Phalanx: A Practical Byzantine Ordered Consensus Protocol

1^st Guangren Wang Zhejiang University
2^nd Liang Cai Zhejiang University
3^rd Fangyu Gai University of British Columbia
4^th Jianyu Niu Southern University of Science and Technology

Abstract

Byzantine fault tolerance (BFT) consensus is a fundamental primitive for distributed computation. However, BFT protocols suffer from the ordering manipulation, in which an adversary can make front-running. Several protocols are proposed to resolve the manipulation problem, but there are some limitations for them. The batch-based protocols such as Themis has significant performance loss because of the use of complex algorithms to find strongly connected components (SCCs). The timestamp-based protocols such as Pompe have simplified the ordering phase, but they are limited on fairness that the adversary can manipulate the ordering via timestamps of transactions. In this paper, we propose a Byzantine ordered consensus protocol called Phalanx, in which transactions are committed by anchor-based ordering strategy. The anchor-based strategy makes aggregation of the Lamport logical clock of transactions on each participant and generates the final ordering without complex detection for SCCs. Therefore, Phalanx has achieved satisfying performance and performs better in resisting ordering manipulation than timestamp-based strategy.

Index Terms:

Blockchain, Byzantine Fault Tolerance, Ordering Manipulation, Distributed System

I Introduction

Byzantine Fault Tolerance (BFT) consensus protocols could be used to deal with arbitrary behaviors. However, the most widely used BFT consensus protocols (PBFT[1][2], HotStuff [3], etc.), limited types of malicious manners could be prevented because of the limitation of the leader-based system model. The leader always determines the next proposal to be applied, while backups can only detect whether a leader is crashed or the proposal is proposed on a duplicated serial number. Therefore, the leader could always decide on the content of proposals and could decide the ordering of proposals to commit. As for permissioned blockchain and some of the permissionless blockchain, they are mostly constructed based on leader-based BFT consensus protocols that Diem (Libra) is based on DiemBFT (HotStuff [3]) and Solana takes use of protocol based on PBFT, so we need to deal with the potential risks on ordering manipulation.

The possibilities of manipulating the ordering have left latent danger of malicious behavior. In recent works [4], researchers found that the manipulation of transactions in the permissionless blockchain, such as Ethereum [5], has made the attackers grab millions of profits. In the traditional financial system, front-running is a well-known illegal means to grab profits, especially on Wall Street [6]. For instance, when a broker receives a market order from a customer to buy a large amount of stock, before placing the order for the customer, he or she buys a few amounts of shares of the same stock for the broker’s account. Then, the broker places the customer’s order and the price of the stock will be driven up. If we allow the broker to immediately sell his or her shares, a significant profit will be generated in just a short time. The profits are just a part of the additional cost to the customer’s purchase caused by the broker’s self-dealing. In the situation such as sec-killing, the priority of transactions determines whether the dealer can get the products he or she prefers.

To deal with the ordering manipulation in BFT protocols, recently, the property called order-fairness has been widely discussed. Researchers have found that though collecting quorum[7] votes to decide the context of transactions seems like an effective approach. However, the Condorcet Paradox [8] [9] prevents us to reach a deterministic execution ordering. So that, how to resolve the Condorcet Paradox is the major barrier to designing a practical protocol to achieve order-fairness. Kelkar et al. proposed Aequitas[10] and Themis[11], which are batch-based protocols and achieve the order-fairness between by detecting strongly connected components (SCCs). But because of the complex graph algorithm to detect SCCs, the performance of Aequitas/Themis seems not satisfying. Pompe[12] proposed by Zhang et al. and Wendy[13] proposed by Kursawe et al. are timestamp-based protocols. They discard the logical clock and ordering the transactions with the timestamps. Because of the linearity of real clock, these protocols avoid the Condorcet Paradox and simplify the ordering phase to reduce performance loss. However, the timestamp-based protocols are easily destroyed by manipulating timestamps [14]. It might not be a good choice to construct industrial systems. (See Section VI for details)

It should be noted that we cannot distinguish the adversarial participants from the honest ones in a distributed system, and recent works [10] [11] [12] show that we cannot make the final ordering completely independent of Byzantine nodes. However, we are supposed to minimize the impact of the adversary on execution ordering, and an effective Byzantine ordered strategy should try to eliminate malicious behavior as much as possible and reduce the impact on performance at the same time.

