The Stellar Consensus Protocol 15

problematic for liveness. If a node proceeds to act on a statement because it accepted the statement, other nodes could be unable to proceed in a similar fashion. Consider Figure 10a, in which node $v_3$ crashes after helping $v_1$ ratify and accept statement $a$. Though $v_1$ accepts $a$, $v_2$ and $v_4$ cannot. In particular, from $v_2$'s perspective, the situation depicted is indistinguishable from Figure 10b, in which $v_3$ voted for $\bar{a}$ and is well-behaved but slow to respond, while $v_1$ is ill-behaved and sent $v_3$ a vote for $\bar{a}$ (thereby causing $v_3$ to accept $\bar{a}$) while illegally also sending $v_2$ a vote for $a$.

To support a protocol-level notion of liveness in cases like Figure 10a, $v_1$ needs a way to ensure every other intact node can eventually accept $a$ before $v_1$ acts on $a$. Once this is the case, it makes sense to say the system agrees on $a$.

Definition (agree). An FBAS $\langle V, Q \rangle$ agrees on a statement $a$ iff, regardless of what subsequently transpires, once sufficient messages are delivered and processed, every intact node will accept $a$.

5.4.3. Comparison to centralized voting. To understand why the above issues arise in federated voting, consider a centralized Byzantine agreement system of $N$ nodes with quorum size $T$. Such a system enjoys quorum availability with $f_L = N - T$ or fewer node failures. Since any two quorums share at least $2T - N$ nodes, quorum intersection of well-behaved nodes holds up to $f_S = 2T - N - 1$ Byzantine failures. Centralized Byzantine agreement systems typically set $N = 3f + 1$ and $T = 2f + 1$ to yield $f_L = f_S = f$, the equilibrium point at which safety and liveness have the same fault tolerance. If safety is more important than liveness, some protocols increase $T$ so that $f_S > f_L$ [Li and Mazières 2007]. In FBA, because quorums arise organically, systems are unlikely to find themselves at equilibrium, making it far more important to protect safety in the absence of liveness.
Now consider a centralized system in which, because of node failure and contradictory votes, some node $v$ cannot ratify statement $a$ that was ratified by other nodes. If $v$ hears $f_S + 1$ nodes claim $a$ was ratified, $v$ knows that either one of them is well-behaved or all safety guarantees have collapsed. Either way, $v$ can act on $a$ with no loss of safety. The FBA equivalent would be to hear from a set $B$ where $B$, if deleted, undermines quorum intersection of well-behaved nodes. Identifying such a $B$ is hard for three reasons: one, quorums are discovered dynamically; two, ill-behaved nodes may lie about slices; and three, $v$ does not know which nodes are well-behaved. Instead, we defined federated voting to accept $a$ when a $v$-blocking set does. The $v$-blocking property has the advantage of being easily checkable, but is equivalent to hearing from $f_L + 1$ nodes in a centralized system when we really want $f_S + 1$.

To guarantee agreement among all well-behaved nodes in a centralized system, one merely needs $f_L + f_S + 1$ nodes to acknowledge that a statement was ratified. If more than $f_L$ of them fail, we do not expect liveness anyway. If $f_L$ or fewer fail, then we know $f_S + 1$ nodes remain willing to attest to ratification, which will in turn convince all other well-behaved nodes. The reliance on $f_S$ has no easy analogue in the FBA model. Interestingly, however, $f_L + f_S + 1 = T$, the quorum size, suggesting a similar approach might work with a more complex justification.

Put another way, at some point nodes need to believe a statement strongly enough to depend on its truth for safety. A centralized system offers two ways to reach this point for a statement $a$: ratify $a$ first-hand, or reason backwards from $f_S + 1$ nodes claiming $a$ was ratified, figuring safety is hopeless if they have all lied. FBA lacks the latter approach; the only tool it has for safety among well-behaved nodes is first-hand ratification.
Since nodes still need a way to overcome votes against ratified statements, we introduced a notion of accepting, but it provides a weaker consistency guarantee limited to intact nodes.
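The centralized bounds of Section 5.4.3 can be checked mechanically. The following Python is an added example, not code from the paper or from the Stellar project: it computes $f_L$, $f_S$ and the derived thresholds for a given $(N, T)$, confirms the $2T - N$ quorum-overlap bound by brute-force enumeration of all $T$-subsets on small $N$, and shows that the centralized analogue of a $v$-blocking set ($f_L + 1$ nodes) only reaches the $f_S + 1$ safety threshold at or below equilibrium. The class and function names and the sample $(N, T)$ values are chosen here for illustration and are not from the paper.

```python
"""Fault-tolerance arithmetic for a centralized Byzantine agreement system
with N nodes and quorum size T, following the formulas of Section 5.4.3.

Added example; class and function names are this example's own.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class CentralizedBounds:
    N: int  # total nodes
    T: int  # quorum size

    def __post_init__(self) -> None:
        # A quorum must be a non-empty subset of the nodes.
        if not 1 <= self.T <= self.N:
            raise ValueError(f"quorum size T={self.T} must satisfy 1 <= T <= N={self.N}")

    @property
    def f_L(self) -> int:
        """Liveness bound: some quorum survives up to N - T node failures."""
        return self.N - self.T

    @property
    def f_S(self) -> int:
        """Safety bound: any two quorums share 2T - N nodes, so quorum
        intersection of well-behaved nodes survives 2T - N - 1 Byzantine
        nodes. A negative value means quorums need not intersect at all."""
        return 2 * self.T - self.N - 1

    @property
    def blocking_threshold(self) -> int:
        """f_L + 1 = N - T + 1 nodes: the smallest set that intersects every
        quorum, i.e. the centralized analogue of a v-blocking set."""
        return self.f_L + 1

    @property
    def safety_threshold(self) -> int:
        """f_S + 1 attesters: at least one is well-behaved unless safety
        has already collapsed."""
        return self.f_S + 1

    @property
    def agreement_threshold(self) -> int:
        """f_L + f_S + 1 acknowledgements of ratification guarantee agreement
        among all well-behaved nodes; algebraically this always equals T."""
        return self.f_L + self.f_S + 1


def equilibrium(f: int) -> CentralizedBounds:
    """The usual N = 3f + 1, T = 2f + 1 parameterisation, where f_L = f_S = f."""
    return CentralizedBounds(N=3 * f + 1, T=2 * f + 1)


def blocking_suffices_for_safety(b: CentralizedBounds) -> bool:
    """True iff hearing from a blocking set (f_L + 1 nodes) is at least as strong
    as the f_S + 1 nodes safety really needs. Holds at equilibrium and fails
    once T is raised to favour safety (f_S > f_L)."""
    return b.blocking_threshold >= b.safety_threshold


def surviving_attesters(b: CentralizedBounds, failed: int) -> int:
    """Of f_L + f_S + 1 nodes that acknowledged ratification, how many remain
    after `failed` of them fail. With failed <= f_L, at least f_S + 1 remain."""
    return max(b.agreement_threshold - failed, 0)


def min_quorum_overlap(N: int, T: int) -> int:
    """Brute-force the 2T - N bound: enumerate every pair of T-subsets of N
    nodes and return the smallest intersection. Only practical for small N."""
    quorums = [frozenset(q) for q in combinations(range(N), T)]
    return min(len(a & b) for a in quorums for b in quorums)


if __name__ == "__main__":
    # Constructed sample parameters: equilibrium with f = 2, and the same N
    # with T raised by one to favour safety over liveness.
    for label, b in (("equilibrium f=2", equilibrium(2)),
                     ("safety-favouring", CentralizedBounds(N=7, T=6))):
        print(f"{label}: N={b.N} T={b.T} f_L={b.f_L} f_S={b.f_S} "
              f"blocking={b.blocking_threshold} safety={b.safety_threshold} "
              f"agreement={b.agreement_threshold} "
              f"overlap={min_quorum_overlap(b.N, b.T)} "
              f"blocking_suffices={blocking_suffices_for_safety(b)}")
```

Running the block prints both parameterisations side by side: at $N = 7, T = 5$ every threshold coincides at 3 and the measured overlap is $2T - N = 3$, while at $N = 7, T = 6$ the blocking threshold stays at 2 but safety now needs 5 attesters, which is the gap the text describes between what $v$-blocking gives and what safety wants.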