` 8 D. Mazieres v v 1 4 Q(v ) = Q(v4) = 1 Q(v ) = Q(v5) = 2 Q(v ) = Q(v6) = 3 {{v ,v ,v }} v v v v {{v ,v ,v }} 1 2 3 2 3 5 6 4 5 6 Fig. 6. FBASlackingquorumintersection Q(v ) = {{v }} 7 7 v v7 v 1 4 Q(v1) = Q(v4) = Q(v2) = Q(v5) = Q(v3) = Q(v6) = {{v ,v ,v ,v }} v v v v {{v ,v ,v ,v }} 1 2 3 7 2 3 5 6 4 5 6 7 Fig. 7. Ill-behaved node v can undermine quorum intersection. 7 This section answers the following question: given a specific ⟨V,Q⟩ and particular subset of V that is ill-behaved, what are the best safety and liveness that any feder- ated Byzantine agreement protocol can guarantee regardless of the network? We first discuss quorum intersection, a property without which safety is impossible to guar- antee. We then introduce a notion of dispensable sets—sets of failed nodes in spite of which it is possible to guarantee both safety and liveness. 4.1. Quorum intersection Aprotocol can guarantee agreement only if the quorum slices represented by function Qsatisfy a validity property we call quorum intersection. Definition (quorum intersection). An FBAS enjoys quorum intersection iff any two of its quorums share a node—i.e., for all quorums U and U , U ∩U ≠ ç. 1 2 1 2 Figure 6 illustrates a system lacking quorum intersection, where Q permits two quo- rums, {v ,v ,v } and {v ,v ,v }, that do not intersect. Disjoint quorums can indepen- 1 2 3 4 5 6 dentlyagreeoncontradictorystatements,underminingsystem-wideagreement.When manyquorumsexist, quorum intersection fails if any two do not intersect. For exam- ple, the set of all nodes {v ,…,v } in Figure 6 is a quorum that intersects the other two, 1 6 but the system still lacks quorum intersection because the other two do not intersect each other. Noprotocol can guarantee safety in the absence of quorum intersection, since such a configuration can operate as two different FBAS systems that do not exchange any messages. However, even with quorum intersection, safety may be impossible to guar- antee in the presence of ill-behaved nodes. Compare Figure 6, in which there are two disjoint quorums, to Figure 7, in which two quorums intersect at a single node v , and 7 v is ill-behaved. If v makes inconsistent statements to the left and right quorums, 7 7 the effect is equivalent to disjoint quorums. In fact, since ill-behaved nodes contribute nothing to safety, no protocol can guaran- tee safety without the well-behaved nodes enjoying quorum intersection on their own. After all, in a worst-case scenario for safety, ill-behaved nodes can just always make any possible (contradictory) statement that completes a quorum. Two quorums over- lapping only at ill-behaved nodes will again be able to operate like two different FBAS