In this paper, we aim to introduce a new strategy that could avoid complex graph detection and could achieve more fairness than the timestamp-based protocols. Based on previous work, we believe that the Byzantine ordered consensus has two properties, free will and correctness. Because of the vulnerability of real clock, we take the Lamport Logical Clock as the indicator to order transactions. Then, to achieve the fairness, we make aggregation of each participant preferences on transactions ordering to find the anchor commands with linear reliable context to make a commitment. It has prevented the occurrence the Condorcet Paradox, and the complex graph detection has been avoided. So that, we design, implement, and evaluate Phalanx, a anchor-based Byzantine ordered consensus protocol. It avoids complex graph detection and reflects the real preference of each node to commit transactions. In summary, we make the following contributions:

•

We propose anchor-based ordering strategy, which has avoided graph detection and could resist ordering manipulation.
•

We propose a protocol called Phalanx which has achieved anchor-based ordering and we implement it as a modular component. We release it for public use¹¹1https://github.com/Grivn/phalanx.
•

We conduct a comprehensive evaluation of Phalanx for performance and reliability. Phalanx does not introduce too much performance loss and has advantages in the WAN environment. And Phalanx performs better in resisting ordering manipulation than timestamp-based strategy.

II System Model and Anchor-Based Ordering

In this section, we firstly present the system model, then define ordering properties. Finally we introduce our strategy to prevent ordering manipulation with logical clock, and how to avoid the occurrence of the Condorcet Paradox.

II-A System Model

We consider a system of $n=3f+1$ consensus nodes (hereinafter referred to as nodes for short) and any number of proposers (or we can call them clients). In this paper, we focus on the adversary in nodes and ignore the potential malicious behavior of proposers. We assume that an adversary can control up to $f$ nodes.

Command and Context. The command is the atomic unit for our Byzantine ordered consensus system. It is generated by proposers. Let $r$ denotes command. For commands $r_{1}$ and $r_{2}$ , we use notion $\prec$ to describe their context, which means the sequential relationship between $r_{1}$ and $r_{2}$ . If $r_{1}$ should be committed before $r_{2}$ , then $r_{1}\prec r_{2}$ . The command can be assigned with sequence number to indicate the preference ordering for the proposer. Whenever proposer $P_{i}$ is trying to propose request $m$ , it should generate a command with data structure $\langle i,n,d,m\rangle$ , in which $i$ is the identifier of proposer, $m$ is the request content, $n$ is a monotonically increasing sequence number which indicates the sending order for current command on $P_{i}$ , $d$ is the digest of command that $d\leftarrow h(\langle i,n,m\rangle)$ .

Partial Ordering and Total Ordering. The commands generated by proposers would be broadcast to every node. The node $N_{i}$ needs to generate its partial ordering according to the order of reception. And $N_{i}$ generates logs to describe its partial ordering. Each node has a logical clock starting from 0. Every time $N_{i}$ has received command $r$ , the logical clock is advanced by 1. Then, $N_{i}$ generates a log for $r$ assigned with current logical clock. The structure is $\langle i,n,d_{r}\rangle$ , in which $i$ is the identifier of $N_{i}$ , $n$ is the logical clock stamp when current log has been generated, $d_{r}$ is the digest of $r$ that $d_{r}\leftarrow r.d$ .

Taking the partial ordering of each node as the material, Byzantine ordered consensus would make all the trusted nodes obtain a consistent total ordering. The commands would be committed according to the consistent total ordering and would send back reply message to specific proposers.

Let $o$ denotes log. Call that $o\to r$ , if and only if $o.d_{r}=r.d$ . Let $\prec_{i}$ denote the context in $N_{i}$ ’s partial ordering. For logs $o_{1}$ and $o_{2}$ from $N_{i}$ , there are $r_{1}$ and $r_{2}$ that $o_{1}\to r_{1}$ and $o_{2}\to r_{2}$ . There is a context that $r_{1}\prec_{i}r_{2}$ if and only if $o_{1}.n<o_{2}.n$ . Although the partial ordering for each node might- be different, every non-faulty node would eventually find the same total ordering to commit commands.

II-B Network Model

The modular implemented Phalanx component should be combined with a BFT protocol so that the network assumptions should support both Phalanx component itself and the combined original BFT protocol.

The communication in Phalanx component is asynchronous, so that, in addition to the network assumption of the original BFT protocol, we only need to satisfy the messages sent from one participant will reach the recipient(s) eventually. As asynchronous network assumption is the weakest one in BFT protocol groups’ network assumptions, the Phalanx component will not impact the robustness of the original BFT cluster.

Besides, there is another basic assumption called sending-receiving model that messages receiving order should always be the same as their sending order. For instance, $N_{1}$ is trying to send messages toward $N_{2}$ . If $N_{1}$ has sent $m_{1}$ before $m_{2}$ , $N_{2}$ must receive $m_{1}$ before $m_{2}$ . It could be achieved easily with the use of sequence numbers.

II-C Ordering Properties

In state-of-the-art leader-based BFT consensus protocols, the total ordering is determined by the leader and followers can only detect limited malicious behaviors. It doesn’t respect the collective preferences of each correct participant, and, because a leader has controlled the total ordering, there is a risk of suffering a manipulation attack, which means the adversaries make the transactions more likely to be committed according to their own wishes.

