib4] [4] Hagit Attiya and Jennifer L. Welch. Multi-valued connected consensus: A new perspective on crusader agreement and adopt-commit. In OPODIS, volume 286 of LIPIcs, pages 6:1–6:23. Schloss Dagstuhl – Leibniz-Zentrum für Informatik, 2023. doi:10.4230/LIPICS.OPODIS.2023.6.

[bib.bib5] [5] Alex Auvolat, Davide Frey, Michel Raynal, and François Taïani. Money transfer made simple: a specification, a generic algorithm, and its proof. Bulletin of EATCS, 132:22–43, 2020. URL: http://eatcs.org/beatcs/index.php/beatcs/article/view/629.

[bib.bib6] [6] Michael Ben-Or. Another advantage of free choice (extended abstract): Completely asynchronous agreement protocols. In Proc. 2nd ACM Symposium on Principles of Distributed Computing (PODC’83), pages 27–30, 1983.

[bib.bib7] [7] Christian Berger, Lívio Rodrigues, Hans P. Reiser, Vinicius Cogo, and Alysson Bessani. Chasing lightspeed consensus: Fast wide-area Byzantine replication with mercury. In Middleware’24, pages 158–171. Association for Computing Machinery, 2024. doi:10.1145/3652892.3700756.

[bib.bib8] [8] Zohir Bouzid, Achour Mostéfaoui, and Michel Raynal. Minimal synchrony for Byzantine consensus. In Proc. 34th ACM Symposium on Principles of Distributed Computing (PODC’15), pages 461–470. ACM, 2015. doi:10.1145/2767386.2767418.

[bib.bib9] [9] Gabriel Bracha and Sam Toueg. Asynchronous consensus and broadcast protocols. J. ACM, 32(4):824–840, 1985. doi:10.1145/4221.214134.

[bib.bib10] [10] Francisco Vilar Brasileiro, Fabíola Gréve, Achour Mostéfaoui, and Michel Raynal. Consensus in one communication step. In Proc. 6th International Conf. on Parallel Computing Technologies (PaCT’01), LNCS 2127, pages 42–50. Springer, 2001. doi:10.1007/3-540-44743-1_4.

[bib.bib11] [11] Vitalik Buterin. Ethereum: A next-generation smart contract and decentralized application platform, 2014.

[bib.bib12] [12] Miguel Castro and Barbara Liskov. Practical Byzantine fault tolerance and proactive recovery. ACM Trans. Comput. Syst., 20(4):398–461, 2002. doi:10.1145/571637.571640.

[bib.bib13] [13] Tushar Deepak Chandra, Vassos Hadzilacos, and Sam Toueg. The weakest failure detector for solving consensus. J. ACM, 43(4):685–722, 1996. doi:10.1145/234533.234549.

[bib.bib14] [14] Daniel Collins, Rachid Guerraoui, Matteo Monti, Athanasios Xygkis, Matej Pavlovic, Petr Kuznetsov, Yvonne-Anne Pignolet, Dragos-Adrian Seredinschi, and Andrei Tonkikh. Online payments by merely broadcasting messages. In Proc. 50th Int’l Conference on Dependable Systems and Network (DSN20), pages 1–13. IEEE, 2020.

[bib.bib15] [15] James Cowling, Daniel Myers, Barbara Liskov, Rodrigo Rodrigues, and Liuba Shrira. HQ replication: A hybrid quorum protocol for Byzantine fault tolerance. In Proc. 7th Symposium on Operating Systems Design and Implementation (OSDI’06), pages 177–190, 2006. URL: http://www.usenix.org/events/osdi06/tech/cowling.html.

[bib.bib16] [16] Danny Dolev. The Byzantine generals strike again. J. Algorithms, 3(1):14–30, 1982. doi:10.1016/0196-6774(82)90004-9.

[bib.bib17] [17] Danny Dolev, Cynthia Dwork, and Larry J. Stockmeyer. On the minimal synchronism needed for distributed consensus. J. ACM, 34(1):77–97, 1987. doi:10.1145/7531.7533.

[bib.bib18] [18] Sisi Duan, Michael K. Reiter, and Haibin Zhang. BEAT: asynchronous BFT made practical. In Proc. 25th ACM SIGSAC Conference on Computer and Communications Security (CCS’18), pages 2028–2041. ACM, 2018. doi:10.1145/3243734.3243812.

[bib.bib19] [19] Cynthia Dwork, Nancy A. Lynch, and Larry J. Stockmeyer. Consensus in the presence of partial synchrony. J. ACM, 35(2):288–323, 1988. doi:10.1145/42282.42283.

[bib.bib20] [20] Paul Feldman and Silvio Micali. Optimal algorithms for byzantine agreement. In STOC, pages 148–161. ACM, 1988. doi:10.1145/62212.62225.

[bib.bib21] [21] Pesech Feldman and Silvio Micali. An optimal probabilistic protocol for synchronous Byzantine agreement. SIAM J. Comput., 26(4):873–933, 1997. doi:10.1137/S0097539790187084.

