TheStellar Consensus Protocol 9 systems thanks to the duplicity of the ill-behaved nodes. In short, FBAS ⟨V,Q⟩ can survive Byzantine failure by a set of nodes B ⊆ V iff ⟨V,Q⟩ enjoys quorum intersection after deleting the nodes in B from V and from all slices in Q. More formally: Definition (delete). If ⟨V,Q⟩ is an FBAS and B ⊆ V is a set of nodes, then to delete B B B from ⟨V,Q⟩, written ⟨V,Q⟩ , means to compute the modified FBAS ⟨V⧵B,Q ⟩ where B Q (v) = {q ⧵B ∣ q ∈ Q(v)}. It is the responsibility of each node v to ensure Q(v) does not violate quorum inter- section. One way to do so is to pick conservative slices that lead to large quorums. Of course, a malicious v may intentionally pick Q(v) to violate quorum intersection. But a malicious v can also lie about the value of Q(v) or ignore Q(v) to make arbitrary as- sertions. In short, Q(v)’s value is not meaningful when v is ill-behaved. This is why the necessary property for safety—quorum intersection of well-behaved nodes after deleting ill-behaved nodes—is unaffected by the slices of ill-behaved nodes. SupposeFigure6evolvedfromathree-nodeFBASv ,v ,v withquorumintersection 1 2 3 to a six-node FBAS without. When v ,v ,v join, they maliciously choose slices that 4 5 6 violate quorum intersection and no protocol can guarantee safety for V. Fortunately, {v ,v ,v } deleting the bad nodes to yield ⟨V,Q⟩ 4 5 6 restores quorum intersection, meaning at least {v ,v ,v } can enjoy safety. Note that deletion is conceptual, for the sake of 1 2 3 describing optimal safety. A protocol should guarantee safety for v ,v ,v without their 1 2 3 needing to know that v ,v ,v are ill-behaved. 4 5 6 4.2. Dispensable sets (DSets) We capture the fault tolerance of nodes’ slice selections through the notion of a dis- pensible set or DSet. Informally, the safety and liveness of nodes outside a DSet can be guaranteedregardlessofthebehaviorofnodesinsidetheDSet.Putanotherway,inan optimally resilient FBAS, if a single DSet encompasses every ill-behaved node, it also contains every failed node, and conversely all nodes outside the DSet are correct. As an example, in a centralized PBFT system with 3f +1 nodes and quorum size 2f +1, anyf orfewernodesconstituteaDSet.SincePBFTinfactsurvivesuptof Byzantine failures, its robustness is optimal. In the less regular example of Figure 3, {v1} is a DSet, since one top tier node can fail without affecting the rest of the system. {v } is also a DSet because no other node 9 dependsonv forcorrectness.{v ,…,v }isaDSet,becauseneitherv northetoptier 9 6 10 5 depend on any of those five nodes. {v ,v } is not a DSet, as it is a slice for v and v 5 6 9 10 and hence, if entirely malicious, can lie to v9 and v10 and convince them of assertions inconsistent with each other or the rest of the system. To prevent a misbehaving DSet from affecting the correctness of other nodes, two properties must hold. For safety, deleting the DSet cannot undermine quorum inter- section. For liveness, the DSet cannot deny other nodes a functioning quorum. This leads to the following definition: Definition (DSet). Let ⟨V,Q⟩ be an FBAS and B ⊆ V be a set of nodes. We say B is a dispensible set, or DSet, iff: B (1) (quorum intersection despite B) ⟨V,Q⟩ enjoys quorum intersection, and (2) (quorum availability despite B) Either V⧵B is a quorum in ⟨V,Q⟩ or B = V. Quorum availability despite B protects against nodes in B refusing to answer re- quests and blocking other nodes’ progress. Quorum intersection despite B protects against the opposite—nodes in B making contradictory assertions that enable other nodes to externalize inconsistent values for the same slot. Nodes must balance the two threats in slice selection. All else equal, bigger slices lead to bigger quorums with