
Permissionless consensus based on Proof-of-eligibility

Geoffrey Saunois, Frédérique Robin (Inria, Univ. Rennes, CNRS, IRISA; Inria, Campus de Beaulieu, France; firstname.lastname@inria.fr)
Emmanuelle Anceaume (CNRS, Univ. Rennes, Inria, IRISA; IRISA, Campus de Beaulieu, France; emmanuelle.anceaume@irisa.fr)
Bruno Sericola (Inria, Univ. Rennes, CNRS, IRISA; Inria, Campus de Beaulieu, France; bruno.sericola@inria.fr)

Abstract—We propose a consensus algorithm whose objective is to decide on an aggregation of values, such that all the values proposed by the honest nodes belong to the decision. Our algorithm has been designed to cope with an asynchronous and permissionless system. By relying on a proof-of-eligibility, our algorithm is tolerant to an adversary capable of instantaneously corrupting entities, i.e., a strongly adaptive, also called rushing, adversary. A straightforward application of our algorithm is the design of permissionless distributed ledgers.

Index Terms—consensus algorithm, proof of eligibility, aggregation, asynchronous and permissionless environment, adaptive adversary.

I. INTRODUCTION

Permissionless blockchains aim at achieving the impressive result of being a persistent, distributed, consistent and continuously growing log of transactions, publicly auditable and writable by anyone. Despite the openness of the environment and thus the inescapable presence of malicious behaviors, security and consistency of permissionless blockchains do not demand the presence of a trusted third party [12]. In the seminal blockchains, i.e., Bitcoin and Ethereum, this achievement results from the tight combination of two ingredients: a randomized election of the next block of transactions to be appended to the blockchain and a short latency broadcast primitive. While the latter one relies on the properties of peer-to-peer networks, the former one has so far been commonly implemented by solving proof-of-work (PoW). A PoW is a cryptographic puzzle that is provably secure against a large proportion of participants that may wish to disrupt the system, and allows to keep the rate at which blocks are created parametrizable and independent of the size of the system. Unfortunately, resilience of PoW-based solutions fundamentally relies on the massive use of computational resources, which is a real issue today. Numerous investigations have been devoted to finding a secure alternative to PoW, but most of them either rely on the intensive use of a large quantity of physical resources (e.g. proof-of-space [2], proof-of-space/time [11]) or make compromises in their trust assumptions (e.g. proof-of-elapsed-time [8], delegated proof-of-stake [6]). In contrast, solutions based on proof-of-stake (PoS) seem to be a quite promising way to build secure and permissionless blockchains. Indeed, proof-of-stake relies on a limited but abstract resource, the crypto-currency, in such a way that the probability for a participant to create the next block of the blockchain is generally proportional to the fraction of currency owned by this participant. It is an elegant alternative in the sense that all the information needed to verify the legitimacy of a stakeholder to create a block (i.e., crypto-currency possession) is already stored in the blockchain. Finally, by being a sustainable alternative (creating a block requires a small number of operations), scalability concerns, exhibited by PoW-based solutions, should be a priori more tractable.

An important condition for a PoS-blockchain to be secure is randomness: the creator(s) of the next block must be truly random, and the source of randomness must not be biased by any adversarial strategy. So far, this has been achieved by two main approaches: chain-based consensus and block-wise Byzantine agreement. In the former approach (e.g. [3]), a snapshot of current users' status is periodically taken, from which the next sequence of leaders is computed. In the latter one (e.g. [5], [7]), a Byzantine agreement per block, relying on the properties of verifiable random cryptographic schemes, is achieved. While [5] is tolerant to a weakly adaptive adversary (i.e., a targeted attack needs a given amount of time before being effective), node corruptions in [7] are effective once decided by the adversary. Algorand [7] handles such a strongly adaptive adversary by requiring that participation in the agreement protocol is ephemeral and depends on the amount of stake owned on the user account. However, by relying on account balance, Algorand cannot defend against an adversary that will observe, during the different rounds of the agreement protocol, the IP address of users with significant savings account balance and launch a DoS attack on these users. Since these users have a higher probability to be involved in multiple rounds of the protocol than those with low savings, by preventing these wealthy users from participating in these rounds, the adversary may jeopardise round progress, and thus termination of the Byzantine tolerant agreement protocol.

The objective of this work is to go a step further by designing a Byzantine tolerant consensus algorithm which, in presence of a rushing adversary, guarantees that all correct users of the permissionless system decide on the same set of values with any high probability 1 − ε, with ε ∈ (0, 1), in a bounded number of rounds. Briefly, our solution deeply relies on ephemeral but provable user identities, and repeatedly combines a verifiable random function and a cryptographic sortition scheme to guarantee safety and liveness of the algorithm despite the presence of an adaptive adversary. To fit the context of blockchains, users propose sets of transactions as their input values, and the decision value is a set of transactions. When all the proposed transactions are the same (e.g., all the users have locally the same set of pending transactions), then the algorithm decides in three rounds with high probability (w.h.p.). Otherwise, the number of rounds is upper bounded w.h.p.

The remainder of the paper is organized as follows. Section II presents the system model in terms of synchrony, communication, security, and user transactions. Section III specifies the problem addressed by this paper. Section IV describes the main tenets of our consensus algorithm. Section V presents an in-depth analysis of our algorithm. Section VI concludes.

II. SYSTEM ASSUMPTIONS

a) Asynchronous and permissionless system: By permissionless we mean a distributed system in which (i) the number of participants for carrying out the protocol is not known beforehand, is not even known during the course of the execution, and may change over time, (ii) the right to contribute and to participate is not controlled by a (trustworthy) third authority, i.e. we do not assume the presence of any public key infrastructure (PKI), and (iii) participants communicate over a weakly but reliably connected communication topology. We assume an asynchronous environment, that is, our algorithm does not make any synchrony assumptions, i.e. it does not assume any bound on the time needed for a message to be received by its recipients, nor on the computation time of the processes, nor on the individual drifts of clocks.

b) Cryptographic functions: Users have access to basic cryptographic functions, including a cryptographic hash function h of hash-value size h and an asymmetric signature scheme that allows a user to generate a public and secret key pair (sk, pk), and compute a signature σ_{sk,h}(d) of any message d. Function h is modeled as a random oracle. Our algorithm relies on verifiable random functions (VRFs). A Verifiable Random Function (VRF) [10] is the public-key version of a keyed cryptographic hash. It is a pseudorandom function that provides a proof of its correct computation. Only the holder of the private key sk can compute the hash, but anyone with the corresponding public key pk can verify the correctness of the hash. A VRF hashes an input α using the private key sk to obtain a VRF hash output β = VRF(sk, α), commonly denoted as β = VRF_sk(α), such that β will always be unique for a given input message and public key. Function VRF is also modeled as a random oracle, and is deterministic, in the sense that it always produces the same output β given a pair of inputs (sk, α). The private key sk is also used to construct a proof π showing that β is the correct hash output, i.e. π = VRF_prove_sk(α). We adopt the following notation: <β, π> = VRF_sk(α).

c) Public Keys as Identities principle [4]: Users own some minimal amount of stake (i.e., money), which gives them the right to participate in the algorithm. We adopt (a simplified version of) what is commonly known as the Bitcoin Unspent Transaction Output (UTXO) model. A UTXO can be roughly seen as a user's account credited by some stake. A UTXO is uniquely characterized by a key pair (pk, sk) and its associated amount of stake. Each public key is related to the digital signature scheme with the uniqueness property, which allows stakeholders to use the public keys (or a hash thereof) of their UTXOs as a reference to them, as demonstrated in the "Public Keys as Identities principle" of Chaum [4]. Hence user u is publicly known as pk_u if u owns the UTXO whose key pair is (pk_u, sk_u). A UTXO is created when it appears for the first time in the output set of a transaction, and once it is referenced in the input set of another transaction, it cannot be used anymore. Hence, by using UTXOs as user identities, a user owns as many verifiable identities as he wants. Since UTXOs are ephemeral, the number of users continuously varies with the activity of the system.

Remark 1. In the following, when we say that UTXO (pk_u, sk_u) is selected to perform some action we mean that the user who owns this UTXO is selected to perform some action. Symmetrically, when we say that some user u executes some action we mean that the owner of UTXO <pk_u, sk_u> executes some action.

d) Threat model: An adaptive adversary: We assume the presence of Byzantine (i.e. malicious) users which control up to p_A < 1/3 of the total amount of stake currently available in the system. This model, named the "stake threshold adversary" by Abraham and Malkhi [1], is an alternative to the common threshold adversary model, which bounds the total number of parties the adversary controls relative to the total population of the system, and an extension (or modification) of the computational threshold adversary introduced by Bitcoin, which bounds the proportion of the computational power owned by parties. Byzantine users can deviate from the protocol. They are modeled by an adversary. The adversary can perfectly coordinate all malicious users. It can learn the messages sent by honest users (i.e. non-malicious users), delay them, and then choose the messages sent by malicious ones. Further, the adversary is adaptive: it can select at any time which users to corrupt in replacement of corrupted ones (i.e. corruptions are "moving"). The adversary is computationally bounded so that it can neither forge honest nodes' signatures nor break the hash function and the signature scheme. Finally, we assume that all users (honest and malicious) share an initial knowledge that we call the genesis block, which contains an initial arbitrary UTXO set. We assume this block also shares the same properties as regular blocks. How to set up the genesis block is out of the scope of this paper.

III. THE ADDRESSED PROBLEM: THE MERGED-CONSENSUS

While the overall goal of this work is to build a permissionless blockchain in a Proof-of-eligibility setting (see below for more details), in this paper we will concentrate on the design
of the consensus algorithm whose objective is to decide on a set of valid transactions. We will prove that all the honest users of the asynchronous and permissionless system decide on the same set of transactions and that the decision is reached in a finite and bounded number of rounds with any high probability. We will also show that our algorithm is tolerant to an adversary capable of instantaneously corrupting entities, i.e., a strongly adaptive, also called rushing, adversary. Clearly, by sequentially invoking each instance of the consensus with a sequence number, this should make the construction of a permissionless blockchain easier.

The task that honest users want to solve is the Merged-Consensus, which is formalized by the following properties.

• Termination: Each honest user u eventually outputs one decision value dec_u;
• Agreement: For any honest users u and v that respectively decide dec_u and dec_v, then dec_u = dec_v;
• Validity: Any decision value dec contains at least the set of transactions proposed by an honest user.

IV. MAIN PRINCIPLES OF OUR MERGED-CONSENSUS ALGORITHM

The algorithm we propose to implement the Merged-Consensus specification in a permissionless system consists of several asynchronous rounds. By adopting the nice idea of user replacement [7], each asynchronous round r, r ≥ 0, is run by a dynamically created committee whose members are selected among all the users (i.e. UTXO owners) of the system at round r. Selection is achieved in a random, unpredictable, and non-interactive way. To prevent an adaptive adversary from manipulating committee members during round r, r ≥ 0, the action of each committee member is limited to a unique step of computation followed by a unique step of communication. Hence, if the adversary eavesdrops a message from a committee member u, it is too late for him to manipulate u since u will not execute any more steps in round r, and possibly in any other round of the algorithm. Recall that users are "short-lived" (a user is alive as long as its UTXO has not been spent). Selection relies on a proof-of-eligibility. Since Algorand [7], Proof-of-Eligibilities (PoEs) have become essential in the design of permissionless distributed ledgers. PoEs allow us to decide who is in charge of executing an action. When the eligibility is found out by each one individually, it is called a cryptographic sortition scheme, i.e. the opportunity to determine if you are the winner of a "lottery" depends on you alone. Cryptographic sortition needs to fulfill three main properties. First, entities should be able to determine by themselves whether they are eligible to perform a certain action. Second, the eligibility should be verifiable by other entities. Third, a cryptographic sortition is associated with a single identity, i.e. entities need to be sure that the proof was generated by the entity claiming it. Additionally, one would also like the proof to be indistinguishable from random. Note that in contrast to cryptographic sortition, PoW cannot be attributed to a single user, which explains the development of mining pools. Concretely, cryptographic sortition relies on the properties of verifiable random functions (VRFs) [10] and random sampling. The idea of our algorithm is to select, at each round of the algorithm, a random subset of users proportionally to the amount of stake credited on user UTXOs. Correctness of our cryptographic sortition is ensured by guaranteeing that no obvious Byzantine strategy, such as a concentration of the stake on a single manipulated UTXO or a massive sub-division of stake on a multitude of compromised UTXOs (Sybil attack), can bias user random selection. Mitigating the impact of the former strategy is achieved by assuming an upper bound on the amount of stake credited on UTXOs. Note that this is not a constraint since each user may create an arbitrarily large number of UTXOs and the number of transaction outputs is not upper bounded. The way we mitigate Sybil attacks is presented later in the paper.

Rule 1. Any UTXO stake amount is bounded by constant U.

Note that in Algorand [7], the selection of users is done proportionally to the total amount of stake they own. Such a solution allows the adversary to prevent progress of the algorithm by launching DoS attacks on the wealthiest users. Indeed, by construction of cryptographic sortition, everyone can verify the voting weight of any committee member. Thus the adversary can observe and detect the wealthiest users along the rounds of the algorithm (those with high voting weight), and make a DoS attack on them. By doing this, the adversary will prevent round progress by making the number of votes within any given round insufficient.

Cryptographic sortition exports two functions: the DRAW and VERIFYDRAW functions. Function DRAW is a private function which allows users (i) to determine by themselves whether they are selected as a committee member of a given round r of the consensus algorithm, and (ii) to provide later and if necessary a proof of soundness of this selection. The DRAW function, whose pseudo-code is given in Algorithm 1, when invoked by UTXO <sk_u, pk_u>, has five arguments: the secret key sk_u of the UTXO, a seed seed from which comes the randomness of the sortition, the expected number of stake units τ selected by the current sortition, the amount of stake w_u credited on UTXO <sk_u, pk_u>, and the total current amount of currency units W owned by all the users of the system. Computation of the seed is based on the most recent pieces of information known by every user. In our case, this is the hash of the last created block, that is, the hash of the decision value decided by the preceding instance of the Merged-Consensus. In the following we omit the instance number as a parameter of the Merged-Consensus algorithm so as not to overload the pseudo-codes. The knowledge of W is obtained by successively reading all the blocks of the blockchain. Function DRAW is made of two steps: first a call to a VRF function which calculates a random and verifiable number h_u, and then a weighted random sampling seeded with h_u. The weighted random sampling computes the voting weight vote_u of UTXO <sk_u, pk_u> during round r according to the amount of stake credited on this UTXO. This voting weight is
Algorithm 1: Draw function invoked by UTXO <sk_u, pk_u>
1 Function Draw(sk_u, seed, τ, w_u, W) is
2   <h_u, π_u> ← VRF_{sk_u}(seed)
3   vote_u ← 0
4   for j in {0, ..., w_u − 1} do
5     if h_u / 2^256 < P{B(w_u, τ/W) ≤ j} then
6       vote_u++
7   return vote_u, π_u

used by UTXO <sk_u, pk_u> during round r of the consensus algorithm. If vote_u is equal to 0, user u cannot participate in the r-th round of the consensus algorithm. Otherwise, vote_u gives u the right to belong to the committee of round r, and represents the weight of u's vote during round r.

Specifically, let vote_u be the random variable representing the voting weight of UTXO <sk_u, pk_u> as computed by function DRAW. Random variable vote_u has a binomial distribution B(w_u, p) where probability p is equal to τ/W. The probability that UTXO <sk_u, pk_u> is selected is thus 1 − (1 − τ/W)^{w_u}. By independence of binomial distributions, whatever the sub-division w_1 + w_2 = w of w, the distribution of the weight associated with w is the same as the sum of the weights associated with w_1 and w_2: B(w, p) = B(w_1, p) + B(w_2, p). This guarantees that an adversary has no advantage in launching a Sybil attack: an adversary can create as many accounts as it wants, what will influence the probability of winning is the total amount of stake, not the number of accounts.

Function VERIFYDRAW is a public function (known to all users), whose pseudo-code appears in Algorithm 2. It allows each user to verify the legitimacy of UTXO <sk_u, pk_u> to get a voting weight vote. This function is similar to DRAW except that it is called with the public key pk_u of the UTXO and proof π_u.

Algorithm 2: VerifyDraw function invoked by any user
1 Function VerifyDraw(pk_u, π_u, seed, τ, w_u, W) is
2   h ← VERIFVRF(pk_u, π_u, seed)
3   vote ← 0
4   for j in {0, ..., w_u − 1} do
5     if h / 2^256 < P{B(w_u, τ/W) ≤ j} then
6       vote++
7   return vote

Any honest¹ user of the system invokes the Merged-Consensus algorithm (invocation of Propose()), but participation in round r, r ≥ 0, depends on the outcome of the Draw function. From the above, in expectation, for each round r, τ stake units are randomly selected among the W stake units of the system. Let us now present in more detail an execution of the Merged-Consensus algorithm, whose pseudo-code is presented in Algorithm 3. In the following we assume that the following parameters are public knowledge: the seed of the current instance of the consensus, the expected number of stake units τ selected by the lottery, the total amount of stake W in the system, µ ∈ (0, 1), and λ ∈ (0, 1), whose values are analyzed in Section V.

Algorithm 3: Merged-Consensus algorithm invoked by UTXO <pk_u, sk_u> whose stake is equal to w_u
1 Propose():
2   Initialization:
3     r ← 0
4     IsFinal = ⊥
5     (vote_u, π_u) ← DRAW(sk_u, seed||r, τ, w_u, W)
6     if vote_u > 0 then
7       T_u ← set of pending transactions
8       m_u ← <IsFinal, 0, (pk_u, π_u), T_u, ∅, vote_u>
9       BROADCAST(m_u) to all users of the system
10    r ← r + 1
11  repeat
12    (vote_u, π_u) ← DRAW(sk_u, seed||r, τ, w_u, W)
13    if vote_u > 0 then
14      M_u ← COLLECTMESSAGES(r)
15      T_u, IsFinalCnt ← TRANSACMERGE(M_u)
16      IsFinal ← (IsFinalCnt > 0)
17      if for any m_i, m_j ∈ M_u, m_i.T_i = m_j.T_j then
18        IsFinal ← TRUE
19      if r = 2 and IsFinal = false then
20        T_u ← TRANSACFREQUENCY(M_u)
21      m_u ← <IsFinal, r, (pk_u, π_u), T_u, M_u, vote_u>
22      BROADCAST(m_u)
23    r ← r + 1
24  until IsFinalCnt ≥ µτ;
25  decision = T_u
26  return decision

As previously said, the input values of the consensus are the sets of (financial) transactions pending at users. By doing so, we can legitimately talk about the validity of a transaction. A transaction is valid if none of its referenced UTXOs have already been spent in some transaction belonging to a previous decision value (i.e., in a block belonging to the blockchain). In the following we assume that only valid transactions are proposed.

a) Round r = 0: committee members propose their sets of pending transactions: Let u be the owner of UTXO <pk_u, sk_u> that successfully passed the DRAW function for round 0, i.e., vote_u > 0. User u proposes its set of transactions T_u by broadcasting the message m_u = <⊥, 0, (pk_u, π_u), T_u, ∅, vote_u> to all the users (Line 9 of Algorithm 3).

b) Round r > 0: committee members collect and merge proposed transactions: Each round r > 0 is made of the following two steps: collection of broadcast messages, and construction of the final set of transactions, together with the proof that those sets of transactions have been initially

¹ Recall that we cannot compel Byzantine users to follow the protocol.
broadcast in round r = 0.

• Collecting messages (pseudo-code given in Algorithm 4): This step consists, for committee members of round r, in collecting sufficiently many messages broadcast during round r − 1. By sufficiently many, we mean that the total number of votes of the senders of these messages must be larger than µτ. Conditions on the value of µτ are provided in Section IV-A. To guarantee the convergence on a unique set of transactions with high probability, we first need to guarantee that messages only contain transactions that have been initially sent in round r = 0, and second we need to prevent the adversary from withholding the transactions it sent during round r = 0, and then progressively making honest committee members discover them during subsequent rounds. The first case is guaranteed by providing in message m_u a proof (data structure M_u) asserting that all collected transactions have been initially proposed by the committee members of the previous round, and thus by induction by those of round r = 0. The second case is handled in round r = 2 and is detailed below. Note that Lines 14–18 of Algorithm 4 penalize a UTXO for sending several messages in the same round.

• Building the final set of transactions (pseudo-code given in Algorithm 5): Once valid messages have been collected, any committee member u tries to build the final set of transactions. Specifically, if r = 1, then the preliminary final set of transactions T_u contains the union of all the transactions received by u during the round and variable IsFinalCnt = 0. It may happen that all the committee members of round r = 0 broadcast the same set of transactions, in which case the final set of transactions will not evolve anymore (Boolean IsFinal is set to true). Set T_u together with the set of collected messages M_u (which acts as a proof for T_u) is broadcast to all the users (recall that committee members of any round r are not known and thus all messages must be broadcast to all users). Round r = 2 is particular and its objective is twofold: achieving faster convergence to the final set of transactions and preventing the adversary from withholding the transactions it sent during round r = 0, and then progressively making honest committee members discover them during subsequent rounds. This is achieved by keeping in the final set of transactions (i.e., T_u) only transactions that have received sufficiently many votes (i.e. λµτ). Parameter λ can be seen as a broadcast factor, whose value is discussed in Section IV-A. As for round r = 1, set T_u together with the set of collected messages M_u (which acts as a proof for T_u) is broadcast to all the users for the next round of the algorithm. Subsequent rounds r > 2 are run until convergence to the same set of transactions is reached. Convergence to the same final transaction set occurs when some user u receives sufficiently many messages from the previous round where the IsFinal argument is set to TRUE. Again, by sufficiently many, we mean that the cumulative votes of these messages is larger than µτ.

Algorithm 4: Collect Messages function invoked by <pk_u, sk_u>
1 Function COLLECTMESSAGES(r):
2   M_u, SeenUsers, BadUsers ← ∅, ∅, ∅
3   WeightCnt ← 0
4   while WeightCnt < µτ do
5     when m_j is received do:
6       v ← VERIFYDRAW(m_j.pk_j, m_j.π_j, seed||(r − 1), τ, m_j.vote_j, W)
7       if v = m_j.vote_j and Valid(m_j.M_j) = true then
8         if pk_j ∉ SeenUsers ∪ BadUsers then
9           if VerifyAllTrans(T_j) then
10            WeightCnt ← WeightCnt + vote_j
11            SeenUsers ← SeenUsers ∪ {pk_j}
12            M_u[pk_j] ← m_j
13        else
14          if pk_j ∈ SeenUsers and M_u[pk_j] ≠ m_j then
15            WeightCnt ← WeightCnt − vote_j
16            SeenUsers ← SeenUsers \ {pk_j}
17            BadUsers ← BadUsers ∪ {pk_j}
18            delete(M_u[pk_j])
19  return M_u

Algorithm 5: Construction of the final set of transactions. Functions invoked by <pk_u, sk_u>
1 Function TRANSACMERGE(M_u):
2   IsFinalCnt ← 0
3   T_u ← ∅
4   for each m_j ∈ M_u do
5     if IsFinalCnt = 0 then
6       if m_j.IsFinal then
7         IsFinalCnt += m_j.vote_j
8         T_u ← m_j.T_j
9       else
10        T_u ← T_u ∪ m_j.T_j
11    else
12      if m_j.IsFinal then
13        IsFinalCnt += m_j.vote_j
14  return T_u, IsFinalCnt
15 Function TRANSACFREQUENCY(M_u):
16   WeightPerTransaction, T_u ← ∅, ∅
17   for each m_j ∈ M_u do
18     for each t ∈ m_j.T_j do
19       WeightPerTransaction[t] += m_j.vote_j
20   for each t ∈ WeightPerTransaction do
21     if WeightPerTransaction[t] ≥ λµτ then
22       T_u ← T_u ∪ {t}
23   return T_u
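The cryptographic sortition of Algorithms 1 and 2, as an added example that is not part of the paper: the VRF is replaced by a constructed keyed-hash stand-in (so `pk` and `sk` are the same key and it is not a real VRF), the weighted random sampling inverts the binomial CDF at h/2^256 so that vote_u follows B(w_u, τ/W) as Section IV states, and `sybil_split_matches` checks term by term that B(w_1, p) + B(w_2, p) = B(w_1 + w_2, p), the property that removes any advantage from sub-dividing stake. All keys, seeds and stake amounts below are constructed.

```python
import hashlib
import hmac
from math import comb

HASH_BITS = 256  # the division h_u / 2^256 in Algorithms 1 and 2


def binom_pmf(w, p, k):
    """P{B(w, p) = k}."""
    return comb(w, k) * p ** k * (1 - p) ** (w - k)


def binom_cdf(w, p, j):
    """P{B(w, p) <= j}, the threshold used by the weighted random sampling."""
    return sum(binom_pmf(w, p, k) for k in range(j + 1))


def vrf_stub(key, alpha):
    """Constructed stand-in for <h, pi> = VRF_sk(alpha). A real VRF is verified with
    pk alone; this keyed hash uses the same key on both sides, which is enough to
    exercise the sortition logic but is NOT a verifiable random function."""
    proof = hmac.new(key, alpha, hashlib.sha256).digest()
    return int.from_bytes(proof, "big"), proof


def weighted_sample(h, w, p):
    """Weighted random sampling seeded with h: with x = h / 2^256, return the
    smallest j with x < P{B(w, p) <= j}. Because x is uniform on [0, 1), the
    returned voting weight follows B(w, p), as stated in Section IV."""
    x = h / 2 ** HASH_BITS
    for j in range(w + 1):
        if x < binom_cdf(w, p, j):
            return j
    return w  # only reachable through float rounding, since CDF(w) = 1


def draw(sk, seed, tau, w, W):
    """Algorithm 1: private sortition of a UTXO credited with stake w."""
    h, proof = vrf_stub(sk, seed)
    return weighted_sample(h, w, tau / W), proof


def verify_draw(pk, proof, seed, tau, w, W):
    """Algorithm 2: public check of a claimed weight; 0 when the proof does not verify."""
    h, expected = vrf_stub(pk, seed)  # stand-in for VERIFVRF(pk, proof, seed)
    if not hmac.compare_digest(expected, proof):
        return 0
    return weighted_sample(h, w, tau / W)


def selection_probability(w, p):
    """P{vote_u > 0} = 1 - P{B(w, p) <= 0} = 1 - (1 - p)^w."""
    return 1 - binom_cdf(w, p, 0)


def sybil_split_matches(w1, w2, p, tol=1e-12):
    """Convolve the pmfs of B(w1, p) and B(w2, p) and compare with B(w1 + w2, p):
    splitting stake over two UTXOs leaves the total voting weight's law unchanged."""
    w = w1 + w2
    for k in range(w + 1):
        conv = sum(binom_pmf(w1, p, i) * binom_pmf(w2, p, k - i)
                   for i in range(max(0, k - w2), min(w1, k) + 1))
        if abs(conv - binom_pmf(w, p, k)) > tol:
            return False
    return True


if __name__ == "__main__":
    sk = b"constructed secret key of UTXO u"  # constructed; pk == sk for the stub
    seed = hashlib.sha256(b"constructed previous block").digest() + b"|r=0"
    tau, w_u, W = 100, 50, 10_000  # expect tau of the W stake units per round
    vote, proof = draw(sk, seed, tau, w_u, W)
    print("vote_u =", vote, "verified =", verify_draw(sk, proof, seed, tau, w_u, W))
    print("P{selected} = %.4f" % selection_probability(w_u, tau / W))
    print("split 20+30 behaves as 50:", sybil_split_matches(20, 30, tau / W))
```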
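One committee member's round-2 computation from Algorithms 3, 4 and 5, as an added example that is not the paper's code: `collect_messages` applies the quorum loop and the Lines 14–18 penalty for a UTXO that sends two different messages in the same round, `transac_merge` and `transac_frequency` follow Algorithm 5, and the messages are constructed; the VerifyDraw, Valid(M_j) and VerifyAllTrans checks are assumed already evaluated and carried as a `valid` flag.

```python
from collections import namedtuple

# Constructed message shape following <IsFinal, r, (pk_u, pi_u), T_u, M_u, vote_u>;
# `valid` stands in for the VerifyDraw / Valid(M_j) / VerifyAllTrans checks.
Msg = namedtuple("Msg", "is_final r pk T M vote valid")


def collect_messages(incoming, mu_tau):
    """Algorithm 4 over an in-order list of received messages (stand-in for the
    'when m_j is received' event). Returns (M_u, WeightCnt, BadUsers)."""
    M, seen, bad, weight = {}, set(), set(), 0
    for m in incoming:
        if weight >= mu_tau:  # while WeightCnt < mu*tau
            break
        if not m.valid:
            continue
        if m.pk not in seen and m.pk not in bad:
            weight += m.vote
            seen.add(m.pk)
            M[m.pk] = m
        elif m.pk in seen and M[m.pk] != m:
            # Lines 14-18: a second, different message from the same UTXO in the
            # same round removes its earlier contribution and bans the UTXO.
            weight -= m.vote
            seen.discard(m.pk)
            bad.add(m.pk)
            del M[m.pk]
    return M, weight, bad


def transac_merge(M):
    """Algorithm 5, TRANSACMERGE: union of proposals until a final vote is seen,
    then the final set together with the cumulated weight of final votes."""
    is_final_cnt, T = 0, frozenset()
    for m in M.values():
        if is_final_cnt == 0:
            if m.is_final:
                is_final_cnt += m.vote
                T = m.T
            else:
                T = T | m.T
        elif m.is_final:
            is_final_cnt += m.vote
    return T, is_final_cnt


def transac_frequency(M, lam_mu_tau):
    """Algorithm 5, TRANSACFREQUENCY (round 2): keep only transactions carried by
    at least lambda*mu*tau votes."""
    weight = {}
    for m in M.values():
        for t in m.T:
            weight[t] = weight.get(t, 0) + m.vote
    return frozenset(t for t, w in weight.items() if w >= lam_mu_tau)


def round_2_step(incoming, mu_tau, lam):
    """Lines 14-20 of Algorithm 3 for a round-2 committee member."""
    M, weight, bad = collect_messages(incoming, mu_tau)
    T, is_final_cnt = transac_merge(M)
    is_final = is_final_cnt > 0 or len({m.T for m in M.values()}) == 1
    if not is_final:
        T = transac_frequency(M, lam * mu_tau)
    return T, is_final, is_final_cnt, bad


# Constructed round-1 messages as received by one round-2 member, with
# mu*tau = 10 and lambda = 0.5 (so lambda*mu*tau = 5).
MU_TAU, LAMBDA = 10, 0.5
ROUND_1_MESSAGES = [
    Msg(False, 1, "pk1", frozenset({"t1", "t2"}), None, 4, True),
    Msg(False, 1, "pk2", frozenset({"t1", "t3"}), None, 3, True),
    Msg(False, 1, "pk3", frozenset({"t1"}), None, 2, True),
    Msg(False, 1, "pk3", frozenset({"t1", "t9"}), None, 2, True),   # equivocation
    Msg(False, 1, "pk4", frozenset({"t1", "t2"}), None, 5, False),  # fails verification
    Msg(False, 1, "pk5", frozenset({"t1", "t2"}), None, 3, True),
    Msg(False, 1, "pk6", frozenset({"t1"}), None, 2, True),         # quorum already met
]
# Constructed later-round messages in which two members already cast a final vote.
FINAL_MESSAGES = [
    Msg(True, 3, "pk1", frozenset({"t1", "t2"}), None, 4, True),
    Msg(True, 3, "pk2", frozenset({"t1", "t2"}), None, 3, True),
    Msg(False, 3, "pk5", frozenset({"t1", "t2", "t3"}), None, 3, True),
]

if __name__ == "__main__":
    print(round_2_step(ROUND_1_MESSAGES, MU_TAU, LAMBDA))
    print(transac_merge(collect_messages(FINAL_MESSAGES, MU_TAU)[0]))
```

In the first scenario t3 is carried by only 3 votes, below λµτ = 5, so the round-2 broadcast factor drops it; in the second, IsFinalCnt = 7 is still below µτ = 10, so Line 24 of Algorithm 3 does not yet decide.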
A. Validity conditions

Correctness of the Merged-Consensus algorithm imposes the following conditions on µτ.

a) Size of the Byzantine quorum: Any committee member relies on a Byzantine quorum of µτ votes to make a decision. In the sequel, we introduce three conditions that any Byzantine quorum must verify to guarantee the safety and liveness properties of our algorithm. As explained earlier (see Section IV), the number of users selected as committee members of round r is such that their cumulative stake at round r follows a binomial law B(W, τ/W). We denote by X_r this random variable. We also define by X_r^H (resp. by X_r^A) the honest (resp. adversary) stakes selected at round r among X_r. We thus have X_r = X_r^H + X_r^A for any r ≥ 0.

The first condition is a liveness condition stating that there exists a Byzantine quorum composed solely of honest users with any high probability (w.h.p.). For any r ≥ 0,

$P\{X_r^H \le \mu\tau\} \le \varepsilon.$ (C1)

The second condition is a safety condition guaranteeing that even if the adversary combines all his votes, they will not exceed a certain proportion α ∈ (0, 1) of the quorum w.h.p.

$P\{X_r^A > \alpha\mu\tau\} \le \varepsilon.$ (C2)

The third condition is a uniqueness condition which ensures that any two quorums in the same round necessarily intersect.

$P\{X_r > 2\mu\tau\} \le \varepsilon.$ (C3)

As we will see later, two major properties of our algorithm can be derived from the uniqueness condition: two "final decisions" cannot emerge from the same round (see Theorem 1), and a final vote is always unique.

The broadcast factor λ which appears in Round 2 (see Section IV) aims at preventing the adversary from withholding the transactions it sent during round r = 0, and then progressively making honest committee members discover them during subsequent rounds.

Let us assume without loss of generality that U = 1, i.e., users wait for exactly ⌈µτ⌉ messages. Let us consider the worst-case scenario: the adversary plays with the broadcast factor to exclude a transaction t broadcast by solely one honest user at round 0. The adversary does not include t in any of his transaction sets at round 0, and sends his X_0^A sets of transactions to all honest users to reduce their chances to receive t. We denote by X_{1,t}^H the number of honest committee members who keep transaction t at round 1. X_{1,t}^H follows a binomial law of parameters X_1^H and p_1(t) := (⌈µτ⌉ − X_0^A)/X_0^H. The adversary still tries to withhold t and sends his X_1^A transaction sets to all users during round 1. Let N_u(t) be the number of sets containing transaction t at honest user u at round 2. Since user u has ⌈µτ⌉ − X_1^A sets to select among the X_1^H honest ones, X_{1,t}^H of which contain t, N_u(t) follows a hypergeometric distribution

$N_u(t) \sim H(\lceil\mu\tau\rceil - X_1^A,\ X_1^H,\ X_{1,t}^H).$

Hence, for any u ∈ ⟦1, X_2^H⟧, λ must verify, for any transaction t broadcast at round 0,

$P\left(\bigcup_{u=1}^{X_2^H} \left(N_u(t) < \lambda\mu\tau\right)\right) < \varepsilon.$ (C4)

Assuming that λµτ ≥ 1, Condition (C4) implies that N_u(t) ≥ λµτ ≥ 1 w.h.p. for any honest user u that participated in round 2 of the algorithm. In other words, transaction t will be seen by each honest user by round 2 (and thus by any committee member in charge of round 2), which shows that honest transactions spread across the network in a small number of rounds.

V. ANALYSIS

This section is dedicated to the analysis of our Merged-Consensus algorithm. In the sequel, we assume that conditions C1, C2, C3 and C4 hold and that λµτ ≥ 1 and U = 1.

Theorem 1 (Agreement). For any honest users u and v that respectively decide dec_u and dec_v, then dec_u = dec_v with probability 1 − ε.

Proof. A user decides once it has received more than µτ final votes (i.e. where IsFinal is TRUE). By construction of the algorithm (Lines 14–18 of Algorithm 4) each user votes solely once per round, and (C3) ensures that with probability at most 1 − ε there are strictly less than 2µτ votes per round. Consequently, there cannot be more than one set of transactions in a round acknowledged by more than µτ votes: the acknowledged transaction set is thus unique. Finally, (C2) guarantees that any Byzantine quorum must contain at least one honest UTXO's owner w.h.p. This ensures that the set of acknowledged transactions has been acknowledged by at least one honest user w.h.p.

Theorem 2 (Validity). Any transaction t belonging to an honest set broadcast at round 0 will appear in the final decision with probability 1 − ε.

Proof. Condition (C4) states that any transaction t broadcast at round 0 will belong to the sets of all honest members of round 2 with probability 1 − ε. Condition (C2) imposes that any committee member of round 3 uses at least µτ − X_2^A > (1 − α)µτ ≥ 1 honest sets from round 2. Thus, all committee members of round 3 will have t in their sets, which will therefore necessarily be part of the decision value of the algorithm.

The following lemma provides an upper bound on the number of transactions, proposed by the adversary, that can be delayed in round 2.

Lemma 1 (Upper bound on the number of delayed transactions). The adversary can delay at most ⌊α/λ⌋ of its own transaction sets at round 2 with probability 1 − ε.

Proof. Let S^A be the set of transaction sets delayed by the adversary, i.e. the transaction sets secretly exchanged by the adversary during the first two rounds. Recall that Condition
(C4) ensures that a transaction $t \in S$ is accepted at Round 2 only if set $S$ is composed of more than $\lceil \lambda\mu\tau \rceil$ sets proposed at round 1. Therefore, if the adversary wishes to delay several sets, he must use at least $\lceil \lambda\mu\tau \rceil$ of his own selected users at round 1 to keep each set (these sets of selected users must be pairwise distinct, otherwise the sets of transactions will be aggregated and from then on will behave as the same set). Recall that the number of selected Byzantine users at round 1 is $X_1^A$; the maximum number of sets the adversary can delay is thus $\mathrm{Card}(S^A) = \lfloor X_1^A / (\lambda\mu\tau) \rfloor < \lfloor \alpha/\lambda \rfloor$, since, according to Condition (C1), we have $X_1^A < \alpha\mu\tau$ with probability $1 - \varepsilon$.

Finally, we can provide an upper bound on the number of rounds necessary for our algorithm to terminate.

Theorem 3 (Termination). Algorithm 3 completes in a finite number of rounds $r$, and $r$ is upper bounded by $r_{\max}$ with $r_{\max} = 3(\lfloor \alpha/\lambda \rfloor + 1)$ with probability $1 - \varepsilon$.

To prove Theorem 3, we need the following lemma.

Lemma 2. Let $S_{i,r} = \{S_{i,r}^H, S_{j,r}^A\}$ with $i \in [\![1, X_r^H]\!]$ and $j \in [\![1, X_r^A]\!]$ be the sets of honest (resp. Byzantine) members participating at round $r \geq 2$. For any transaction $t$ belonging to an honest set broadcast at round $r$, we have with high probability that

$\forall i \in [\![1, X_{r+2}^H]\!],\ t \in S_{i,r+2}^H \quad \text{and} \quad \forall i \in [\![1, X_{r+3}]\!],\ t \in S_{i,r+3}.$

Proof. We apply the same approach as the one used for the broadcast factor, see Condition (C4). Using that our results remain valid for any transaction $t$ broadcast in an honest set at any round $r \geq 2$, for any member $u$ of round $r+2$, and with high probability, we have $N_u(t) \geq \lambda\mu\tau \geq 1$. Then, all honest members of round $r+2$ will receive with high probability at least one set containing $t$, and hence add it to their set. That is, $\forall i \in [\![1, X_{r+2}^H]\!],\ t \in S_{i,r+2}^H$. Furthermore, similarly to Theorem 2, Condition (C2) imposes that any committee member of round $r+3$ must use at least $\mu\tau - X_{r+2}^A > (1 - \alpha)\mu\tau \geq 1$ honest sets from round $r+2$. Thus, all committee members of round $r+3$ will have $t$ in their sets. That is, $\forall i \in [\![1, X_{r+3}]\!],\ t \in S_{i,r+3}$.

This lemma guarantees that any transaction broadcast at round $r$ by an honest user will belong to all honest sets at round $r+2$, and to all sets (whether honest or malicious) at round $r+3$. We can now prove Theorem 3.

Proof (Theorem 3). We first introduce some notation: for any $r \geq 1$, let $S_r^H := \bigcup_i S_{i,r}^H$ and

$S_{3r}^{\mathrm{new}} := \{ S \in S^A \mid S \cap S_{3(r-1)}^H = \emptyset \text{ and } S \cap S_{3r}^H \neq \emptyset \}$

be the "new" transaction sets which appeared to honest members between rounds $3(r-1)$ and $3r$. Due to the aggregation procedure, it is straightforward that $S_{3(r-1)}^H \subset S_{3r}^H$. Thus the sets of the sequence $(S_{3r}^{\mathrm{new}})_{r \in \mathbb{N}^*}$ are pairwise distinct. Furthermore, $\forall r \geq 1$, $S_{3r}^{\mathrm{new}} \subset S^A$, which is a finite set according to Lemma 1. Thus $\exists r \in \mathbb{N}$ such that $S_{3r}^{\mathrm{new}} = \emptyset$. We denote by $r_0$ the smallest $r \in \mathbb{N}^*$ meeting this condition. According to Lemma 2, $\forall i \in [\![1, X_{3r}^H]\!]$, $S_{3(r-1)}^H \subset S_{i,3r-1}^H$. In other words, any honest user that does not see a new transaction between rounds $3(r-1)$ and $3r$ received only messages from round $3r-1$ containing the exact same set $S_{3(r-1)}^H$, and hence broadcasts a final vote. Then, if $S_{3r}^{\mathrm{new}} = \emptyset$, it means that no honest member has seen any new transaction between rounds $3(r-1)$ and $3r$. All honest members will then broadcast a final vote, which will be accepted by all other honest committee members since, by Condition (C1), we have $X_{3r}^H \geq \mu\tau$ with probability $1 - \varepsilon$. The consensus algorithm completes by round $3r_0$. Since $\sum_{r=1}^{r_0 - 1} \mathrm{Card}(S_{3r}^{\mathrm{new}}) < \mathrm{Card}(S^A)$ and $\forall r \in [\![1, r_0 - 1]\!]$, $\mathrm{Card}(S_{3r}^{\mathrm{new}}) \geq 1$, we have $r_0 \leq \mathrm{Card}(S^A) + 1 \leq \lfloor \alpha/\lambda \rfloor + 1$, which shows that the number of rounds is upper bounded by $3r_0 \leq 3(\lfloor \alpha/\lambda \rfloor + 1)$ rounds.

A. Relating parameters of the algorithm

We now detail how to set the values of the different parameters of the algorithm. From the following parameters,
• the proportion of stakes $p_A$ controlled by the adversary,
• the mean number of selected stakes per round $\tau$,
• the total amount of stake $W$ in the system,
• the maximal number of rounds $r_{\max}$, and
• the threshold parameter $\varepsilon$,
we obtain parameters $\alpha$, $\mu$ and $\lambda$.

a) Parameters $\tau$ and $W$: First, note that parameters $W$ and $\tau$ are tightly linked through the binomial sampling procedure (see Section IV). Indeed, the proportion of stakes $p$ selected among the $W$ stakes of the system is such that $\tau = pW$. We thus just need to focus on $\tau$, the mean number of stakes selected at each round. In the sequel, we assume that $W \to +\infty$, which enables us to apply the Poisson approximation of the binomial law $X \sim \mathcal{B}(W, \tau/W)$, as has been done for Algorand [7]. Such a result is rather classic (e.g., see [9]) and says that $X$ can be approximated by $Y \sim \mathcal{P}(\tau)$. We can also use the Poisson approximation $Y^H \sim \mathcal{P}(\tau p_H)$ of $X^H \sim \mathcal{B}(W, \tau p_H / W)$.

b) Parameter $\mu$: Parameter $\mu$ depends on parameters $\tau$, $\varepsilon$ and $p_A$. From Conditions (C1) and (C3), we get a maximal and a minimal bound for $\mu$, denoted by $\mu^+$ and $\mu^-$ respectively. We have

$\mu^+(\tau, \varepsilon, p_A) := \max\{\mu \in [0, 1] \text{ s.t. Condition (C1) holds}\}$ and $\mu^-(\tau, \varepsilon) := \min\{\mu \in [0, 1] \text{ s.t. Condition (C3) holds}\}.$ (1)

Note that $\mu^+$ depends on $p_A$ although $\mu^-$ does not. Clearly, Conditions (C1) and (C3) are simultaneously satisfied when $\mu^- \leq \mu^+$. Figure 1 represents the evolution of $\mu^-$ and $\mu^+$ as a function of $\tau$, with $p_A = 0.1, 0.2$ and $0.3$ and $\varepsilon = 10^{-15}$. We observe that there is a threshold value $\tau_\mu = 3,768$ that increases with $p_A$, below which Conditions (C1) and (C3) are not simultaneously satisfied (i.e., $\mu^- > \mu^+$). Figure 1 illustrates the behaviors of parameters $\mu^-$, $\mu^+$, $\alpha$ and $\lambda$ as a function of $\tau$.
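The worst-case computation that opens this section (a single honest sender of $t$ at round 0, the adversary pushing its $X_0^A$ and then $X_1^A$ sets to everyone) and the bound $N_u(t) \geq \lambda\mu\tau$ used in the proof of Lemma 2 can be evaluated exactly. The following Python code is an added example and not code from the paper: it mixes the hypergeometric law of $N_u(t)$ over the binomial law of $X_{1,t}^H$, with the parameters exactly as defined above, and then reads off the largest number of copies of $t$ that a round-2 member can rely on with probability $1 - \varepsilon$. All parameter values in it are constructed; the function guaranteed_copies reflects our reading of Condition (C4), whose exact statement is not reproduced on this page.

```python
import math

# Added example (not the paper's code): exact evaluation of the worst-case
# model used for the broadcast factor, in the paper's notation:
#   X_0^H, X_0^A : honest / adversarial sets sent at round 0
#   X_1^H, X_1^A : honest / adversarial committee members at round 1
#   ceil(mu*tau) : number of messages a member waits for (U = 1)
#   X_{1,t}^H ~ B(X_1^H, p_1(t)),  p_1(t) = (ceil(mu*tau) - X_0^A) / X_0^H
#   N_u(t)     ~ hypergeometric(X_1^H, X_{1,t}^H, ceil(mu*tau) - X_1^A)
# The numerical values used below are constructed for illustration.


def log_comb(n: int, k: int) -> float:
    """log C(n, k) via lgamma; callers guarantee 0 <= k <= n."""
    return math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)


def binom_pmf(m: int, n: int, p: float) -> float:
    """P(B(n, p) = m)."""
    if m < 0 or m > n:
        return 0.0
    if p <= 0.0:
        return 1.0 if m == 0 else 0.0
    if p >= 1.0:
        return 1.0 if m == n else 0.0
    return math.exp(log_comb(n, m) + m * math.log(p) + (n - m) * math.log1p(-p))


def hypergeom_pmf(k: int, population: int, successes: int, draws: int) -> float:
    """P(N = k): `draws` sets chosen without replacement among `population`
    sets, `successes` of which contain the transaction of interest."""
    if k < 0 or k > successes or k > draws or draws - k > population - successes:
        return 0.0
    return math.exp(log_comb(successes, k)
                    + log_comb(population - successes, draws - k)
                    - log_comb(population, draws))


def prob_received(x0_h, x0_a, x1_h, x1_a, mu_tau_ceil, k=1):
    """P(N_u(t) >= k) for an honest member u of round 2 in the worst case of
    Section V: t was sent by a single honest user at round 0 and the adversary
    sends all of its X_0^A (then X_1^A) sets to everyone to crowd t out.
    The hypergeometric law of N_u(t) is mixed over the binomial law of X_{1,t}^H."""
    p1 = (mu_tau_ceil - x0_a) / x0_h            # chance a round-1 member kept t
    draws = min(mu_tau_ceil - x1_a, x1_h)        # honest round-1 sets u still selects
    if draws <= 0 or p1 <= 0.0:
        return 0.0
    p1 = min(p1, 1.0)
    total = 0.0
    for m in range(x1_h + 1):                    # m = X_{1,t}^H
        pm = binom_pmf(m, x1_h, p1)
        if pm == 0.0:
            continue
        p_lt_k = sum(hypergeom_pmf(j, x1_h, m, draws) for j in range(k))
        total += pm * (1.0 - p_lt_k)
    return min(max(total, 0.0), 1.0)


def guaranteed_copies(x0_h, x0_a, x1_h, x1_a, mu_tau_ceil, eps):
    """Largest k with P(N_u(t) >= k) >= 1 - eps: the number of copies of t a
    round-2 member can count on with probability 1 - eps. Under our reading of
    Condition (C4) (not reproduced on this page), the broadcast threshold
    ceil(lambda*mu*tau) must not exceed this value, otherwise t is rejected."""
    k = 0
    while k + 1 <= x1_h and prob_received(x0_h, x0_a, x1_h, x1_a, mu_tau_ceil, k + 1) >= 1.0 - eps:
        k += 1
    return k


if __name__ == "__main__":
    # Constructed committee sizes: 45 honest / 12 adversarial sets at round 0,
    # 43 honest / 11 adversarial members at round 1, ceil(mu*tau) = 50.
    print(prob_received(45, 12, 43, 11, 50))
    print(guaranteed_copies(45, 12, 43, 11, 50, 1e-6))
```

Two regimes are visible when playing with the inputs: when the adversarial sets fill almost all of the $\lceil \mu\tau \rceil$ slots ($p_1(t)$ close to zero), guaranteed_copies collapses to zero, which is the regime in which the paper reports $\lambda^+$ and $\lambda^-$ vanishing for small $\tau$; with $\tau$ large enough the guaranteed count grows roughly with $\lceil \mu\tau \rceil - X_1^A$, which is what makes a positive broadcast factor sustainable.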
[Fig. 1: three plots, each over $\tau$ from 0 to 4,500. Top: $\mu^-$ and $\mu^+$ (y axis 0 to 1), annotated with the thresholds $\tau_\mu = 805$, $1,331$ and $3,741$. Middle: $\alpha^+$ and $\alpha^-$ (y axis 0 to 2) with the $\alpha = 1$ line, annotated with $\tau_\alpha = 100$, $259$ and $1,065$. Bottom: $\lambda^+$ and $\lambda^-$ (y axis 0 to 0.15).]

Fig. 1. Evolution of parameters $\mu^-$, $\mu^+$, $\alpha$ and $\lambda$ as a function of $\tau$. Figure on the top: for each $\tau$ value, we compute $\mu^-$ (plain black line) and $\mu^+$ (colored black line) applying Eq. (1). Figure in the middle: for each $\tau$ value, we compute $\alpha^+$ (colored dashed lines) and $\alpha^-$ (colored plain lines) applying Eq. (3). The black dashed line corresponds to the $\alpha = 1$ threshold value. Figure at the bottom: for each $\tau$ value, we compute $\lambda^+$ (colored plain lines) and $\lambda^-$ (colored dashed lines) applying Eq. (6). In all cases, we assume that $W$ tends to infinity and thus use the cumulative Poisson distribution functions of parameters $\tau p_H$ and $\tau$, respectively. We fix $\varepsilon = 10^{-15}$. Red: $p_A = 0.1$, blue: $p_A = 0.2$ and green: $p_A = 0.3$.

TABLE I
Direct dependencies between the different parameters of the algorithm and system. For each parameter ($\alpha$, $\lambda$, $\mu$ and $W$), we represent the direct dependency with a checkmark. The checkmarks marked with an asterisk (blue in the original figure) for the $\alpha$ and $\lambda$ dependencies relate to the relation $r_{\max} = 3(\lfloor \alpha/\lambda \rfloor + 1)$ (see Theorem 3), while the others (black in the original figure) correspond to Eq. (5) or Eq. (2).

            α     λ     µ     τ     p_A   ε     r_max   W
    α       –     ✓*    ✓     ✓     ✓     ✓     ✓*      –
    λ       ✓     –     ✓     ✓     ✓     ✓     ✓*      –
    µ       –     –     –     ✓     ✓     ✓     –       –
    W       –     –     –     ✓     –     –     –       –

[Fig. 2: heat map of $\log_{10}(\tau)$ (color scale from 3 to 4) over $R_{\max}$ (100 to 200) and $p_A$ (0.1 to 0.3).]

Fig. 2. Logarithmic value of $\tau$ as a function of $R_{\max}$ and $p_A$ values. We set $\varepsilon = 10^{-15}$.

c) Parameter $\alpha$: We choose the value of parameter $\alpha$ as its minimum value that satisfies Condition (C2). We denote this value as $\alpha$. Hence,

$\alpha(\tau, \varepsilon, p_A, \mu) := \min\{\alpha \in [0, 1] \text{ s.t. Condition (C2) holds}\}.$ (2)

As parameter $\alpha$ is tightly linked to parameter $\mu$, we derive a maximal and a minimal bound for $\alpha$ from parameters $\mu^-$ and $\mu^+$, denoted by $\alpha^+$ and $\alpha^-$ respectively:

$\alpha^+(\tau, \varepsilon, p_A) := \alpha(\tau, \varepsilon, p_A, \mu^-)$ (3) and $\alpha^-(\tau, \varepsilon) := \alpha(\tau, \varepsilon, p_A, \mu^+).$ (4)

As illustrated in Figure 1, $\alpha(\tau, \varepsilon, \mu)$ may not be defined for too low values of $\tau$: Condition (C2) implies that $\alpha > 1$ for $\tau < \tau_\alpha = 1,065$ for $\mu = \mu_{\max}$ and $p_A = 1/3$, for instance. As expected, $\alpha$ decreases when $\mu$ increases, and conversely.

d) Parameter $\lambda$: We choose the value of parameter $\lambda$ as its maximal value that satisfies Condition (C4), and denote this value as $\lambda$. More precisely, let $y := (\tau, \varepsilon, p_A)$ be the vector whose respective entries are $\tau$, $\varepsilon$ and $p_A$. Then

$\lambda(y, \mu, \alpha) := \max\{\lambda \in [0, 1] \text{ s.t. Condition (C4) holds}\}.$ (5)

Again, as $\lambda$ is tightly related to parameters $\mu$ and $\alpha$, we get maximal and minimal bounds for $\lambda$, denoted $\lambda^+$ and $\lambda^-$ respectively, from parameters $\mu_{\min}$ and $\mu_{\max}$:

$\lambda^+(y) := \lambda(y, \mu^+, \alpha^-)$ and $\lambda^-(y) := \lambda(y, \mu^-, \alpha^+).$ (6)

Figure 1 provides some values for $\lambda^+$ and $\lambda^-$. Note that $\lambda^+$ and $\lambda^-$ are equal to zero when $\tau$ is less than a threshold value. This phenomenon can be explained by the fact that, if $\tau$ is too low, $N_u(t)$, the number of sets containing transaction $t$ at round 2, is equal to zero with high probability. Hence, $\lambda^+$ and $\lambda^-$ are null as well.

Theorem 3 relates the broadcast factor $\lambda$ to the maximal number of rounds $r_{\max}$ and parameter $\alpha$ through $r_{\max} = 3(\lfloor \alpha/\lambda \rfloor + 1)$. Hence, to ensure the lowest maximal round number $r_{\max}$, $\alpha$ must be chosen as low as possible while $\lambda$ must be chosen as high as possible.

Table I summarizes the relationships between the parameters of the algorithm and those of the system. Note that parameter $\mu$ can be set independently from $\alpha$ and $\lambda$, which is not the case for $\alpha$ and $\mu$.

e) Optimizing parameters: Optimizing the values of the parameters amounts to solving a constrained optimization problem. For instance, assuming that $\varepsilon$, $p_A$ and a maximal round number $R_{\max}$ are set by the user, parameter $\tau$ can be chosen as follows: let $x := (\varepsilon, p_A, R_{\max})$ be the vector of these parameters, and define

$\tau(x) := \min\{\tau \in \mathbb{N} \text{ such that } \mu^-(x) < \mu^+(x),\ \alpha \leq 1, \text{ and } r_{\max} < R_{\max}\}.$ (7)

Here, $\tau$ is chosen as the smallest value in order to minimize the number of committee members at each round of the algorithm. As far as the total stake amount $W$ in the system is concerned, $\tau$ also represents the minimal amount of stake that should be present in the system. Figure 2 illustrates the fact that parameter $\tau$ is tightly related to the maximal number of rounds, in the sense that $R_{\max}$ decreases when $\tau$ increases.
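The Poisson approximation of paragraph a) and the "holds with probability $1 - \varepsilon$" form of the conditions can be made concrete as follows. The Python code below is an added example and not the paper's code: it computes Poisson and binomial tails in log space (so that $\varepsilon = 10^{-15}$ is still resolved), checks the $\mathcal{B}(W, \tau/W) \to \mathcal{P}(\tau)$ approximation numerically, derives the upper bound on adversarial stake and the lower bound on honest stake that hold with probability $1 - \varepsilon$, and evaluates the round bound of Theorem 3. Conditions (C1) to (C4) themselves are not reproduced on this page, so stake_bounds only shows the generic concentration computation on which such conditions rest; the numerical values it is fed are constructed.

```python
import math

# Added example (not the paper's code): the large-W Poisson approximation of
# Section V-A, X ~ B(W, tau/W) -> Y ~ P(tau) and X^H ~ B(W, tau p_H/W) ->
# Y^H ~ P(tau p_H), plus the tail thresholds that "with probability 1 - eps"
# conditions are built on. Conditions (C1)-(C4) are not reproduced on this
# page; stake_bounds() only shows the generic computation. Inputs are constructed.


def _log_poisson_pmf(i: int, lam: float) -> float:
    """log P(Y = i), Y ~ P(lam), in log space to avoid under/overflow."""
    return -lam + i * math.log(lam) - math.lgamma(i + 1)


def _log_binom_pmf(i: int, n: int, p: float) -> float:
    """log P(X = i), X ~ B(n, p)."""
    return (math.lgamma(n + 1) - math.lgamma(i + 1) - math.lgamma(n - i + 1)
            + i * math.log(p) + (n - i) * math.log1p(-p))


def _upper_tail(log_pmf, k: int, mean: float, i_max: int) -> float:
    """P(Z >= k), summed upwards from k. Summing the tail directly (rather than
    1 - CDF) keeps precision for eps as small as 1e-15; the loop stops once it
    is past the mode and the terms no longer change the running total."""
    total, i = 0.0, k
    while i <= i_max:
        term = math.exp(log_pmf(i))
        total += term
        if i > mean and term < 1e-18 * max(total, 1e-300):
            break
        i += 1
    return min(total, 1.0)


def poisson_sf(k: int, lam: float) -> float:
    """P(Y >= k) for Y ~ P(lam)."""
    return 1.0 if k <= 0 else _upper_tail(lambda i: _log_poisson_pmf(i, lam), k, lam, 10**9)


def binom_sf(k: int, n: int, p: float) -> float:
    """P(X >= k) for X ~ B(n, p); used to check the Poisson approximation."""
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    return _upper_tail(lambda i: _log_binom_pmf(i, n, p), k, n * p, n)


def poisson_cdf(k: int, lam: float) -> float:
    """P(Y <= k) for Y ~ P(lam); the lower tail is summed directly."""
    if k < 0:
        return 0.0
    return min(sum(math.exp(_log_poisson_pmf(i, lam)) for i in range(k + 1)), 1.0)


def upper_bound_whp(lam: float, eps: float) -> int:
    """Smallest k with P(Y >= k) <= eps, i.e. Y < k with probability >= 1 - eps."""
    k = 0
    while poisson_sf(k, lam) > eps:
        k += 1
    return k


def lower_bound_whp(lam: float, eps: float) -> int:
    """Largest k with P(Y <= k) <= eps, i.e. Y > k with probability >= 1 - eps
    (-1 when not even Y > 0 can be guaranteed)."""
    k = -1
    while poisson_cdf(k + 1, lam) <= eps:
        k += 1
    return k


def stake_bounds(tau: float, p_a: float, eps: float):
    """(a, h) such that, each with probability >= 1 - eps, the adversarial stake
    selected in a round satisfies X^A < a and the honest stake X^H > h, using
    Y^A ~ P(tau p_A) and Y^H ~ P(tau p_H) with p_H = 1 - p_A."""
    return upper_bound_whp(tau * p_a, eps), lower_bound_whp(tau * (1.0 - p_a), eps)


def r_max(alpha: float, lam: float) -> int:
    """Round bound of Theorem 3: r_max = 3 (floor(alpha / lambda) + 1)."""
    return 3 * (math.floor(alpha / lam) + 1)


if __name__ == "__main__":
    # Constructed values: tau = 1000 selected stakes per round, p_A = 0.2, eps = 1e-15.
    print(stake_bounds(1000.0, 0.2, 1e-15))
    # Poisson vs binomial tail for W = 10^6, tau = 100: the two agree to ~1e-4.
    print(binom_sf(120, 10**6, 100 / 10**6), poisson_sf(120, 100.0))
```

The two bounds returned by stake_bounds are the quantities a Condition (C1)-style statement such as $X_1^A < \alpha\mu\tau$ or $X_{3r}^H \geq \mu\tau$ has to be checked against for a candidate $(\mu, \alpha)$; scanning $\tau$ upwards until both sides of such checks are satisfied is the search described by Eq. (7).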
VI. CONCLUSIONS

In this paper we have presented the design of a Byzantine tolerant consensus algorithm which, in the presence of a rushing adversary, guarantees that all correct users of the permissionless system decide on the same set of values with high probability $1 - \varepsilon$, with $\varepsilon \in (0, 1)$, in a bounded number of rounds. This algorithm deeply relies on ephemeral and numerous user identities to implement cryptographic sortition and short-lived committees. Our analysis aims at providing hints on the relationships between the different parameters of the algorithm. As future work, we plan to adapt our consensus algorithm to distributed ledgers whose structure is a directed acyclic graph of blocks.

REFERENCES

[1] Ittai Abraham and Dahlia Malkhi. The blockchain consensus layer and BFT. Bulletin of the European Association for Theoretical Computer Science, (123), 2017.
[2] G. Ateniese, I. Bonacina, A. Faonio, and N. Galesi. Proofs of space: When space is of the essence. In International Conference on Security and Cryptography for Networks (SCN), 2014.
[3] Bernardo David, Peter Gaži, Aggelos Kiayias, and Alexander Russell. Ouroboros Praos: An adaptively-secure, semi-synchronous proof-of-stake blockchain. In International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT), 2018.
[4] David Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–90, 1988.
[5] A. Durand, E. Anceaume, and R. Ludinard. StakeCube: Combining sharding and proof-of-stake to build fork-free secure permissionless distributed ledgers. In Proceedings of the International Conference on Networked Systems (NETYS), 2019.
[6] EOS.IO. Technical white paper v2, 2019. Accessed: 2019-03-10.
[7] Yossi Gilad, Rotem Hemo, Silvio Micali, Georgios Vlachos, and Nickolai Zeldovich. Algorand: Scaling Byzantine agreements for cryptocurrencies. In Proceedings of the 26th Symposium on Operating Systems Principles (SOSP '17), pages 51–68, New York, NY, USA, 2017. Association for Computing Machinery.
[8] Intel. Hyperledger Sawtooth description, 2019. Accessed: 2019-03-10.
[9] Lucien Le Cam. An approximation theorem for the Poisson binomial distribution. Pacific Journal of Mathematics, 10(4):1181–1197, 1960.
[10] S. Micali, M. Rabin, and S. Vadhan. Verifiable random functions. In 40th Annual Symposium on Foundations of Computer Science (FOCS), 1999.
[11] Tal Moran and Ilan Orlov. Proofs of space-time and rational proofs of storage. Cryptology ePrint Archive, Report 2016/035, 2016.
[12] S. Nakamoto. Bitcoin: A peer-to-peer electronic cash system. www.bitcoin.org, 2008.