Byzantine ordered consensus protocol is used to tolerate Byzantine faults in ordering manipulation. To achieve it, we believe Byzantine ordered consensus protocol should have two essential properties, free will and fairness.

Free Will. Free will is a concept proposed by Zhang et al. [12]. Briefly, it means no one could manipulate the total ordering directly. For instance, here is a pair of commands $r_{1}$ and $r_{2}$ . If their context in each node’s partial ordering indicates $r_{1}\prec r_{2}$ (or $r_{2}\prec r_{1}$ ), their context in the total ordering must be the same that $r_{1}\prec r_{2}$ (or $r_{2}\prec r_{1}$ ). If some of the nodes prefer $r_{1}\prec r_{2}$ while others $r_{2}\prec r_{1}$ , in the total ordering of trusted node, the context between such a pair of commands should be determined by every participant’s preference which means both of them have an opportunity to be committed at first.

Fairness. The ordering in reality deserves some intuitive expectations as below. 1) The commands proposed by the same proposer may born with context that for $r_{1}.i=r_{2}.i$ , we have $r_{1}\prec r_{2}$ , iff $r_{1}.n<r_{2}.n$ . 2) The commands proposed by different proposers may deserve context because of the physical limitations. For instance, $P_{1}$ and $P_{2}$ are located in the same place. If $P_{1}$ has proposed $r_{1}$ several seconds earlier than $P_{2}$ proposing $r_{2}$ , $r_{1}$ deserves the context $r_{1}\prec r_{2}$ in the total ordering commitment. Although, the ordering can be affected by multiple factors that we cannot find the totally correct ordering, we can make the context in total ordering show the intuitive expectations to the maximum.

By using some reasonable ordering strategies, which take every node’s partial ordering into thought, we can always achieve certain free-will characteristics. To achieve better fairness, we need to aggregate the logical clock from each participant. However, the Condorcet Paradox prevents us to find distinct total ordering. Next, we would like to introduce our method to deal with the paradox.

II-D Anchor-Based Ordering

Definition 1 (Reliable Context).

For a pair of commands $r_{1}$ and $r_{2}$ , there is a reliable context $r_{1}\prec r_{2}$ (or $r_{2}\prec r_{1}$ ), iff at least one non-faulty node $N_{i}$ believes $r_{1}\prec_{i}r_{2}$ (or $r_{2}\prec_{i}r_{1}$ ).

Theorem 1.

Let $\prec_{r}$ denote the reliable context. For commands $r_{1}$ and $r_{2}$ , if there are $f+1$ nodes believe $r_{1}\prec r_{2}$ , then there is reliable context $r_{1}\prec_{r}r_{2}$ .

For the reliable context is generated by the non-faulty nodes, selecting it into the total ordering satisfy the free-will. If the context is not reliable, it means the context could be generated by a byzantine node, and might be the will of the adversaries. It is risky to select such a unreliable context into total ordering.

Linear Anchor. To prevent the Condorcet Paradox, we need to find something with linearity. Here, a series of commands with linear reliable context can help us commit the commands. We call such series of commands as anchor commands. Let $r_{a}$ denote a anchor command. With the reliable context between anchor commands, we find a partial ordering set $\langle\{r_{a}\},\prec_{r}\rangle$ .

Then we need to commit the anchor commands according to the partial ordering set. Each time when we commit an anchor command $r_{a}$ , we need to generate command set $F$ which is constructed with $r_{a}$ and the commands $\{r^{\prime}\}$ with reliable context $r^{\prime}\prec_{r}r_{a}$ . After that, the commands would be committed linearly, which has avoided the Condorcet Paradox, and make the ordering process more practical and conducive to implementation.

In the next section, we would like to introduce the protocol we design with the anchor-based ordering strategy.

III Phalanx

Phalanx is a Byzantine ordered consensus protocol that can be implemented as a modular component and combined with any state-of-the-art BFT consensus algorithms, without neither additional hardware support nor additional network assumptions. It could help the BFT protocols to achieve anchor-base ordering strategy, and not take much effect on the original protocol. In this section, we would like to introduce Phalanx and make proof of its basic properties.

III-A Overview

Phalanx has two types of roles: proposers and nodes. A proposer $P_{i}$ could propose command $c$ with given order. The non-faulty nodes $\{N_{i}\}$ are trying to reach consensus on the total ordering of commands.

Refer to caption — Figure 1: The workflow for Phalanx nodes.

