` 16 D. Mazieres 5.5. Statement confirmation Both limitations of accepted statements stem from complications when a set of intact nodes S votes against a statement a that is nonetheless ratified. Particularly in light of FBA’s non-uniform quorums, S may prevent some intact node from ever ratifying v. Toprovidevameansofacceptingadespitevotesagainstit,thedefinitionofaccepthas a second criterion based on v-blocking sets. But the second criterion is weaker than ratification, offering no guarantees to befouled nodes that enjoy quorum intersection. Nowsupposeastatement a has the property that no intact node ever votes against it. Then we have no need to accept a and can instead insist that nodes directly ratify a before acting on it. We call such statements irrefutable. Definition (irrefutable). A statementaisirrefutableinanFBASifnointactnodecan ever vote against it. Theorem 8 tells us that two intact nodes cannot accept contradictory statements. Thus, while some intact nodes may vote against a statement a that was accepted by anintact node, the statement “an intact node accepted a” is irrefutable. This suggests holding a second vote to ratify the fact that an intact node accepted a. Definition (confirm). A quorum U in an FBAS confirms a statement a iff ∀v ∈ U , a a v claims to accept a. A node confirms a iff it is in such a quorum. Nodes express that they have accepted statement a by stating “accept(a),” an ab- breviation of the statement, “An intact node accepted a.” To confirm a means to ratify accept(a). A well-behaved node v can vote for accept(a) only after accepting a, as v cannot assume any particular other nodes are intact. If v itself is befouled, accept(a) might be false, in which case voting for it may cost v liveness, but a befouled node has no guarantee of liveness anyway. Thenexttheoremshowsthatnodescanrelyonconfirmedstatementswithoutlosing optimal safety. Theorem 11 then shows that confirmed statements meet the defini- tion of agreement from Section 5.4.2, meaning nodes can rely on confirmed statements without endangering the liveness of intact nodes. THEOREM9. Let ⟨V,Q⟩ be an FBAS enjoying quorum intersection despite B, and suppose B contains all ill-behaved nodes. Let v and v be two nodes not in B. Let a and 1 2 ā be contradictory statements. If v confirms a, then v cannot confirm ā. 1 2 PROOF. First note that accept(a) contradicts accept(ā)—no well-behaved node can vote for both. Note further that v1 must ratify accept(a) to confirm a. By Theorem 5, v2 cannot ratify accept(ā) and hence cannot confirm ā. THEOREM10. Let B be the set of befouled nodes in an FBAS ⟨V,Q⟩ with quorum intersection. Let U be a quorum containing an intact node (U ⊈ B), and let S be any set suchthatU ⊆S ⊆V.LetS+ =S⧵BbethesetofintactnodesinS,andletS− =(V⧵S)⧵B be the set of intact nodes not in S. Either S− = ç, or ∃v ∈ S− such that S+ is v-blocking. PROOF. If S+ is v-blocking for some v ∈ S−, then we are done. Otherwise, we must showS− =ç.IfS+ is not v-blocking for any v ∈ S−, then, by Theorem 7, either S− = ç − B or S is a quorum in ⟨V,Q⟩ . In the former case we are done, while in the latter we B get a contradiction: By Theorem 1, U ⧵B is a quorum in ⟨V,Q⟩ . Since B is a DSet (by B − Theorem3),⟨V,Q⟩ mustenjoyquorumintersection,meaningS ∩(U⧵B)≠ç.Thisis impossible, since (U ⧵B) ⊆ S and S− ∩S = ç. THEOREM11. If an intact node in an FBAS ⟨V,Q⟩ with quorum intersection con- firms a statement a, then, whatever subsequently transpires, once sufficient messages are delivered and processed, every intact node will accept and confirm a.