` 20 D. Mazieres So long as node v has no candidate values, v may vote in favor of nominate x for any value x that passes application-level validity checks (such as timestamps not being in the future). In fact, v should generally re-nominate any values that it sees other nodes nominate, with some rate-limiting discussed below to avoid an explosion of can- didates.Assoonasvhasacandidatevalue,however,itmustceasevotingtonominatex for any new values x. It should still continue to accept nominate statements for new values (when accepted by a v-blocking set) and confirm new nominate statements as prescribed by the federated voting procedure. The nomination protocol enjoys several properties when a system has intact nodes (meaning it has avoided complete failure). Specifically, for each slot: (1) Intact nodes can produce at least one candidate value. (2) At some point, the set of possible candidate values stops growing. (3) If any intact node considers x to be a candidate value, then eventually every intact node will consider x to be a candidate value. Nowconsider how the nomination protocol achieves its three properties. Property 1 is achieved because nominate statements are irrefutable. Nodes never vote against nominating a particular value, and until the first candidate value is confirmed, intact nodes can vote to nominate any value. So long as any value x passes application-level validity checks, intact nodes can vote for and confirm nominate x. Property 2 is en- suredbecauseonceeachintactnodeconfirmsatleastonecandidatevalue—whichwill happeninafiniteamountoftime—nointactnodeswillvotetonominateanynewval- ues. Hence, the only values that can become candidates are those that already have votes from intact nodes. Property 3 is a direct consequence of Theorem 11. The nomination process will be more efficient if fewer combinations of values are in play. Hence, we assign nodes a temporary priority and have each node, when pos- sible, nominate the same values as a higher-priority node. More concretely, let H be a cryptographic hash function whose range can be interpreted as a set of integers {0,…,ℎ −1}. (H might be SHA-256 [National Institute of Standards and Technol- max ogy 2012], in which case ℎ = 2256.) Let G (m) = H(i,x , m) be a slot-specific hash max i i−1 function for slot i, where xi−1 is the value chosen for the slot preceding i (or the sorted set of values of all immediate dependencies of slot i when slots are governed by a par- tial order). Givenaslotiandaroundnumbern,eachnodevcomputesasetofneighbors andapriority for each neighbor as follows: ó ¨ ó {q ∣ q ∈ Q(v) ∧ v ∈ q} ó ó ¨ ó ó weight(v,v ) = ó ó Q(v) ó ó ¨ ó ¨ ó ¨ neighbors(v,n) = v ∣ G (N,n,v ) < ℎ ⋅ weight(v,v ) i max ¨ ¨ priority(n,v ) = G (P,n,v ) i N and P are constants to produce two different hash functions. The function ¨ ¨ weight(v,v ) returns the fraction of slices in Q(v) containing v . By using weight as theprobability over n that v¨ appears in neighbors(v,n), we also reduce the chance that nodes without a lot of trust will dominate a round. Each node v should initially find a node v ∈ neighbors(v,0) that maximizes 0 priority(0,v ) among nodes it can communicate with, then vote to nominate the same 0 values as v . Only if v = v should v introduce a new value to nominate. v should use 0 0 timeouts to decide on new nominate statements to vote for. After n timeouts, v should