As is shown in Fig. 1, a node is constructed with three main parts: mempool, consensus, and executor. Whenever node $N_{i}$ has received the command sent from proposers, firstly, put them into $N_{i}$ ’s partial ordering according to FIFO (First-In-First-Out) receiving the ordering. Then, pending logs for $N_{i}$ are created. After the process of order-protocol, verifiable logs are generated to notify others its own partial ordering. The mempool is a container of logs received from each node. In consensus module, using the logs in mempool, we generate order-batch to trigger consensus and get the same log stream for non-faulty nodes with the help of any state-of-the-art BFT protocols. Taking the log stream as material, in executor, the non-faulty nodes eventually find the same total ordering for commands. In particular, we list some basic notations as needed in Table I. As for the sets and vectors, unless otherwise specified, they do not have preset size. If the vector have preset size, every element in it should have a initial value.

TABLE I: Basic Notations.

Notation	Description
$r$	Command.
$\prec$	Context.
$\prec_{r}$	Reliable context.
$N$	Node.
$N_{i}$	The node with identifier $i$ .
$P$	Proposer.
$P_{i}$	The proposer with identifier $i$ .
$\bot$	Empty value.
$A$	A set or a vector
$A[i]$	The element in $A$ whose keyword is $i$ .
$\mathbb{A}$	FIFO queue.
$\mathbb{A}.front()$	Take out the front-log in the FIFO queue.
$\mathbb{A}.read\_front()$	Read the front-log without taking it out.
$\mathbb{A}.remove\_front()$	Remove the front-log in the FIFO queue.
$\mathbb{A}.push\_back(v)$	Add the element $v$ to the end of queue.
$\mathbb{A}.len()$	The number of elements in current queue.
$h(m)$	Calculate the hash of $m$ .
$\rho_{i}$	Partial signature generated with private key.
$psig_{i}(e)$	Generate partial signature for $e$ .
$pverify(\rho_{i})$	Verify the partial signature $\rho_{i}$ .
$agg(e,\{\rho_{i}\}_{i\in P})$	Aggregate the partial signatures $\{\rho_{i}\}_{i\in P}$ for $e$ .
$verify(sig)$	Verify the aggregated signature with public key.

III-B Cryptographic Notations

We use standard hash function (e.g., SHA256) to generate the digest of messages. Generate the digest of $m$ , $d\leftarrow h(m)$ , then $d$ could be regarded as the identifier of $m$ . If there is another message $m^{\prime}$ , we say that $m^{\prime}$ is the same as $m$ if and only if $h(m^{\prime})=h(m)$ .

We assume a public key infrastructure (PKI) of each participant in our system including proposers and nodes which means each of them is identified by its own public key. When proposer $P_{i}$ or node $N_{i}$ is trying to send message $m$ , the communication transmission will be carried out reliably through $\langle m\rangle_{i}$ .

Besides, we make use of ( $k,n$ )-threshold signature among nodes. There is a single public key and each $N_{i}$ holds a distinct private key. If event $e$ needs to be determined by the vote of the nodes. Sending a vote means approval, and not sending a vote means denial. Each time when $N_{i}$ sends a vote, it generates a partial signature with its private key $\rho_{i}\leftarrow psig_{i}(e)$ . We could verify the validation of partial signature with $\rho_{i}$ with $pverify(\rho_{i})$ . When there is a set of valid partial signatures $\{\rho_{i}\}_{i\in P}$ and $|P|=k$ , generate aggregated signature for $e$ , $sig\leftarrow agg(e,\{\rho_{i}\}_{i\in P})$ . Every node could verify the aggregated signature with the single public key that $verify(sig)$ . If it is a valid aggregated signature, the function should return $true$ value.

The aggregated signature could be regarded as a kind of certificate, denoted as $cert$ . If $cert$ is valid, then it means there are $k$ nodes have voted on event $e$ . Make use of $(2f+1,n)$ -threshold signature to generate $cert$ for $e$ in BFT consensus algorithm, and we could verify the $cert$ to check the quorum agreement on $e$ .

III-C Mempool

Each node $N_{i}$ has its own mempool. Let $\mathrm{mempool}_{i}$ denote it. Whenever $N_{i}$ receives commands from proposers, the $\mathrm{mempool}_{i}$ would receive them and generate $N_{i}$ partial ordering according to FIFO receiving ordering. At the same time, certified logs would be generated with ordering protocol and notify other participants.

TABLE II: Structures Notations for Mempool.

Notation	Description
$\mathrm{mempool}_{i}$	The mempool module for node $N_{i}$ .
$o$	The verifiable log to describe ordering preference.

Structures. The structure notion for mempool is shown in Table II. To make the log verifiable, we upgrade the structure of $o$ in section 3. The verifiable $o$ is $\langle i,n,t,d_{r},d_{pre},d_{cur},cert\rangle$ , in which $t$ is the timestamp when we generate current log, $d_{pre}$ is the digest of previous log, which refers to the log with sequence number $n-1$ (if $n$ is equal to 1, then $d_{pre}$ is empty), $d_{cur}$ is the digest of current log that $d_{cur}\leftarrow h(\langle i,n,t,d_{r},d_{pre}\rangle)$ , $cert$ is a certificate generated by ordering protocol with $2f+1$ nodes and it could be used to verify the validation of current log.