[bib.bib22] [22] Md. Sadek Ferdous, Audun Jøsang, Kuldeep Singh, and Ravishankar Borgaonkar. Security usability of petname systems. In Identity and Privacy in the Internet Age, pages 44–59, 2009. doi:10.1007/978-3-642-04766-4_4.

[bib.bib23] [23] Michael J. Fischer, Nancy A. Lynch, and Michael S. Paterson. Impossibility of distributed consensus with one faulty process. J. ACM, 32:374–382, 1985. doi:10.1145/3149.214121.

[bib.bib24] [24] Sovrin Foundation. Sovrin: A protocol and token for self-sovereign identity and decentralized trust. Technical report, Sovrin Foundation, 2018.

[bib.bib25] [25] Davide Frey, Matthieu Gestin, and Michel Raynal. The synchronization power (consensus number) of access-control objects: the case of allowlist and denylist. In Proc. 37th Int’l Symposium on Distributed Computing (DISC’23), volume 281 of LIPICs, pages 21:1–21:23, 2023. doi:10.4230/LIPICS.DISC.2023.21.

[bib.bib26] [26] Eli Gafni. Round-by-round fault detectors: Unifying synchrony and asynchrony (extended abstract). In Proc. 17th ACM Symposium on Principles of Distributed Computing (PODC’98), pages 143–152. ACM, 1998. doi:10.1145/277697.277724.

[bib.bib27] [27] Mathieu Gestin. Privacy Preserving and fully-Distributed Identity Management Systems. PhD thesis, Université de Rennes, 2024.

[bib.bib28] [28] Yossi Gilad, Rotem Hemo, Silvio Micali, Georgios Vlachos, and Nickolai Zeldovich. Algorand: Scaling Byzantine agreements for cryptocurrencies. In Proceedings of the 26th Symposium on Operating Systems Principles, Shanghai, China, October 28-31, 2017, SOSP ’17, pages 51–68, New York, NY, USA, 2017. doi:10.1145/3132747.3132757.

[bib.bib29] [29] Rachid Guerraoui, Petr Kuznetsov, Matteo Monti, Matej Pavlovič, and Dragos-Adrian Seredinschi. The consensus number of a cryptocurrency. Distributed Computing, 35:1–15, 2022. doi:10.1007/S00446-021-00399-2.

[bib.bib30] [30] P. Hoffman. Dns security extensions (dnssec), 2023.

[bib.bib31] [31] N Johnson and V Griffith. Ethereum name service, 2018.

[bib.bib32] [32] Harry A Kalodner, Miles Carlsten, Paul M Ellenbogen, Joseph Bonneau, and Arvind Narayanan. An empirical study of namecoin and lessons for decentralized namespace design. In WEIS, volume 1, pages 1–23, 2015.

[bib.bib33] [33] Lefteris Kokoris-Kogias, Alberto Sonnino, and George Danezis. Cuttlefish: Expressive fast path blockchains with fastunlock. CoRR, abs/2309.12715, 2023. doi:10.48550/arXiv.2309.12715.

[bib.bib34] [34] Ramakrishna Kotla, Lorenzo Alvisi, Mike Dahlin, Allen Clement, and Edmund Wong. Zyzzyva: speculative Byzantine fault tolerance. In Proceedings of the 21st ACM Symposium on Operating Systems Principles 2007, SOSP 2007, Stevenson, Washington, USA, October 14-17, 2007, SOSP ’07, pages 45–58, 2007. doi:10.1145/1294261.1294267.

[bib.bib35] [35] Petr Kuznetsov, Andrei Tonkin, and Yan Zang. Revisiting optimal resilience of fast Byzantine consensus. In Proc. 40th ACM Symposium on Principles of Distributed Computing (PODC’21), pages 343–353, 2021.

[bib.bib36] [36] Leslie Lamport. The part-time parliament. ACM Trans. Comput. Syst., 16(2):133–169, 1998. doi:10.1145/279227.279229.

[bib.bib37] [37] Leslie Lamport. Fast Paxos. Distributed Computing, 19:79–103, 2006. doi:10.1007/S00446-006-0005-X.

[bib.bib38] [38] Leslie Lamport. Lower bounds for asynchronous consensus. Distributed Computing, 19:104–125, 2006. doi:10.1007/S00446-006-0155-X.

[bib.bib39] [39] Leslie Lamport, Robert E. Shostak, and Marshall C. Pease. The Byzantine generals problem. ACM Trans. Program. Lang. Syst., 4(3):382–401, 1982. doi:10.1145/357172.357176.

[bib.bib40] [40] Jean-Philippe Martin and Lorenzo Alvisi. Fast Byzantine consensus. IEEE Trans. Dependable Secur. Comput., 3(3):202–215, 2006. doi:10.1109/TDSC.2006.35.

[bib.bib41] [41] Andrew Miller, Yu Xia, Kyle Croman, Elaine Shi, and Dawn Song. The honey badger of BFT protocols. In Proc. 23rd ACM Conference on Computer and Communications Security (CCS’16), pages 31–42, 2016. doi:10.1145/2976749.2978399.

