TheStellar Consensus Protocol 5 v4 Q(v ) = {{v ,v ,v }} 1 1 2 3 v2 v3 Q(v ) = Q(v ) = Q(v ) = 2 3 4 {{v ,v ,v }} 2 3 4 v1 Fig. 2. v ’s quorum slice is not a quorum without v . 1 4 3/4 v v v v Top tier: slice is 3 out of 1 2 3 4 {v ,v ,v ,v }, including self 1 2 3 4 2/4 v v v v Middle tier: slice is self + any 5 6 7 8 2 top tier nodes 2/4 v v Leaf tier: slice is self + any 9 10 2 middle tier nodes Fig. 3. Tiered quorum structure example that membershipandquorumsmustsomehowbepre-ordained,precludingopenmem- bership and decentralized control. A traditional system, such as PBFT [Castro and Liskov1999],typically has 3f +1 nodes, any 2f +1 of which constitute a quorum. Here f is the maximum number of Byzantine failures—meaning nodes acting arbitrarily— the system can survive. FBA, introduced by this paper, generalizes Byzantine agreement to accommodate a greaterrangeofsettings.FBA’skeyinnovationisenablingeachnodevtochoseitsown quorumslicesetQ(v).System-widequorumsthusarisefromindividualdecisionsmade by each node. Nodes may select slices based on arbitrary criteria such as reputation or financial arrangements. In some settings, no individual node may have complete knowledge of all nodes in the system, yet consensus should still be possible. 3.2. Examples and discussion Figure 3 shows an example of a tiered system in which different nodes have different slice sets, something possible only with FBA. A top tier, comprising v ,…,v , is struc- 1 4 tured like a PBFT system with f = 1, meaning it can tolerate one Byzantine failure so long as the other three nodes are reachable and well-behaved. Nodes v ,…,v consti- 5 8 tute a middle tier and depend not on each other, but rather on the top tier. Only two top tier nodes are required to form a slice for a middle tier node. (The top tier assumes at most one Byzantine failure, so two top tier nodes cannot both fail unless the whole system has failed.) Nodes v and v are in a leaf tier for which a slice consists of any 9 10