TABLE III: States Notations for Mempool.

Notation	Description
$seq$	An integer, initialized to 0, is used to track the latest log
	generated by $N_{i}$ that it is $N_{i}$ logical clock.
$o_{pending}$	A log type element, initialized to $\bot$ , which is used to track
	the log without certificate.
$H$	An $n$ -sized vector of log, where $H[j]$ , initialized to $\bot$ ,
	is used to track the latest verifiable log from $N_{j}$ .
$\mathbb{R}_{F}$	A FIFO queue command, is used to receive the commands
	from proposers.

States. To operate the ordering protocol, $N_{i}$ needs to maintain local states as is shown in Table III. The $seq$ is used to track the latest log. The $o_{pending}$ is used to track the log without certificate. The $n$ -sized vector $H$ is used to track the latest verifiable log. The $\mathbb{R}_{F}$ is used to receive the commands from proposers.

Protocol. As is shown in Fig. 2, nodes run order-protocol to generate verifiable logs. The steps are as follows.

Step 1: Pre-Order. If the FIFO queue $\mathbb{R}_{F}$ isn’t empty and there isn’t a pending log that $o_{pending}=\bot$ , $N_{i}$ would take the front element $r\leftarrow\mathbb{R}_{F}.front()$ and then try to generate verifiable log for it. $N_{i}$ advances its local logical clock $seq\leftarrow seq+1$ , and generates the order tuple without certificate $o\leftarrow\langle i,n,d_{c},d_{pre},d_{cur}\rangle$ , $o.n\leftarrow seq$ , $o.d_{c}\leftarrow c.d$ , $o.d_{pre}\leftarrow H[i].d_{cur}(o.n>1)$ . Store the tuple $o$ as a pending log that $o_{pending}\leftarrow o$ . Then, $N_{i}$ broadcasts pre-order message $\langle$ PRE_ORDER $o\rangle_{i}$ and starts to wait for the responses from $2f+1$ nodes (including itself).

Step 2: Vote. A node $N_{j}$ (including $N_{i}$ itself) receives the pre-order message sent from $N_{i}$ and tries to verify the tuple $o$ with $N_{i}$ ’s latest verifiable log that $o_{h}\leftarrow H[i]$ . First, $o$ should have a valid digest. Next, if $o_{h}$ is $\bot$ , then $o.n$ should be equal to 1. If $o_{h}$ is not $\bot$ , then $o$ should be the next log of $o_{h}$ that $o.n=o_{h}.n+1$ and $o.d_{pre}=o_{h}.d_{cur}$ . If $o$ satisfies these requirements above, it could be regarded as a valid tuple. Then, the node $N_{j}$ would respond with $\langle$ VOTE $d,\rho_{j}\rangle_{j}$ , where $d$ is the digest of $o$ that $d\leftarrow o.d_{cur}$ , and $\rho_{j}$ is a partial signature generated by $N_{j}$ for digest $d$ that $\rho_{j}\leftarrow psig_{j}(d)$ . Whenever $N_{j}$ has voted log $o$ from $N_{i}$ , $N_{j}$ will not vote for another log $o^{\prime}$ from $N_{i}$ that $o^{\prime}.n=o.n$ .

Step 3: Order. Whenever $N_{i}$ receives response $v_{j}$ from $N_{j}$ , it verifies the partial signature with $pverify(v_{j}.\rho_{j})$ . If it is valid, accept it. When $N_{i}$ has received valid responses from $2f+1$ nodes (including itself), there is a set of valid partial signatures $\{\rho_{j}\}$ and $|\{\rho_{j}\}|$ is equal to $2f+1$ . Generate aggregated signature with the set and complete log that $o.cert\leftarrow agg(o.d_{cur},\{\rho_{j}\})$ . Next, $N_{i}$ broadcasts partial order message $\langle$ ORDER $o\rangle_{i}$ to notify others with its latest verifiable partial order. When node $N_{j}$ receives the log $o$ from $N_{i}$ , verify it with $verify(o.cert)$ . If it’s valid, then update the latest log of $N_{i}$ in local states that $H[i]\leftarrow o$ .

At last, the logs generated by $N_{i}$ is constructed like Fig. 3. The subscript of $o_{k}$ in the figure indicates the log’s serial number. The digests of logs construct a chained structure and the certificate could be used to verify the validation of each log. Besides, $\mathrm{mempool}_{i}$ stores the commands and verifiable logs $N_{i}$ has received. Every time trying to use them, we could get the command $r$ according to its digest and get log $o$ according to tuple $\langle i,n\rangle$ , where $i$ is the author of partial order and $n$ is the sequence number.

