Verifying the Hashgraph Consensus Algorithm
Karl Crary
Carnegie Mellon University
Abstract
The Hashgraph consensus algorithm is an algorithm for asynchronous Byzantine fault tolerance intended for distributed shared ledgers. Its main distinguishing characteristic is that it achieves consensus without exchanging any extra messages; each participant's votes can be determined from public information, so votes need not be transmitted.

In this paper, we discuss our experience formalizing the Hashgraph algorithm and its correctness proof using the Coq proof assistant. The paper is self-contained; it includes a complete discussion of the algorithm and its correctness argument in English.
1 Introduction

Byzantine fault tolerance is the problem of coordinating a distributed system while some participants may maliciously break the rules. Often other challenges are also present, such as unreliable communications. The problem is at the center of a variety of new applications such as cryptocurrencies. Such applications rely on distributed shared ledgers, a form of Byzantine fault tolerance in which a set of transactions is assigned a place in a globally agreed total order that is immutable.
The latter means that once a transaction enters the order, no new transaction can enter at an earlier position.

A distributed shared ledger makes it possible for all participants to agree, at any point in the order, on the current owner of a digital commodity such as a unit of cryptocurrency. A transaction transferring ownership is valid if the commodity's current owner authorizes the transaction. (The authorization mechanism, presumably using a digital signature, is beyond the scope of the ledger itself.) Because the order is total, one transaction out of any pair has priority. Thus we can show that a commodity's chain of ownership is uniquely determined. Finally, because the order is immutable, the chain of ownership cannot change except by adding new transactions at the end.

Algorithms for Byzantine consensus (under various assumptions) have existed for some time, indeed longer than the problem has been named [12, 9]. Practical algorithms are more recent; in 1999, Castro and Liskov [6] gave an algorithm that, when installed into the NFS file system, slowed it by only 3%. As Byzantine consensus algorithms have become more practical, they have been tailored to specific applications. Castro and Liskov's algorithm was designed for fault-tolerant state machine replication [13] and probably would not perform well under the workload of a distributed shared ledger. However, in the last few years there have arisen Byzantine fault-tolerance algorithms suitable for distributed shared ledgers, notably HoneyBadgerBFT [10], BEAT [7], and, the subject of this paper, Hashgraph [2]. Moreover, the former two each claim to be the first practical asynchronous
BFT algorithm (with different standards of practicality). Hashgraph does not claim to be first, but it is also practical and asynchronous.

In parallel with that line of work has been the development of distributed shared ledgers based on proof of work, beginning with Bitcoin [11]. The idea behind proof of work is to maintain agreement on the ledger by maintaining a list of blocks of transactions, and to ensure that the list does not become a tree. To ensure this, the rules state that (1) the longest branch defines the list, and (2) to create a new block, one must first solve a mathematical problem that takes the list's old head as one of its inputs. The problem's solution is much easier to verify than to obtain, so when one learns of a new block, one's incentive is to restart work from the new head rather than continue work from the old head.

Bitcoin and some of its cousins are widely used, so in a certain sense they are indisputably practical. They are also truly permissionless, in a way that the BFT algorithms, including Hashgraph, cannot quite claim. Nevertheless, they offer severely limited throughput. Bitcoin is limited to seven transactions per second and has a latency of one hour, while its BFT competitors all do several orders of magnitude better. Proof-of-work systems are also criticized for being wasteful: an enormous amount of electricity is expended on block-creation efforts that nearly always fail. Finally, and more to the point of this paper, the theoretical properties of proof of work are not well understood.

The Hashgraph consensus algorithm is designed to support high-performance applications of a distributed shared ledger. Like the other BFT systems, it is several orders of magnitude faster than proof of work. Actual performance depends very much on configuration choices (e.g., how many peers, geographic distribution, tradeoff between latency and throughput, etc.), but in all configurations published in Miller et al. [10] (for HoneyBadgerBFT) and Duan et al.
[7] (for BEAT), the Hashgraph algorithm equals or exceeds the published performance figures [4]. A frequently cited throughput goal is to equal the Visa credit-card network. According to Visa's published figures, Hashgraph can handle Visa's average load and is in the ballpark of Visa's claimed surge capacity.

The key to the Hashgraph algorithm's performance is achieving nearly zero communications overhead. Previous BFT systems exchange messages to achieve consensus, but Hashgraph does not. In Hashgraph, no peer sends any messages it did not intend to send anyway. Moreover, the overhead in each message it does send is light; each message consists mostly of transactions that are new to the recipient. In addition to the transaction payload, a message contains an array of sequence numbers (to keep track of which blocks each peer has seen), and the information needed by consensus: just two hashes, a digital signature, and a timestamp.

In the Hashgraph algorithm, peers achieve consensus by voting, but each vote is fully determined by publicly available information, so peers can determine each other's votes without communicating with them. This allows the consensus election to be carried out virtually, with no extra messages exchanged. There is no magic here; it still takes multiple cycles of communication to achieve consensus, but every message is just an ordinary block filled with new transactions. Thus, consensus is essentially invisible from a throughput perspective.

Another advantage of the Hashgraph algorithm is that it requires no sophisticated cryptography. The only requirements are digital signatures and cryptographic hashes, both of which are now commonplace and have highly optimized implementations available.
This work
The Hashgraph consensus algorithm has been realized as a large-scale, open-access, commercial system called Hedera [3], so there is considerable interest in machine-verifying that it is correct. In this paper, we discuss the first steps toward doing so. Using the Coq proof assistant [5], we formalized the batch-mode algorithm given in Baird [2] and developed a machine-checkable proof of its correctness. As usual when one formalizes a human-language proof, we found a few errors, but they were minor and easily corrected. (As it happens, none of the minor errors we found appear to affect the implemented online algorithm.) The algorithm implemented in Hedera is an online algorithm, inspired by the batch-mode algorithm discussed here, but obviously a bit different. We will discuss some of the differences in Section 5.

We begin by giving an informal overview of the algorithm, to build intuition. Then we give a human-language mathematical definition of the algorithm and prove its properties, in Section 2. We discuss the formalization in Coq starting in Section 3.

A hashgraph is a directed graph that summarizes who has said what to whom. Each peer maintains a hashgraph reflecting the communications it is aware of. In general, each peer knows a different subset of the true graph, but because of digital signatures and cryptographic hashes, they cannot disagree about the information they have in common.

The nodes of a hashgraph are events. Each event is created by a particular peer. Except for each peer's initial event, each event has two parents. One parent has the same creator (we call that one the self-parent), and the other has a different creator (we call it the other-parent). Honest peers do not create forks, where a fork is defined as two events with the same creator in which neither is a self-ancestor of the other. (A self-ancestor is an ancestor using only self-parent edges.) In other words, the events created by an honest peer will form a chain.

[Figure 1: A Hashgraph. Events A1-A2 (Alice), B1-B5 (Bob), C1-C3 (Cathy), and D1-D2 (Dave); time flows from left to right.]

We can visualize a hashgraph as shown in Figure 1. In this example, all peers are behaving honestly.

In the Hashgraph network, each peer periodically chooses another at random and sends that peer its latest event. The recipient then creates a new event, with its own latest event as self-parent and the event it just received as other-parent. Every event is digitally signed, so there can be no dispute over who created it. Each event also contains the hashes of its two parents, so there is no dispute over parentage either. The recipient of the event will request from the sender any of the event's ancestors that it does not have. (For simplicity, we will ignore that part of the protocol in what follows.) The recipient also puts a timestamp into the event, which is ultimately used to determine a consensus timestamp for other events.

Finally, each event contains a payload of transactions. When a peer wishes to inject a new transaction into the network, it stores it in a buffer of outgoing transactions. The next time it creates an event (this happens multiple times per second), it uses the contents of its buffer as the new event's payload. Transactions are just along for the ride in the consensus algorithm, so we will discuss them little.

In the example, Dave sent D1 to Cathy, resulting in Cathy creating C2. Then Cathy sent C2 back to Dave, resulting in Dave creating D2. Bob sent B1 to both Alice and Cathy, resulting in A2 and C3. At about the same time, Alice sent A1 to Bob, resulting in B2. Alice sent A2 to Bob, resulting in B3. Cathy sent C3 to Bob, resulting in B4. Finally, Dave sent D2 to Bob, resulting in B5.

The algorithm partitions events into rounds, in a manner that is easy for all peers to agree on.
The first event created by a peer in a round is called a witness. (Note that dishonest peers may have multiple witnesses in a single round.) A witness that is quickly propagated to most peers is called famous. Identifying the famous witnesses is the main job of the consensus algorithm.

Each round, the algorithm selects one famous witness from each peer that has one to be a unique famous witness. An honest peer will have at most one witness per round, so if that witness turns out to be famous, it will also be unique. If a dishonest peer happens to have multiple famous witnesses, one of them is selected.

We say that an event has been received by the network in the first round in which it is an ancestor of all the unique famous witnesses. The round received is the primary determiner of an event's place in the order. Ties are broken using a consensus timestamp that is computed using the unique famous witnesses. Any remaining ties are broken in an arbitrary but deterministic way. Finally, the ordering of transactions is determined by the ordering of the events in which they reside, with transactions in the same event ordered by their position in the payload.
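The "round received" rule just described can be sketched in a few lines of Python. This is purely our illustration; the data layout, the function names, and the toy ancestry relation are our own assumptions, not part of the paper:

```python
# Hypothetical sketch: an event is "received by the network" in the first
# round whose unique famous witnesses are all descendants of that event.
def round_received(event, unique_famous_by_round, is_ancestor):
    """unique_famous_by_round: round number -> list of unique famous witnesses.
    is_ancestor(a, b): True when a is a (non-strict) ancestor of b."""
    for rnd in sorted(unique_famous_by_round):
        witnesses = unique_famous_by_round[rnd]
        if witnesses and all(is_ancestor(event, w) for w in witnesses):
            return rnd
    return None  # not yet received in any known round

# Toy ancestry relation: "x" has reached w1, w2, and u3, but not w0.
DESCENDANTS = {"x": {"w1", "w2", "u3"}}
is_anc = lambda a, b: b in DESCENDANTS.get(a, set())

# Round 0 fails (w0 is not a descendant); round 1 is the first fully covered.
assert round_received("x", {0: ["w0"], 1: ["w1", "w2"], 2: ["u3"]}, is_anc) == 1
```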
2 The Algorithm

We will begin by reviewing the Hashgraph consensus algorithm [2], and defer discussion of the formalization until Section 3. We will develop the algorithm in pieces, establishing the properties of those pieces as we go. But first, the algorithm relies on the following assumptions:

1. The network is asynchronous. However, the adversary cannot disconnect honest peers indefinitely; every honest peer will eventually communicate with every other honest peer.

2. Every peer can determine any event's creator and parents. In the real world, this assumption means that the adversary has insufficient computing power to forge a digital signature, or to find two events with the same hash.

3. A supermajority (defined to mean more than two-thirds) of the peers are honest.

4. The coin mechanism discussed below satisfies a probability assumption. (Section 2.4.1.)

5. Various uncontroversial mathematical assumptions hold. These are discussed in Section 3. For example, the parent relation is well-founded. These assumptions would ordinarily go unremarked, but formal verification requires that they be specified.

For convenience, we will also assume that there are at least two peers. (If there is only one peer, the consensus problem is trivial.)

Suppose x and y are events. We will write x ≤ y when x is a (non-strict) ancestor of y, and x < y when x is a strict ancestor of y. We say x is a self-ancestor of y (and write x ⊑ y) when x is an ancestor of y using only self-parent edges, and we write x ⊏ y for the strict version. In all cases, note that the older event is on the left.

We will refer to events created by an honest peer as honest events. We will refer to a set of events whose creators constitute a supermajority of the peers as a supermajor set.
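Since "more than two-thirds" is strict, it is worth being precise about the threshold. The one-line helper below is ours, not the paper's, and simply makes the arithmetic unambiguous:

```python
def is_supermajority(k: int, n: int) -> bool:
    """True when k peers are strictly more than two-thirds of n peers."""
    return 3 * k > 2 * n

# With 4 peers, 3 suffice but 2 do not; with 6 peers, exactly 5 are needed.
assert is_supermajority(3, 4) and not is_supermajority(2, 4)
assert is_supermajority(5, 6) and not is_supermajority(4, 6)
```

Working with the inequality 3k > 2n avoids any floating-point rounding at the boundary.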
We will take N to be the total number of peers.

2.1 Strongly Seeing

Recall that events x and y form a fork if they have the same creator, and neither x ⊑ y nor y ⊑ x. Note that forks are defined so that no event forms a fork with itself. The main property of honest peers is that they never create forks.

We say that y sees x (written x ⊴ y) if (1) x ≤ y and (2) there does not exist any fork z, z′ such that z, z′ ≤ y and creator(x) = creator(z). Sees is the same as ancestor except that when an event observes a fork, it blacklists the fork's creator and will see none of the fork's creator's events.

This brings us to the algorithm's main technical concept:

Definition 2.1
We say that y strongly sees x (written x ≪ y) if there exists a supermajor set Z such that for all z ∈ Z, x ⊴ z ≤ y.

Informally, for y to strongly see x means that x has made its way to most of the network, within the subgraph visible to y, with hardly anyone observing x's creator cheat.

For example, consider Figure 1. Every peer is behaving honestly, so every ancestor is seen. Then we can say that B4 strongly sees B1, using A2, B4, and C3 as intermediaries. (B4 has no intermediary on Dave, but it does not need one. Three intermediaries is enough, since 3 > 2/3 · 4.)

Lemma 2.2

1. If x ≪ y then x < y.
2. If x ⊑ y ≪ z then x ≪ z.
3. If x ≪ y ≤ z then x ≪ z.

Proof
For (1), suppose x ≪ y. We can immediately see that x ≤ y, but we must also show x ≠ y. Since y strongly sees x, there must be intermediaries on a supermajority of peers, at least one of which must not be y's creator. (Since we assume there are at least two peers, a supermajority is at least two.) Let z be one such. Then x ⊴ z < y, so x < y.

For (2), observe that x ⊑ y ⊴ z implies x ⊴ z, since x and y have the same creator, so any fork on x's creator is a fork on y's creator. (3) is immediate by transitivity of ancestor.

We can now state the main technical lemma, which states that at most one side of a fork can be strongly seen, even by different events:

Lemma 2.3 (Strongly Seeing)

Suppose x ≪ v and y ≪ w. Then x and y do not form a fork.

Proof
Let Z = {z | x ⊴ z ≤ v} and Z′ = {z′ | y ⊴ z′ ≤ w}. By the definition of strongly-sees, Z and Z′ are supermajor sets. Also recall that a supermajority of peers are honest. Any three supermajorities have an element in common. Therefore there exist events z ∈ Z and z′ ∈ Z′ such that z and z′ share the same creator, and that creator is honest. Since their creator is honest, either z ⊑ z′ or z′ ⊑ z. Assume the latter. (The former case is similar.) Then x, y ≤ z. Thus x and y cannot form a fork, since x ⊴ z requires that no fork on x's creator appear in z's ancestry.

The definition of strongly-sees limits the influence of dishonest peers, since at most one side of a fork can be strongly seen. This is helpful in various ways; one important way is that it prevents dishonest peers from obtaining extra votes in an election by creating extra witnesses, since votes must be strongly seen to count.

2.2 Rounds

Every event is assigned to a round. (Note that the round an event belongs to is different from the round in which it is received by the network.) Initial events belong to round zero. For a non-initial event x, let i be the maximum of x's parents' rounds. Then x belongs to round i, unless x strongly sees round-i events on a supermajority of peers, in which case x belongs to round i + 1.

For example, consider Figure 1. A1, B1, C1, and D1 are initial events, so they belong to round 0. For every other event, the maximum of the parents' rounds is 0. Thus, every other event also belongs to round 0, except B5. As noted above, B4 can strongly see B1 and D1, but not A1 or C1, so it remains in round 0. However, B5 strongly sees B1, C1, and D1, so it advances to round 1.

The first event in a round on each peer (or first events, in the case of a dishonest peer) are called witnesses. Witnesses are the events that can cast votes in an election. In Figure 1, the witnesses are A1, B1, C1, and D1 (round 0), and B5 (round 1).

Note that if a peer has not heard from anyone in a while, it is possible for it to skip one or more rounds when it catches up.
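The round assignment can be checked mechanically on the Figure 1 graph. The sketch below is our own encoding of the example; since no peer forks in this example, "sees" coincides with "ancestor", so strongly-seeing reduces to counting the creators of intermediaries:

```python
from functools import cache

PEERS = ["Alice", "Bob", "Cathy", "Dave"]
N = len(PEERS)

# Figure 1: event -> (creator, [self-parent, other-parent]).
GRAPH = {
    "A1": ("Alice", []), "B1": ("Bob", []),
    "C1": ("Cathy", []), "D1": ("Dave", []),
    "A2": ("Alice", ["A1", "B1"]), "B2": ("Bob", ["B1", "A1"]),
    "B3": ("Bob", ["B2", "A2"]), "C2": ("Cathy", ["C1", "D1"]),
    "C3": ("Cathy", ["C2", "B1"]), "D2": ("Dave", ["D1", "C2"]),
    "B4": ("Bob", ["B3", "C3"]), "B5": ("Bob", ["B4", "D2"]),
}

def ancestors(e):
    """Non-strict ancestors of e (e itself included)."""
    out, stack = set(), [e]
    while stack:
        x = stack.pop()
        if x not in out:
            out.add(x)
            stack.extend(GRAPH[x][1])
    return out

def supermajor(creators):
    """Strictly more than two-thirds of the peers."""
    return 3 * len(set(creators)) > 2 * N

def strongly_sees(x, y):
    """x << y: intermediaries z with x <= z <= y on a supermajority of peers
    (valid here only because the example contains no forks)."""
    mids = [z for z in ancestors(y) if x in ancestors(z)]
    return supermajor(GRAPH[z][0] for z in mids)

@cache
def round_of(e):
    _, parents = GRAPH[e]
    if not parents:
        return 0                     # initial events belong to round 0
    i = max(round_of(p) for p in parents)
    # Creators of round-i events that e strongly sees:
    seen = {GRAPH[w][0] for w in ancestors(e) - {e}
            if round_of(w) == i and strongly_sees(w, e)}
    return i + 1 if supermajor(seen) else i

assert round_of("B5") == 1
assert all(round_of(e) == 0 for e in GRAPH if e != "B5")
```

As the text notes, B4 strongly sees round-0 events only on Bob and Dave (two peers, short of a supermajority), while B5 strongly sees round-0 events on Bob, Cathy, and Dave, and therefore advances.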
Because of such skipping, a peer might not have a witness in any particular round. Conversely, a dishonest peer can have multiple witnesses in a round, but (by Lemma 2.3) at most one of them can be strongly seen.

Two important properties of rounds follow more-or-less directly:
Lemma 2.4
Suppose i < j and x belongs to round j. Then there exists a supermajor set of round-i witnesses W such that for all w ∈ W, w ≪ x.

Lemma 2.5

Suppose x and y are events. If there exists a supermajor set W such that for all w ∈ W, x ≤ w ≪ y, then y's round is strictly later than x's round.

The main property we wish to establish about rounds is progress, which says that every round is inhabited.
Lemma 2.6 (Broadcast)
Suppose x is an honest event. Then there exists an honest event y such that, in its ancestry, x has reached every honest peer. That is, for every honest peer a, there exists z created by a such that x ≤ z ≤ y.

Proof Sketch
By induction on the number of honest peers, using the assumption that every honest peer eventually communicates with every other honest peer.
Lemma 2.7 (Progress)
Every round is inhabited.
Proof
We prove the stronger property that for every round i, there exists an inhabitant of some round j ≥ i. The inhabitant can then be wound back to round i using Lemma 2.4.

The proof is by induction on i. The case i = 0 is immediate, so suppose i > 0. By induction there exists an inhabitant x of round i − 1. Using Lemma 2.6, there exists y such that x has reached every honest peer in y's ancestry. And again, there exists z such that y has reached every honest peer in z's ancestry.

Suppose a is an honest peer. We show that there exists v created by a such that x ≤ v ≪ z. Since the honest peers constitute a supermajority, it then follows by Lemma 2.5 that z's round is later than i − 1, and is thus at least i.

By the specification of y, there exists v created by a such that x ≤ v ≤ y. It remains to show v ≪ z. For every honest peer b, by the specification of z there exists w created by b such that y ≤ w ≤ z. Since a is honest, v ⊴ w ≤ z. Since the honest peers constitute a supermajority, v ≪ z.

2.3 Fame

One cannot use the raw witnesses to determine the round an event was received by the network, because one can never be sure that one has observed all the witnesses. Instead, we will use the notion of a famous witness; eventually everyone will know all the famous witnesses in any given round. The main function of the consensus algorithm is to determine which witnesses are famous.

Fame is determined by an election. Votes are cast by witness events, not by peers. This is important because one peer has no way of knowing what another peer knows. In contrast, if a peer is aware of an event at all, it knows that event's entire ancestry. Thus, if voting is deterministic, each witness's vote can be determined by everyone who is aware of the witness, without any additional communication. However, votes will be "collected" only from strongly-seen witnesses, so there can be at most one meaningful voter per peer per round.

We will refer to the witness whose fame is being determined as the candidate, and each witness that is casting votes on the candidate's fame as the voter.
The election begins d rounds after the candidate's round, where d is a parameter that is at least 1. Thus if the candidate belongs to round i, the voters in the first round of the election belong to round i + d.

In the first round of an election, each voter will vote yes if the candidate is among its ancestors. (In essence, you think someone is famous if you have heard of them.) In successive rounds, each voter votes the way it observed the majority vote in the previous round.

We say that a round of an election is nearly unanimous if voters on a supermajority of peers vote the same way. (Note that this is a stronger condition than merely a supermajority of the voters, since some peers might not be voting.) If a voter ever observes a nearly unanimous result in the previous round, then the vote in the current round will be unanimous. Clearly, once the election becomes unanimous, it will stay so. Thus we can end the election as soon as any event observes a nearly unanimous result in the previous round.

2.4 Coins
Under normal circumstances, this process will come to consensus quickly, but an adversary with sufficient control of the network can prevent it. Deterministically, the problem is insurmountable [8], but, as usual, it can be solved with randomization.

Every c rounds (a parameter at least d + 3), the election will employ a coin round: every voter who sees a nearly unanimous result in the previous round will continue to vote with the majority. However, the remaining voters will determine their votes using a coin flip. All the voters who saw a nearly unanimous result will certainly vote the same way, and eventually, by chance, the coin flippers will also vote that way. The following round, every voter will see a unanimous result and the election will end.

Definition 2.8 (Voting)

Suppose x is a round i witness and y is a round j witness, with i + d ≤ j. Then vote(x, y) (that is, y's vote on x's fame) and election(x, y, t, f) (that is, the votes on x's fame observed by y are t yeas and f nays) are defined simultaneously as follows:

• If i + d = j, then vote(x, y) is yes if x ≤ y, and no otherwise.

• If i + d < j and (j − i) mod c ≠ 0 and election(x, y, t, f), then vote(x, y) is yes if t ≥ f, and no otherwise.

• If i + d < j and (j − i) mod c = 0 and election(x, y, t, f), then:

    vote(x, y) =  yes        if t > 2/3 · N
                  no         if f > 2/3 · N
                  coin(y)    otherwise

• If i + d < j, then election(x, y, t, f) holds if and only if:

    W = {w | w is a round j − 1 witness and w ≪ y}
    t = |{w ∈ W | vote(x, w) = yes}|
    f = |{w ∈ W | vote(x, w) = no}|

In the above definition, coin(y) is a pseudo-random coin flip computed by drawing a bit from the middle of a cryptographic hash of y. It is important that the coin flip is pseudo-random, not truly random, so that other peers can reproduce it.

Definition 2.9 (Decision)
Suppose x is a round i witness and y is a round j witness, where i + d < j and j is not a coin round (that is, (j − i) mod c ≠ 0). Suppose further that election(x, y, t, f). Then y decides β on x's fame (written decide(x, y, β)) if t > 2/3 · N and β = yes, or if f > 2/3 · N and β = no.

The outcome of the election is determined as soon as any peer decides, but other peers might not realize it right away.
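Definitions 2.8 and 2.9 can be illustrated with a small idealized sketch. The simplifying assumptions here are ours: one witness per peer per round, with every witness strongly seeing all of the previous round's witnesses, so an election round is just a list of booleans:

```python
N, d, c = 4, 1, 10   # 4 peers; first votes come d rounds after the candidate

def next_vote(prev_votes, coin_round=False, coin_bit=False):
    """Definition 2.8 for a voter that strongly sees all previous witnesses."""
    t, f = prev_votes.count(True), prev_votes.count(False)
    if not coin_round:
        return t >= f                  # ordinary round: majority, ties to yes
    if 3 * t > 2 * N:
        return True                    # coin round: a supermajority sticks
    if 3 * f > 2 * N:
        return False
    return coin_bit                    # otherwise use the (pseudo-random) coin

def decision(prev_votes):
    """Definition 2.9: decide on a supermajority, outside coin rounds."""
    t, f = prev_votes.count(True), prev_votes.count(False)
    if 3 * t > 2 * N:
        return True
    if 3 * f > 2 * N:
        return False
    return None                        # no decision yet

# A candidate seen by 3 of the 4 first-round voters is decided famous,
# and every later vote is yes.
first_round = [True, True, True, False]
assert decision(first_round) is True
assert next_vote(first_round) is True
```

A 2-2 split, by contrast, yields no decision, and in a coin round such a split falls through to the coin bit.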
For the algorithm to work, we require four properties:

1. Decisions are pervasive: once one peer decides someone's fame, that decision propagates to every other peer. (Corollary 2.11.)

2. Every round will have at least one famous witness. (Theorem 2.13.)

3. Late arrivals are not famous: if a witness is not well disseminated within d + 1 rounds (the earliest a decision can be made), it will not be famous. (Corollary 2.15.)

4. Termination: eventually every witness will have its fame decided. (Theorem 2.17.) (Termination is an important theoretical property, but as a practical matter, in the unlikely event an adversary has enough control over the network to force coin rounds, it will be able to grind the algorithm to a halt for a number of rounds exponential in the number of peers.)

Lemma 2.10 (Decision-Vote Consistency)

Suppose w, x, and y are witnesses, where x and y belong to the same round. If decide(w, x, β) and vote(w, y) = β′, then β = β′.
Proof
Let j be the round of x and y. Observe that vote(w, y) is given by the second case of the definition of voting. Unpacking the definitions, let election(w, x, t, f) and election(w, y, t′, f′). For an event z, let V_z = {v | v is a round j − 1 witness and v ≪ z}.

Suppose β = yes. (The other case is similar.) Then |T| > 2/3 · N, where T = {v ∈ V_x | vote(w, v) = yes}. Thus T is a supermajor set. By Lemma 2.4, V_y is also a supermajor set. Observe that T and V_y are both sets of round j − 1 witnesses, and (by Lemma 2.3) each peer contributes at most one strongly-seen witness to such a set. Consequently the members of V_y that lie in T outnumber those that do not, and T all vote yes. Hence t′ > f′, so β′ = yes.

Note that the proof illustrates why decisions cannot be made in coin rounds. In a coin round, y would have to see a supermajority to determine its vote, not merely a majority, and we cannot guarantee a supermajority. Thus the lemma would fail to hold.

Corollary 2.11 (Propagation)
Suppose x makes a decision on w. Then in every round after x's, except coin rounds, every witness decides the same way as x did.

Proof Sketch
Let j be the round of x. By Lemma 2.10, every witness in round j votes β. It is easy to see that unanimity persists. Thus every witness in any round after j decides β, unless it is prohibited from doing so because it is a coin round.

An easy corollary is that all decisions agree:

Corollary 2.12 (Consistency)
Suppose decide(w, x, β) and decide(w, y, β′). Then β = β′.

Proof
Let z be a witness in a round later than x's and y's that is not a coin round. (Such a witness exists by Lemma 2.7.) By Corollary 2.11, decide(w, z, β) and decide(w, z, β′). Hence β = β′.

Theorem 2.13 (Existence)
Every round has at least one famous witness.
Proof

If S is a set of events, define

    backward(j, S) = {w | w is a round j witness and ∃v ∈ S. w ≪ v}.

Suppose S is an inhabited set of round k witnesses and j < k. By Lemma 2.4, 2/3 · N < |backward(j, S)| ≤ N.

Let i be arbitrary, and let z be an arbitrary witness in round i + d + 2. Then let:

    S3 = {z}
    S2 = backward(i + d + 1, S3)
    S1 = backward(i + d, S2)
    S0 = backward(i, S1)

Now consider a bipartite graph between S0 and S1, where there is an edge between x ∈ S0 and y ∈ S1 if x ≤ y. Since strongly-seeing implies ancestor, Lemma 2.4 tells us that every event in S1 is the terminus of more than 2/3 · N edges. Thus there are over 2/3 · N · |S1| edges in total. Since there are at most N events in S0, by the pigeonhole principle there is at least one event in S0 that is the origin of over 2/3 · |S1| edges. Let x be such an event. We will show that x is famous.

By the above, x is an ancestor of over two-thirds of the events in S1. Thus, over two-thirds of S1 will vote yes. We claim that every event in S2 will vote yes. It follows that z will decide yes. (We know i + d + 2 will not be a coin round, since c ≥ d + 3 by assumption.)

Suppose y ∈ S2. The events sending votes to y are exactly backward(i + d, {y}) and, as above, 2/3 · N < |backward(i + d, {y})|. Thus, the events in S1 voting yes and the events in S1 sending votes to y each constitute more than two-thirds of S1, so they have a majority in common. Thus y will see more yeas than nays, and will vote yes itself.

Lemma 2.14

If vote(x, y) = yes, then x ≤ y.

Proof Sketch
By well-founded induction on y using the strict-ancestor order (<). In the first voting round, a voter will vote yes only if it is a descendant of x. Thereafter, a voter cannot vote yes without receiving some yes votes (half in regular rounds and a third in coin rounds), and one only receives votes from ancestors.

Corollary 2.15 (No Late Fame)
Suppose x is a round i witness and y is a round j witness, where i + d < j and (j − i) mod c ≠ 0. If x ≰ y, then decide(x, y, no).

Proof
Any voter sending votes to y must be an ancestor of y, and therefore it cannot be a descendant of x. Thus, by Lemma 2.14, y will see only no votes. Since j is a round in which one is permitted to decide, y will decide no.

2.4.1 The Probability Assumption

The delicate aspect of the termination proof is the probability assumption. There are two things going on in the probability assumption.

The first is just a fact from probability: with probability one, a sequence of independent random variables, each with a finite range (in our case an N-tuple of booleans), will eventually hit a target value, provided that target is specified in such a way as to make reference only to earlier values in the sequence. (Without the proviso, one could prevent hitting the target by just setting the target to any value other than the one obtained.)

The second is more subtle. We assume that the above holds even though coin flips are not actually random. That is, we assume that the coin flip, which is actually pseudo-random, behaves on honest peers as though it really is random. Certainly any peer can easily dictate an event's coin flip (which is drawn from a cryptographic hash of the event) by tweaking the event's payload, but we assume honest peers will not do that. Beyond that, in principle the adversary might orchestrate the network in order to control the payloads and thereby dictate the coin flips. We assume that it has insufficient computing power to do so, or at least that it cannot do so forever.

We will not reason explicitly about probability. Instead, we will simply assume that the coins eventually agree with the target value. Put more precisely, we assume there is a sample space that dictates random outcomes. Rather than equip the sample space with a measure and assume, or prove, that agreement takes place in a subset of measure 1, we will instead just restrict our attention to points in the sample space in which agreement takes place. This is formalized in Section 3.6.
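The pseudo-random coin itself needs no special machinery. The sketch below is our own illustration (the choice of SHA-256, the serialization, and which middle bit to draw are all our assumptions); its point is simply that any peer holding the same event bytes reproduces the same flip:

```python
import hashlib

def coin(event_bytes: bytes) -> bool:
    """A deterministic 'coin flip' drawn from the middle of a hash."""
    digest = hashlib.sha256(event_bytes).digest()
    middle_byte = digest[len(digest) // 2]     # byte 16 of the 32-byte digest
    return bool((middle_byte >> 4) & 1)        # one bit from its middle

# Deterministic: the same event bytes always yield the same flip.
assert coin(b"some event") == coin(b"some event")
```

Because the bit depends on the event's contents, the creator could bias it by tweaking the payload, which is exactly the caveat discussed above.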
Lemma 2.16 (Good Coins)
Suppose x is a round i witness. Then there exists a round j > i, a round j witness y, and a boolean β such that:

1. (j − i) mod c = 0,
2. β = yes if and only if y receives at least as many yes votes for x as no votes, and
3. for all honest round j witnesses w, coin(w) = β.

Proof Sketch
We construct our sequence by looking at every c-th round starting at i + c. So let r_k = i + c · (k + 1). Suppose round r_k has m_k honest witnesses. Note that m_k is at most the number of honest peers. Let X_k be the m_k-tuple consisting of the coin for every honest round r_k witness.

For every k, let y_k be an arbitrary round r_k witness. Let β_k = yes if and only if y_k receives at least as many yes votes on x as no votes. Let the target T_k be the m_k-tuple in which every element is β_k.

By the probability assumption, there exists k such that X_k = T_k. Let j = r_k, y = y_k, and β = β_k. The required properties hold by construction.

Theorem 2.17 (Termination)
For every witness x, there exists z and β such that decide(x, z, β).

Proof
Let i be the round of x. Let j, y, and β be as given by Lemma 2.16. We claim that every round j vote will be β. Then, let z be an arbitrary round j + 1 witness. By Lemma 2.4, z receives votes from a supermajor set, and j + 1 is not a coin round, so decide(x, z, β).

To show the claim, suppose w is a round j witness. If w uses its coin, the result is immediate. Suppose, instead, w receives a supermajority. As we have seen before, when there is a supermajority, every witness (in particular, y) will receive a majority that agrees with the supermajority, and y receives a majority of β. Thus, the supermajority that w receives (and therefore w's vote) must be β.

At this point we know that all peers can agree on the identity of the famous witnesses: for any given witness, eventually someone will decide (Theorem 2.17). Once someone decides, everyone else will make the same decision in short order (Corollary 2.11). Once a peer has settled the fame of every witness it has heard of, it can consider itself done, since any additional witnesses it hasn't heard of are guaranteed not to be famous (Corollary 2.15). Moreover, at least one famous witness will exist (Theorem 2.13).

At this point the real work is done. Next, we identify at most one famous witness per peer as a unique famous witness.
If a peer has only one famous witness (as will always be the case for honest peers), that famous witness will be unique. In the unlikely event that a peer has multiple famous witnesses, one of them is chosen to be unique in an arbitrary but deterministic manner. (Textual comparison of the data that expresses the event will do fine.)

Then, using the unique famous witnesses, we define an event's round received:

Definition 2.18 Suppose x is an event. The round x is received by the network is the earliest round i for which all the round-i unique famous witnesses are descendants of x.

Suppose x is an event that is received in round i. We compute the consensus timestamp for x as the median of the timestamps assigned to x by the unique famous witnesses of round i. (If there is an even number of unique famous witnesses, we take the median to be the smaller of the two central elements. This provides the useful property that the consensus timestamp is the timestamp from some particular peer.)

Suppose y is a round-i unique famous witness. The timestamp y assigns to x is the timestamp of the earliest z such that x ≤ z ⊑ y. Note that z certainly exists, since x ≤ y, and that z is uniquely defined since the self-ancestors of y are totally ordered. We can now define the consensus order:
Definition 2.19
Suppose x and y are events. Let i and i′ be the rounds x and y are received by the network. Let t and t′ be the consensus timestamps of x and y. Then x precedes y in the consensus order if:

• i < i′, or

• i = i′ and t < t′, or

• i = i′ and t = t′ and x is less than y using the arbitrary comparison used to select unique famous witnesses.

It is clear that the consensus order is a total order. Since all peers can agree on the unique famous witnesses, they can all agree on the consensus order. Finally, the order is immutable: the unique famous witnesses do not change once determined, and their ancestries never change either.
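These last two definitions lend themselves to small sketches in Coq. Below, lower_median captures the "smaller of the two central elements" convention for consensus timestamps, and consensus_lt renders the three-way comparison as a boolean lexicographic test. The names, the nat encoding of rounds and timestamps, and the tie argument (standing in for the arbitrary deterministic tiebreak) are our own illustrations and are not part of the formalization's actual interface.

```coq
Require Import List Arith Bool.
Import ListNotations.

(* Lower median of a sorted list of timestamps: index (length - 1) / 2.
   For odd length this is the middle element; for even length it is the
   smaller of the two central elements, so the result is always a
   timestamp actually assigned by some peer.  For example,
   lower_median [3; 5; 8; 13] 0 is 5. *)
Definition lower_median (ts : list nat) (default : nat) : nat :=
  nth ((length ts - 1) / 2) ts default.

(* Lexicographic comparison on (round received, consensus timestamp),
   with [tie] standing in for the arbitrary deterministic comparison
   used to break exact ties. *)
Definition consensus_lt (i i' t t' : nat) (tie : bool) : bool :=
  (i <? i')
  || ((i =? i') && (t <? t'))
  || ((i =? i') && (t =? t') && tie).
```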
Our work builds on lessons learned from a previous effort to verify the Hashgraph consensus algorithm by Gregory Malecha and Ryan Wisnesky. In that earlier effort the algorithm was expressed by implementing it as a function in Gallina (the Coq specification language). This allowed the code to be directly executed within Coq, and it was thought that such code could be more easily related to the actual code in the commercial Hashgraph implementation, Hedera.

However, the specification as a Gallina implementation proved unwieldy. Although the effort did not hit a show-stopping problem, the concreteness of the implementation made it clumsy to work with. Moreover, expressing the algorithm using recursive functions, rather than inductive relations, meant that one was denied nice induction principles.

In this work we started over with new definitions, making events and other objects of interest abstract, and using inductive relations for most definitions. This allowed for streamlined proofs that usually closely resemble the human-language proofs, and nice induction principles in most cases. (An important exception, induction over votes, is discussed in Section 3.4.)

The axioms that define hashgraphs are just 258 lines. This is the trusted part of the development, apart from Coq itself. The full proof is 14 thousand lines of Coq (version 8.9.1), including comments and whitespace. It takes 25 seconds to check using a single core of a 1.8 GHz Intel Core i5. Not all of these lines are allocated to matters that are conceptually interesting: the largest and third-largest files (2.6k lines between them) are dedicated to defining and establishing properties of the cardinalities of sets, and medians.

We will discuss the changes we made from the original algorithm in Baird [2], and then touch on interesting points that arose during the formalization. The survey here will not be complete; the complete development is available at:

cs.cmu.edu/~crary/papers/2020/hashgraph-formal.tgz
As typically happens when formalizing a human-language proof, we did uncover a few errors, but they were minor and easily corrected. These corrections are already reflected in Section 2:

1. The original definition of strongly-sees was a bit different: it said that y strongly sees x if x ◁ z ◁ y (for all z in some supermajor set). But that definition didn't provide the "stickiness" property of Lemma 2.2 (that is, x ≪ y ≤ w implies x ≪ w), since w might observe a fork that y does not.

2. Because of that change, strongly-seeing does not necessarily imply seeing. The original rule for first-round voting required that for y to vote yes on x, y must see x and not merely be a descendant of x. But that meant that y strongly seeing x was not enough for y to vote yes for x, which breaks the proof of the existence of famous witnesses (Theorem 2.13).

3. Originally, when a peer had multiple famous witnesses, instead of choosing one to consider unique, none of them were. But then it was not obvious that unique famous witnesses always exist.

In addition to these changes, we added a careful proof of Progress (Lemma 2.7). Also, a trivial difference is that our first round is 0, instead of 1. This is preferable so that every natural number is a round number.

To illustrate the abstract style we used to formalize the algorithm, these are the definitions of peers and events:
Parameter peer : Type.

Axiom peer_eq_dec : forall (a b : peer), {a = b} + {a <> b}.
The axiom states that it is decidable whether two peers are the same. This is a good example of the sort of uncontroversial mathematical assumption we alluded to in Section 2. A typical human-language proof would not bother to make such an assumption explicit.

(These errors pertain to the batch-mode algorithm discussed here, not to the online algorithm that the Hedera implementation is based on. We discuss some of the differences in Section 5. For example, the online algorithm defines strongly seeing somewhat differently.)

Parameter number_peers : nat.

Axiom number_of_peers : cardinality (@every peer) number_peers.

Axiom number_peers_minimum : number_peers >= 2.

There exists a natural number that is the number of peers, and that number is at least two. (In the preceding we called it N.) The code "@every peer" denotes the set of all peers.

Parameter honest : peer -> Prop.

Axiom supermajority_honest : supermajority honest every.
The set of honest peers is a supermajority of the set of all peers.
Parameter event : Type.

Axiom event_eq_dec : forall (e f : event), {e = f} + {e <> f}.

Parameter creator : event -> peer.
The equality of events is decidable, and every event has a creator.
Parameter parents : event -> event -> event -> Prop.

Axiom parents_fun :
  forall e e' f f' g,
    parents e f g
    -> parents e' f' g
    -> e = e' /\ f = f'.

Axiom parents_creator :
  forall e f g,
    parents e f g
    -> creator e = creator g.
We write parents e f g when e and f are the self-parent and other-parent of g. The axioms say that parents are uniquely defined, and that the self-parent has the same creator as the event.

Definition initial (e : event) : Prop :=
  ~ exists f g, parents f g e.

Axiom initial_decide :
  forall e,
    initial e \/ exists f g, parents f g e.
An initial event is one without parents, and it is decidable whether an event is initial.
Inductive parent : event -> event -> Prop :=
| parent1 {e f g} :
    parents e f g
    -> parent e g
| parent2 {e f g} :
    parents e f g
    -> parent f g.

Definition self_parent (e f : event) : Prop :=
  exists g, parents e g f.

Axiom parent_well_founded : well_founded parent.
We say parent x y when x is either parent of y, and self_parent x y when x is the self-parent of y. We assume that the parent relation is well-founded, which means we can do induction using that relation. (In classical logic, that is equivalent to saying there are no infinite descending chains.) From that assumption, we can show that the self-parent, strict ancestor, and strict self-ancestor relations are also well-founded.

In Baird [2] the definitions of rounds and witnesses are mutually dependent. As here, a witness was the first event created by a peer in a round. Unlike here, to advance to the next round an event would need to strongly see many witnesses in the current round, while we require it only to strongly see many events in the current round. It is not hard to see that the definitions are equivalent, but our version has the virtue that rounds can be defined without reference to witnesses.

Our formalization of rounds then is:
Inductive round : nat -> event -> Prop :=
| round_initial {x} :
    initial x
    -> round 0 x
| round_advance {x y z m n A} :
    parents y z x
    -> round m y
    -> round n z
    -> supermajority A every
    -> (forall a,
          A a
          -> exists w,
               creator w = a
               /\ stsees w x
               /\ round (max m n) w)
    -> round (S (max m n)) x
| round_nadvance {x y z m n A} :
    parents y z x
    -> round m y
    -> round n z
    -> superminority A every
    -> (forall a w,
          A a
          -> creator w = a
          -> stsees w x
          -> exists i,
               i < max m n /\ round i w)
    -> round (max m n) x.

The first case says initial events belong to round 0. In each of the other two cases, x's parents' rounds are m and n. Then, in the second case, we advance to the next round (i.e., give x the round max(m, n) + 1) if there exists a set of peers A, comprising a supermajority of the peers, such that for each peer a ∈ A, there exists w created by a in round max(m, n) where w ≪ x. The third case expresses the negation of that condition. Here, a set S is a "superminority" of T if S contains at least one-third of T's elements. That is, a superminority is a subset large enough to deny a supermajority to its complement.

It is necessary to express the conditions for advancing or not advancing to the next round as a pair of affirmative properties. One might imagine saying something like:

...
-> (b = true
    <->
    (.. x stsees enough from this round ..))
-> round (max m n + if b then 1 else 0) x

but with such a definition, the "strongly sees enough" portion could not be implemented, since it could not mention rounds. Any mention of rounds in that position would be a non-positive occurrence of the relation being defined, which is not permissible in an inductive definition.

The benefit of going to the trouble to use an inductive definition is that one can do induction over the derivation of an event's round. When one is reasoning about rounds, this produces exactly the cases one wants: one base case, one inductive case where you advance, and one where you don't.
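The arithmetic behind "large enough to deny a supermajority to its complement" is simple enough to check in isolation. In this hypothetical sketch, supermajority and superminority are phrased purely on cardinalities k out of n (the development's actual definitions are on sets of peers), with the fractions written multiplicatively to stay within nat:

```coq
Require Import Lia.

(* A supermajority is more than two-thirds; a superminority is at
   least one-third. *)
Definition supermajority_card (k n : nat) : Prop := 3 * k > 2 * n.
Definition superminority_card (k n : nat) : Prop := 3 * k >= n.

(* A superminority is exactly what is needed to deny its complement
   a supermajority. *)
Lemma superminority_blocks :
  forall k n,
    k <= n ->
    (superminority_card k n <-> ~ supermajority_card (n - k) n).
Proof.
  unfold superminority_card, supermajority_card.
  intros; lia.
Qed.
```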
Expressing voting as an inductive definition is a bit tricky. We gave vote the type:

sample -> event -> event -> bool -> Prop
Here, vote s x y b means that y's vote on whether x is famous is b. The s is a point in the sample space, and can be safely ignored for now. (We discuss the sample space in Section 3.6.)

The case for the first round of voting is straightforward:

| vote_first {s x y m n v} :
    rwitness m x
    -> rwitness n y
    -> m < n
    -> m + first_regular >= n
    -> (Is_true v <-> x @ y)
    -> vote s x y v

Here, first_regular is the formalization's name for the parameter d, rwitness m x means that x is a round-m witness, and @ means strict ancestor (<, formalized as the transitive closure of parent). Then y votes yes if y is a strict descendant of x, and no otherwise, provided round(x) < round(y) ≤ round(x) + d.

The complications begin in the next case:

(* not a coin round *)
| vote_regular {s x y m n t f v} :
    rwitness m x
    -> rwitness n y
    -> m + first_regular < n
    -> (n - m) mod coin_freq <> 0
    -> election (vote s x) (pred n) y t f
    -> ((t >= f /\ v = true)
        \/ (f > t /\ v = false))
    -> vote s x y v
The first four premises say that more than d rounds have elapsed since x, and that it is not currently a coin round. Then election (vote s x) (pred n) y t f says that when y collects votes on x from the previous round, it receives t yeas and f nays. Then y's vote is true if t ≥ f, and false otherwise.

The trickiness lies in election. It has type:

(event -> bool -> Prop)
-> nat -> event -> nat -> nat -> Prop

The first argument abstracts over the recursive call to vote, in order to disentangle election and vote. We fill it in with vote s x to give it access to everyone's votes on x. The second argument is the round to collect votes from; we fill it in with round(y) − 1. The relation elector n w y specifies the round-n witnesses w that can send votes to y:

Definition elector (n : nat) (w y : event) :=
  rwitness n w /\ stsees w y.
At this point, we might imagine defining election V n y t f as follows:

cardinality
  (fun w => elector n w y /\ V w true)
  t
/\ cardinality
     (fun w => elector n w y /\ V w false)
     f
Indeed, this is a perfectly good definition. However, if we define election this way, vote is not allowed to call it as above. Since vote calls election with a recursive instance of vote, election must use V only positively, and this definition does not (because cardinality does not use its first argument only positively). Thus vote would be ill-defined. Instead, we code around the problem:

Definition election
  (V : event -> bool -> Prop)
  (n : nat) (y : event) (t f : nat)
  :=
  exists T F,
    cardinality (fun w => elector n w y) (t + f)
    /\ cardinality T t
    /\ cardinality F f
    /\ (forall w, T w
          -> elector n w y /\ V w true)
    /\ (forall w, F w
          -> elector n w y /\ V w false).

We existentially quantify over two sets T and F, where the intention is that T is the yeas and F the nays. The final two conjuncts check that every element of T (respectively F) is indeed an elector and votes yes (respectively no). The previous two conjuncts check that the cardinalities of T and F are t and f.

Finally, the first conjunct ensures that we are not missing any votes: if we assume that V does not allow a single witness to vote both ways (which vote s x will not), it follows that T and F are disjoint. Thus, in order to check that every vote is accounted for, we need only check that there are t + f electors total.

The remaining two cases of vote implement coin rounds. They call election in the same manner as above, in order to find out whether a supermajority already exists. (This is a minor departure from the definition in Section 2.3. It is convenient to allow witnesses to vote before the required d rounds have elapsed, but such early votes are ignored.)
(* coin round but supermajority exists *)
| vote_coin_super {s x y m n t f} {v : bool} :
    rwitness m x
    -> rwitness n y
    -> m < n
    -> (n - m) mod coin_freq = 0
    -> election (vote s x) (pred n) y t f
    -> (if v then t else f) > two_thirds number_peers
    -> vote s x y v

(* coin round and no supermajority exists *)
| vote_coin {s x y m n t f} :
    rwitness m x
    -> rwitness n y
    -> m < n
    -> (n - m) mod coin_freq = 0
    -> election (vote s x) (pred n) y t f
    -> t <= two_thirds number_peers
    -> f <= two_thirds number_peers
    -> vote s x y (coin y s)

In the final case, coin y s gives y's pseudo-random coin flip.

Induction
Although Coq accepts the definition of vote, since all its recursive occurrences are positive, the definition is still too complicated for Coq to give it a useful induction principle. It does, however, provide a useful case-analysis principle. Thus, Coq essentially promises that vote is a fixed point, but not a least fixed point.

This is inconvenient, because there are many times one would like to do induction over votes. Fortunately, we can work around the problem. The recursive instances of vote always deal with strict ancestors of the vote in question, so one can employ well-founded induction using the strict-ancestor relation. Within that induction, one can then do a case analysis over the vote in question. This provides the power of the induction principle that one would have liked Coq to provide automatically.
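The workaround can be phrased generically: from well-foundedness of the strict-ancestor relation, the desired induction principle falls out of the standard library's well_founded_ind. The names event, strict_ancestor, and ancestor_wf below are stand-ins for the development's own, so this is only a sketch of the pattern:

```coq
(* Well-founded induction over an abstract strict-ancestor relation.
   Within the inductive step one then performs a case analysis on the
   vote derivation; its recursive instances concern only strict
   ancestors, so the induction hypothesis applies to them. *)
Section VoteInduction.
  Variable event : Type.
  Variable strict_ancestor : event -> event -> Prop.
  Hypothesis ancestor_wf : well_founded strict_ancestor.

  Lemma vote_style_induction :
    forall (P : event -> Prop),
      (forall y, (forall x, strict_ancestor x y -> P x) -> P y) ->
      forall y, P y.
  Proof.
    intros P IH.
    apply (well_founded_ind ancestor_wf).
    exact IH.
  Qed.
End VoteInduction.
```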
We use worlds to talk about potentially incompatible evolutions of the hashgraph. (The term is motivated by the use of the term in Kripke models.) In a modest loosening of the rules from our informal presentation, we allow that an event x might have two distinct self-children y and z, even if x's creator is honest, provided that y and z exist only in distinct futures. However, y and z can never coexist in the same future (again, if the creator is honest). That is, two events in the same world cannot form a fork on an honest peer.

Thus, a world is a set of events that is closed under ancestor, and contains no forks:

Definition fork (e f : event) : Prop :=
  creator e = creator f
  /\ ~ e $= f
  /\ ~ f $= e.

Record world : Type :=
  mk_world
    { member : event -> Prop;
      world_closed :
        forall x y,
          x @= y -> member y -> member x;
      world_forks :
        forall a,
          honest a
          -> ~ exists e f,
                 member e /\ member f
                 /\ fork e f /\ creator e = a }.
Here @= means ancestor (≤), and $= means self-ancestor (⊑). Many facts rely only on the events themselves, not on any worlds they inhabit, but some require a world assumption. For example, consider the strongly-seeing lemma (Lemma 2.3):

Lemma strongly_seeing :
  forall W x y v w,
    member W v
    -> member W w
    -> fork x y
    -> stsees x v
    -> stsees y w
    -> False.
Recall that, in the proof, we obtained events z and z′, sharing the same honest creator, where x ◁ z ≤ v and y ◁ z′ ≤ w. We concluded that either z ⊑ z′ or z′ ⊑ z, since otherwise z and z′ would constitute a fork on an honest peer. But in the formalization, forks are possible, even on an honest peer, if the sides of the fork belong to different futures. Requiring v and w (and therefore z and z′) to belong to the same world rules that out.

(Note that nothing requires a world to contain all the events, even at a particular point in time. Thus, for example, we can also use worlds to express the knowledge that a particular peer has about the hashgraph.)

3.6 Pseudo-probability

The first element in our treatment of pseudo-probability is a sample space. A point in the sample space determines the outcome of every random or nondeterministic action, as well as the behavior of the adversary. However, unlike a true treatment of probability, we do not establish a measure for the sample space and compute probabilities. Instead, we simply exclude any point in the sample space in which something happens that (informally speaking) has discrete probability zero. Specifically, we exclude any point that violates the probability assumption that was given informally in Section 2.4.1 and formally by eventual_agreement below. This is formalized as the type sample, which one can think of as the type of all points in the sample space that are not being excluded.

Since a point in the sample space determines everything that takes place, and specifically determines what events get created, a sample determines a world. We call this the global world determined by that sample.

global : sample -> world
For now we can think of global as primitive, but once we develop some more machinery, we can actually define it. At this point we can state the termination theorem (Theorem 2.17):
Theorem fame_consensus :
  forall s x,
    member (global s) x
    -> witness x
    -> exists y v,
         member (global s) y
         /\ decision s x y v.

If s is a sample, and x is a witness that gets created in the timeline resulting from s, then there exists some y from the same timeline, such that y makes a decision on x.

Recall that termination relied on a good coins lemma (Lemma 2.16), which we can state thus:

Lemma good_coins :
  forall s i x,
    rwitness i x
    -> exists j y t f b,
         i < j
         /\ (j - i) mod coin_freq = 0
         /\ member (global s) y
         /\ rwitness j y
         /\ election (vote s x) (pred j) y t f
         /\ ((t >= f /\ b = true)
             \/ (f > t /\ b = false))
         /\ forall w,
              member (global s) w
              -> rwitness j w
              -> honest (creator w)
              -> coin w s = b.
Good coins depends in turn on the probability assumption. Before we can state it, we need a little more machinery. The probability assumption says that eventually all coins will agree with a target, provided the target is specified using only information available earlier. We get this notion of "earlier" from spawn order, defined by:
Axiom spawn_inj :
  forall s i j,
    spawn s i = spawn s j -> i = j.

Axiom spawn_parent :
  forall s x i,
    parent x (spawn s i)
    -> exists j, x = spawn s j /\ j < i.

Axiom spawn_forks :
  forall s i j,
    honest (creator (spawn s i))
    -> fork (spawn s i) (spawn s j)
    -> False.

Axiom honest_peers_sync :
  forall s i a b,
    honest a
    -> honest b
    -> a <> b
    -> exists j k,
         i <= j
         /\ j <= k
         /\ creator (spawn s j) = a
         /\ creator (spawn s k) = b
         /\ spawn s j @ spawn s k.

Axiom no_orphans :
  forall x, exists s i, x = spawn s i.
Figure 2: Spawn order axioms

spawn : sample -> nat -> event
Suppose s is a point in the sample space. Then there exists a set S of all the events that will be created in the world s determines. (In other words, S contains all the elements of global s.) Then sort S according to the order the events are created in real time to obtain x_0, x_1, x_2, . . . . Then we define spawn s i = x_i. Obviously, the "real time" ordering cannot be used by any participant; it is used only in reasoning about the algorithm.

Several axioms (appearing in Figure 2) govern spawn order: (1) No event spawns more than once. (2) An event's parents spawn before it does. The next two axioms are general rules of hashgraphs that are convenient to formalize in terms of spawn order: (3) Honest peers do not create forks. (4) Every honest peer eventually communicates with every other honest peer. (5) Finally, it is convenient to exclude any event that is part of no future.

We can define the global world global s using spawn order as the set of all events x such that exists i, spawn s i = x. The spawn_parent axiom provides the world_closed specification, and spawn_forks provides world_forks.

To define the eventual agreement axiom, we need to formalize the notion of a target depending only on earlier information. We will say that two samples are similar up to the i-th spawn if their first i spawned events are the same, and they give the same coin flip for all of them except possibly the last:

Definition similar (s s' : sample) i :=
  (forall j,
     j <= i -> spawn s j = spawn s' j)
  /\ (forall j,
        j < i -> coin (spawn s j) s
                 = coin (spawn s j) s').

This is the information the i-th event's coin's target can depend on, which is why it includes the i-th event, but not its coin.
Then the axiom says:

Axiom eventual_agreement :
  forall
    (n : nat)
    (s : sample)
    (Q : nat -> event -> Prop)
    (P : nat -> sample -> Prop),
    (forall i j x, Q i x -> Q j x -> i = j)
    -> (forall i x,
          Q i x -> honest (creator x))
    -> (forall i, cardinality_lt (Q i) n)
    -> (forall i k s',
          Q i (spawn s k)
          -> similar s s' k
          -> (P i s <-> P i s'))
    -> exists i v,
         (forall x, Q i x -> coin x s = v)
         /\ (Is_true v <-> P i s).
This says that, for any n and any sample s, if:

1. Q is a sequence of disjoint sets of honest events, each of size less than n (e.g., the honest witnesses of each round), and

2. P is a sequence of predicates (the targets), such that P i depends only on events earlier than every event in Q i,

then there exists some i such that all of Q i's events' coin flips agree with P i.

The axiom's final antecedent expresses the second condition above. It says that if i is a position in the sequence, and k is the spawn order of some element of Q i, and s' is another sample that is similar to s up to the k-th spawn, then P i is insensitive to whether it sees s or s'.

The alert reader might wonder why P returns a proposition and not a boolean, when that proposition must then be converted into a boolean (v). This gives us the flexibility to resolve a technical issue related to Coq's type system and constructivity. In the proof of good_coins, one needs the target to agree with the supermajority, if a supermajority exists. To ensure this, we make the round i target be whatever majority is observed by some arbitrary event in Q i (specifically, we use the first element of Q i to spawn). In Coq we cannot pluck an element from a set without some form of the axiom of choice, which we prefer to avoid. However, we can describe an element, and then state the target based on that; but we can do that only if we are giving the target as a proposition rather than a boolean, so that we have access to the needed logical machinery.

We also formalized an unpublished fairness theorem by Baird [1].
Lemma 4.1
Suppose d ≥ 2. Suppose also that x is a round-i witness. If there exists y such that x ≪ y and both parents of y belong to a round no later than i, then x will be famous.

Proof
Suppose w is an arbitrary round i + d witness. We claim that x ≤ w. It follows that w votes yes. Since w is arbitrary, every round i + d witness votes yes, so x will be decided to be famous in round i + d + 1.

Since x ≪ y, the set U = { u | x ◁ u ≤ y } is supermajor. By Lemma 2.4, there exists a supermajor set V of round i + d − 1 witnesses such that for every v ∈ V, v ≪ w. The intersection of three supermajorities is nonempty, so there exists an honest peer a and events u and v created by a such that x ◁ u ≤ y and v ≪ w. Since a is honest, either u ⊑ v or v ⊏ u.

If u ⊑ v then we are done, since x ≤ u ≤ v ≤ w, so let us assume v ⊏ u. Then v < y. Thus v is an ancestor of one of y's parents, both of whom belong to a round no later than i. But v belongs to round i + d − 1, which is at least i + 1 since d ≥ 2. This is a contradiction, since v cannot belong to a later round than any of its descendants.

Theorem 4.2 (Fairness) If d ≥ 2 then every round's set of famous witnesses is supermajor.

Proof
Let i be a round number. By Lemma 2.7, there exists a round i + 1 witness x. By following back x's ancestry, we can obtain a round i + 1 witness y (possibly x itself), both of whose parents belong to round at most i. Since neither of y's parents belongs to round i + 1, y must strongly see a supermajor set of round i witnesses. By Lemma 4.1, all those witnesses will be famous.

The significance of the fairness theorem is that it means a majority of the famous witnesses in any round must be honest. Consequently, every event's consensus timestamp is governed by honest peers. The timestamp might come from a dishonest peer, but even if so, it will be bracketed on both sides by timestamps from honest peers.

The formalization of the fairness theorem and its consequences regarding timestamps is just under 700 lines of Coq.

The ultimate goal of this work is a fully verified implementation of the Hashgraph consensus algorithm. There are a number of differences between the algorithm given here and the one that is implemented. We have incorporated many of them into the formalization already, but some others are future work.

• We have completed a version of the algorithm that supports weighted peers (a.k.a. proof-of-stake) instead of giving an equal weight to every peer. In that version, a supermajority of the weight must belong to honest peers. This change is largely straightforward, but there were some complications in the re-proof of Theorem 2.13 stemming mainly from the need for a weighted version of the pigeonhole principle.

• The algorithm here is a batch algorithm, while the implemented system is online. Moving to an online version requires two main changes:
– We cannot permanently blacklist peers who create a fork, since this would require retaining information about them indefinitely. Instead we introduce a consistent way of establishing priority between the forked events, and one can only "see" the higher-priority event. This is sufficient to reestablish Lemma 2.3, since the heart of the proof was the construction of an impossible event that sees both sides of a fork, and that remains impossible. This development is complete.

– Since the participants of the network change over time, we need a way to deal with changing weights. (When a participant leaves the network, we can view that as its weight going to zero.) This is future work, although a prerequisite (having weights at all) is already done. The main complication is ensuring that all peers always agree on all the weights, when the weights are determined by previous transactions.

• The algorithm includes some operations that are expensive to perform and that we want to avoid as much as possible. A good example is strongly seeing, which requires one to count all the different peers one can pass through between one event and another. That involves exploring many different paths. However, one can show that one can limit oneself to exploring certain canonical paths without sacrificing any key properties. A version incorporating this and other optimizations is complete.

In addition, one would like to establish the fairness theorem for d = 1. This is an important area for research, since d = 1 is preferable (faster consensus) but provably honest timestamps are also desirable.

References

[1] Leemon Baird. Personal communication.

[2] Leemon Baird. The Swirlds Hashgraph consensus algorithm: Fair, fast, Byzantine fault tolerance. Technical Report SWIRLDS-TR-2016-01, Swirlds Inc., May 2016.

[3] Leemon Baird, Mance Harmon, and Paul Madsen. Hedera: A public Hashgraph network & governing council. White paper, August 2019.

[4] Leemon Baird and Atul Luykx. The Hashgraph protocol: Efficient asynchronous BFT for high-throughput distributed ledgers. In IEEE International Conference on Omni-layer Intelligent Systems (COINS), 2020. To appear.

[5] Bruno Barras, Samuel Boutin, Cristina Cornes, Judicaël Courant, Jean-Christophe Filliâtre, Eduardo Giménez, Hugo Herbelin, Gérard Huet, César Muñoz, Chetan Murthy, Catherine Parent, Christine Paulin-Mohring, Amokrane Saïbi, and Benjamin Werner. The Coq Proof Assistant Reference Manual. INRIA-Rocquencourt, CNRS and ENS Lyon, 1996.

[6] Miguel Castro and Barbara Liskov. Practical Byzantine fault tolerance. In Third Symposium on Operating Systems Design and Implementation, New Orleans, Louisiana, February 1999.

[7] Sisi Duan, Michael K. Reiter, and Haibin Zhang. BEAT: Asynchronous BFT made practical. In ACM SIGSAC Conference on Computer and Communications Security, January 2018.

[8] Michael J. Fischer, Nancy A. Lynch, and Michael S. Paterson. Impossibility of distributed consensus with one faulty process. Journal of the ACM, 32(2):374–382, April 1985.

[9] Leslie Lamport, Robert Shostak, and Marshall Pease. The Byzantine generals problem. ACM Transactions on Programming Languages and Systems, 4(3), July 1982.

[10] Andrew Miller, Yu Xia, Kyle Croman, Elaine Shi, and Dawn Song. The honey badger of BFT protocols. In ACM SIGSAC Conference on Computer and Communications Security, pages 31–42, October 2016.

[11] Satoshi Nakamoto. Bitcoin: A peer-to-peer electronic cash system. Disseminated to The Cryptography Mailing List, November 2008.

[12] Marshall Pease, Robert Shostak, and Leslie Lamport. Reaching agreement in the presence of faults. Journal of the ACM, 27(2), April 1980.

[13] Fred B. Schneider. Implementing fault-tolerant services using the state machine approach: A tutorial. ACM Computing Surveys, 22(4), December 1990.

[14] Visa Corporation. Visa Inc. at a glance. Marketing document at https://usa.visa.com/dam/VCOM/download/corporate/media/visa-fact-sheet-Jun2015.pdf, 2015. Retrieved July 2020.

[15] Visa Corporation. Visa fact sheet. Marketing document at https://usa.visa.com/dam/VCOM/download/corporate/media/visanet-technology/aboutvisafactsheet.pdf.