[bib.bib42] [42] Achour Mostéfaoui, Hamouma Moumen, and Michel Raynal. Signature-free asynchronous binary Byzantine consensus with $t>n/3$ , $o(n^{2})$ messages, and $o(1)$ expected time. J. ACM, 2015. doi:10.1145/2785953.

[bib.bib43] [43] Achour Mostéfaoui and Michel Raynal. Low cost consensus-based atomic broadcast. In Proc. 2000 Pacific Rim International Symposium on Dependable Computing (PRDC’00), pages 45–52. IEEE Computer Society, 2000. doi:10.1109/PRDC.2000.897283.

[bib.bib44] [44] Alexander Mühle, Andreas Grüner, Tatiana Gayvoronskaya, and Christoph Meinel. A survey on essential components of a self-sovereign identity. Computer Science Review, 30:80–86, November 2018. doi:10.1016/j.cosrev.2018.10.002.

[bib.bib45] [45] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. Technical report, Bitcoin, March 2009. URL: https://bitcoin.org/bitcoin.pdf.

[bib.bib46] [46] Rafael Pass and Elaine Shi. Thunderella: Blockchains with optimistic instant confirmation. In Jesper Buus Nielsen and Vincent Rijmen, editors, Advances in Cryptology – EUROCRYPT 2018, pages 3–33, 2018. doi:10.1007/978-3-319-78375-8_1.

[bib.bib47] [47] Marshall Pease, Robert Shostak, and Leslie Lamport. Reaching agreement in the presence of faults. J. ACM, 27:228–234, 1980. doi:10.1145/322186.322188.

[bib.bib48] [48] Fernando Pedone and André Schiper. Optimistic atomic broadcast: a pragmatic viewpoint. Theor. Comput. Sci., 291(1):79–101, 2003. doi:10.1016/S0304-3975(01)00397-8.

[bib.bib49] [49] HariGovind V. Ramasamy and Christian Cachin. Parsimonious asynchronous byzantine-fault-tolerant atomic broadcast. In Principles of Distributed Systems, pages 88–102, 2006.

[bib.bib50] [50] Michel Raynal. Concurrent programming: Algorithms, principles and foundations. Springer, 2013. doi:10.1007/978-3-642-32027-9.

[bib.bib51] [51] Michel Raynal. Fault-tolerant message-passing distributed systems: an algorithmic approach. Springer, 2018. doi:10.1007/978-3-319-94141-7.

[bib.bib52] [52] Jakub Sliwinski, Yann Vonlanthen, and Roger Wattenhofer. Consensus on demand. In Proc. 24th Int’l Symposium on Stabilization, Safety, and Security of Distributed Systems, volume 13751 of LNCS, pages 299–313. Springer, 2022. doi:10.1007/978-3-031-21017-4_20.

[bib.bib53] [53] Yee Jiun Song and Robbert van Renesse. Bosco: One-step Byzantine asynchronous consensus. In 22nd Int’l Symposium on Distributed Computing, volume 5218 of LNCS, pages 438–450. Springer, 2008. doi:10.1007/978-3-540-87779-0_30.

[bib.bib54] [54] Gadi Taubenfeld. Synchronization algorithms and concurrent programming. Pearson Education/Prentice Hall, 2006.

[bib.bib55] [55] Andrei Tonkikh, Pavel Ponomarev, Petr Kuznetsov, and Yvonne-Anne Pignolet. Cryptoconcurrency: (almost) consensusless asset transfer with shared accounts. In Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, CCS ’23, pages 1556–1570. Association for Computing Machinery, 2023. doi:10.1145/3576915.3616587.

[bib.bib56] [56] Dennis Trautwein, Aravindh Raman, Gareth Tyson, Ignacio Castro, Will Scott, Moritz Schubotz, Bela Gipp, and Yiannis Psaras. Design and evaluation of ipfs: a storage layer for the decentralized web. In Proceedings of the ACM SIGCOMM 2022 Conference, SIGCOMM ’22, pages 739–752. ACM, August 2022. doi:10.1145/3544216.3544232.

[bib.bib57] [57] Bret Victor. Tripphrases. http://worrydream.com/tripphrase/, 2008. Accessed: 2023-12-11.

[bib.bib58] [58] Daniel Shawcross Wilkerson. A proposal for Proquints: Identifiers that are readable, spellable, and pronounceable. CoRR, abs/0901.4016, 2009. arXiv:0901.4016.

[bib.bib59] [59] Jiong Yang, Gil Neiger, and Eli Gafni. Structured derivations of consensus algorithms for failure detectors. In PODC, pages 297–306. ACM, 1998. doi:10.1145/277697.277755.

[bib.bib60] [60] Piotr Zielinski. Optimistically terminating consensus: All asynchronous consensus protocols in one framework. In Proc. 5th Int’l Symposium on Parallel and Distributed Computing (ISPDC’06), pages 24–33. IEEE Computer Society, 2006. doi:10.1109/ISPDC.2006.37.