III-D Consensus

Let $\mathrm{consensus}_{i}$ denotes the consensus module for node $N_{i}$ . It is used to find the same log stream for each non-faulty node. To achieve this goal, Phalanx could employs any state-of-the-art BFT protocols, such as PBFT, HotStuff, and even HoneyBadgerBFT, an asynchronous protocol. The primitive BFT protocol could help the non-faulty node reach consensus on the order of $tx$ -batch. Here, in Phalanx, the contents of consensus batch are replaced by the latest logs for each node. We call it order-batch. After the consensus process of primitive BFT protocol, we can find the consistent logs set to generate total ordering in the executor module.

TABLE IV: Structure Notations for Consensus.

Notation	Description
$\mathrm{consensus}_{i}$	The consensus module for node $N_{i}$ .
$b$	An order-batch, which is constructed with element $H$ .
$H$	An $n$ -sized vector of log, where $H[i]$ , initialized to $\bot$ ,
	stores the latest verifiable log from $N_{i}$ .
$S$	A set of logs $\{o\}$ , in which the elements are the logs
	from every node.

Structures. The consensus module takes use of some basic data structures as is shown in Table IV. We take the order-batch $b$ into the primitive BFT consensus process. After the consensus agreement of the ordering to submit $b$ , non-faulty nodes can generate the same logs set $S$ . In addition, the elements in $S$ should be sorted by the strategy that sort the logs in ascending order according to the sequence number $o.n$ , and if logs have the same sequence number, sort them in ascending order according to the generators’ identifier $o.i$ .

TABLE V: States Notations for Consensus.

Notation	Description
$V$	An $n$ -sized vector of integers where $V[i]$ , initialized with 0,
	tracks the sequence number of logs which is committed in
	consensus module from $N_{i}$ , and we could regard $V$ as
	a kind of vector clock
$\mathbb{S}$	A FIFO queue for sets of logs $S$ .

States. Each node $N_{i}$ ’s consenter maintains the basic local states as is shown in Table V. The $n$ -sized verctor $V$ is used to track the sequence number of committed logs. The FIFO queue $\mathbb{S}$ is used to store the logs.

Actions. If we employ leader-based BFT protocol, such as PBFT or HotStuff, the order-batch could be always generated by the leader in the current view (or round), so that we could provide a standard interface to generate order-batch. Whenever the leader has found a latest log for $N_{i}$ in mempool which has a larger sequence number than $V[i]$ , it could try to generate order-batch $b$ and trigger the BFT protocol. The content in $b$ could be generated from mempool that $b.H\leftarrow\mathrm{mempool}_{i}.H$ . After the process of BFT protocol, every non-faulty node will find $\{b_{1},b_{2},...,b_{m},...\}$ , in which there are a series of order-batches in the same order.

Next, commit the order-batches in $\{b_{m}\}$ one by one. Whenever trying to commit $b_{m}$ , a set of logs $S$ would be generated. The steps are as follows.

Step 1. Verify the certificates of logs in $b_{m}.H$ . If there is an invalid log, stop the process and change the leader in BFT protocol. If they are valid, initialize an empty log set $S$ . For each logs in $b_{m}.H$ , we should process it according to step 2.

Step 2. Let $n_{h}\leftarrow b_{m}.H[j].n$ and $n_{c}\leftarrow V[j]$ . If $n_{h}\leq n_{c}$ , just return. If $n_{h}>n_{c}$ , then (1) update $V[i]$ with $n_{h}$ , (2) add $b_{m}.H[j]$ into $S$ , (3) get the logs generated by $N_{j}$ with sequence number belonging to $(n_{c},n_{h})$ from mempool and add them into $S$ . If we cannot find the expected logs from mempool, request other nodes for it and verify the digests and certificates.

Step 3. After the process of each log in $b_{m}.H$ , add $S$ into the end of $\mathbb{S}$ .

As for employing leadless BFT protocols, the generation of order-batch depends on the generation strategy of the primitive protocol. For instance, in HoneyBadger-BFT (HB-BFT), each node would generate a slice of the proposal, and the final committed block is constructed by part of them. So that, if we employ Phalanx in HB-BFT, node $N_{i}$ would just propose its latest log to trigger BFT protocol. After each time the BFT protocol consensus process is finished, an order-batch could be constructed. At last, we could find a series of order-batches in the same order and commit them one by one to generate the log sets to update $\mathbb{S}$ .

After the process of consensus module, each non-faulty node would find the same FIFO queue $\mathbb{S}$ . The FIFO queue $\mathbb{S}$ is going to be used in executor module to generate total ordering.

III-E Executor

The executor module aims to get the final ordering (total ordering) according to the log stream in $\mathrm{consensus}_{i}.\mathbb{S}$ . To achieve anchor-based ordering, we need to find the anchor commands with specific ordering rules. In this part, we would like to introduce the generation of final ordering.

TABLE VI: Structures Notations for Executor.

Notation	Description
$\mathrm{executor}_{i}$	The executor module for node $N_{i}$ .
$c$	A command info to collect essential information for
	one command’s commitment.

Structures. The command $r$ is the basic unit for Byzantine ordered consensus. Here, as is shown in Table VI, we take command info $c$ to collect essential information for command’s commitment. We say that $c\to r$ if and only if $c$ is used to collect essential information for command $r$ . The command info $c$ that $c\to r$ contains: (1) $d$ , the digest of command that $d\leftarrow r.d$ . (2) $O$ , An $n$ -sized vector of logs where $O[i]$ , initialized to $\bot$ , tracks the log $o$ from $N_{i}$ that $o\to r$ , and the method $|c.O|$ would return the number of element in $O$ which is not $\bot$ . (3) $T$ , a set that is used to store the timestamps. Whenever $o$ is added into $c.O$ , $o.t$ would be added into $T$ . The timestamps in $T$ are sorted in ascending numerical order. If the length of $c.T$ is greater or equal to $2f+1$ , then the $(f+1)$ -th one would be recognized as trusted timestamp.

TABLE VII: States Notations for Executor.

Notation	Description
$D$	A set of strings, tracks the digests of commands
	which have been committed.
$C$	A vector of command info, where $C[d]$ refers
	to the command info $c$ whose digest is equal to $d$ .
$Q$	An $n$ -sized vector of FIFO queues, where $Q[j]$ is the
	FIFO queue $\mathbb{Q}_{j}$ .
$\mathbb{Q}_{j}$	The queue used to record the logs from $N_{j}$
	according to the commitment order into executor.
$\theta_{j}$	The front-log in $\mathbb{Q}_{j}$ that $\theta_{j}\leftarrow Q[j].read\_front()$ .
	If $\mathbb{Q}_{j}.len()=0$ , then $\theta_{j}\leftarrow\bot$ .
$\Theta$	An $n$ -sized vector of front-logs, where $\Theta[j]$ tracks
	the front-log $\theta_{j}$ .

States. Each node $N_{i}$ ’s executor maintains the states as is shown in Table VII. The set $D$ is used to track the committed commands. The vector $C$ is used to track the command info in executor module. The $n$ -sized vector $Q$ is used to store the commands submitted from consensus module. The $Q[j]$ refers to the FIFO queue $\mathbb{Q}_{j}$ , which is used store the logs of $N_{j}$ . The $\theta_{j}$ refers to the front-log in $\mathbb{Q}_{j}$ . And we use an $n$ -sized vector $\Theta$ to track the $\theta_{j}$ .

Actions. Whenever $\mathrm{consensus}_{i}.\mathbb{S}$ is not empty, take the front element in it that $S\leftarrow\mathrm{consensus}_{i}.\mathbb{S}.front()$ and try to process $S$ with the ordering process as follows.

Step 1. Commit logs in $S$ one by one into executor module. For each log $o$ in $S$ , read the command info $c$ from $C$ at first that $c\leftarrow C[o.d_{r}]$ (if there doesn’t exist such a command info, initiate it). Update $c.O[o.i]$ with $o$ and add $o$ into the end of FIFO queue $Q[o.i]$ .

Step 2. Find the anchor-set. Initialize an empty anchor-set $F$ . Read every FIFO queue in $Q$ . While reading $\mathbb{Q}_{i}$ , if the front-log $\theta_{i}$ points to a committed command that $\theta_{i}.d_{r}\in D$ , then remove it and read the latest front-log. Repeat the process till the front-log $\theta_{i}$ is $\bot$ or points to uncommitted command. Add each $\theta_{i}$ into a vector $\Theta$ that $\Theta[i]$ tracks the front-log $\theta_{i}\leftarrow Q[i].read\_front()$ . If there exists commands $\{r\}$ that at least $f+1$ front-logs point to $r$ , then put all these command info $c\to r$ into $F$ , return the anchor-set $F$ . If not, jump into alter path.

alter path. For all the command info with $|c.O|\leq 2f+1$ , get the command info $c$ with the lowest trusted timestamp. Then regard the command $c\to r$ as anchor command $r_{a}$ . If $c\to r_{a}$ , that we can find $c^{\prime}$ , $c^{\prime}\to r^{\prime}$ , that there is not a reliable context $r_{a}\prec r^{\prime}$ , then add $r^{\prime}$ into $F$ . Repeat this process until no such a $c^{\prime}$ can be found or the $c^{\prime}$ added into $F$ has $|c^{\prime}.O|<2f+1$ .

Step 3. Check the front set. For each command info $c$ in $F$ , if $|c.O|<f+1$ , then remove $c$ from $F$ . If $\exists c\in F$ that there are at least $f+1$ non-empty values in $c.O$ but $|c.O|$ is less than $2f+1$ , then directly return an empty anchor-set.

Step 5. Commit the commands according to $F$ . First of all, sort the command info {c} in anchor-set $F$ according to the in ascending order by trusted timestamp of $c$ . If the trusted timestamps are the same, then sort the command info alphabetically. After that, according to the sorted command info set $\{c\}$ , we would commit the command $r$ that $c\to r$ one by one. To obtain the command $r$ , we could read the mempool or request it from others.

As is shown in Fig 4, it is the journey for non-faulty nodes to create total ordering after each participant has generated partial ordering in its mempool.

After the commitment of commands, each non-faulty node gets the same total ordering to execute them. After the execution of the command, nodes would feedback the results to proposers. If the proposer has received $f+1$ the same response for one command, accept the execution result for it.

III-F Proof

Theorem 2 (Validity).

If a non-faulty node appends $r$ into its final ordering, then at least one non-faulty node has selected $r$ into its partial ordering.

Proof:

Before command $r$ has been committed into final ordering, the node should collect at least $2f+1$ logs from different participants pointing to it. The logs are related to nodes’ partial ordering. As the adversary can only control up to $f$ nodes, $r$ has been selected at least one non-faulty node. ∎

Theorem 3 (Consistency).

For logs $o_{1}$ and $o_{2}$ from the same node, if their certificates are valid, then $o_{1}.n\neq o_{2}.n$ .

Proof:

For logs $o_{1}$ and $o_{2}$ both generated by $N_{i}$ , assume that they have valid certificates and $o_{1}.n=o_{2}.n=k$ . So that, $2f+1$ nodes have voted for $o_{1}$ and $o_{2}$ which means at least $f+1$ nodes have voted for logs from $N_{i}$ on sequence number $k$ twice. But the adversary can only control up to $f$ nodes. Therefore, here is a paradox. ∎

Theorem 4 (Consistency).

For non-faulty nodes $N_{1}$ and $N_{2}$ , let $I_{1}$ and $I_{2}$ denote their total ordering. If there is context $r_{1}\prec r_{2}$ in $I_{1}$ , then we could eventually find $r_{1}\prec r_{2}$ in $I_{2}$ .

Proof:

In consensus module, every non-faulty node will find the same log stream. While generating the total ordering, non-faulty node should process the log stream by order. Because of the strategy of SMR, if the log stream is the same, the state on each node would be the same. So that, the final ordering on each non-faulty node is the same. ∎

Theorem 5 (Consistency).

For nodes $\forall N_{1}\in N$ and $\forall N_{2}\in N$ , regard their final order decision as $O_{1}$ and $O_{2}$ . If $\exists c_{1},c_{2}\in O_{1}\land c_{1}\prec c_{2}$ , then $\exists c_{1},c_{2}\in O_{2}\land c_{1}\prec c_{2}$ .

Theorem 6 (Finality).

For valid verifiable logs $o_{1}$ and $o_{2}$ from the same node that $o_{2}.n=o_{1}.n+1$ , if there is a committed order-batch $b$ that $o_{2}\in b.H$ , then each non-faulty node can receive the consistent $o_{1}$ .

Proof:

For the verifiable logs $o_{1}$ and $o_{2}$ from $N_{i}$ , $n_{1}\leftarrow o_{1}.n$ , $n_{2}\leftarrow o_{2}.n$ , $n_{2}=n_{1}+1$ . Because of the validation of $o_{2}$ , $2f+1$ nodes have voted for it, which means they have already received $o_{1}$ . While the commitment of logs in executor, we could request $o_{1}$ from others, since there are at most f malicious nodes, everyone could receive the valid $o_{1}$ at last. ∎

Theorem 7 (Anchor Linearity).

Let $R_{a}$ denote the set of anchor commands generated by Phalanx. There is a partial ordering set $\langle R_{a},\prec_{r}\rangle$ .

Proof:

For $\forall r_{1},r_{2}\in R_{a}$ and $r_{1}$ is committed before $r_{2}$ , make an assumption that there isn’t reliable context that $r_{1}\prec_{r}r_{2}$ . If $r_{1}$ is selected by normal path, then at least $f+1$ nodes believe we should commit $r_{1}$ at first, so that there is $r_{1}\prec_{r}r_{2}$ . If $r_{1}$ is selected by alter path, then the commands $\{r^{\prime}\}$ without $r_{1}\prec_{r}r^{\prime}$ are committed at the same anchor-set, so that for the uncommitted $r_{2}$ , there is reliable context that $r_{1}\prec_{r}r_{2}$ . ∎

As for the commands belonging to the same anchor-set, the timestamp-based strategy can be taken to decide their ordering. For there are at most $f$ faulty nodes, the $(f+1)$ -th largest timestamp is most likely sent from a non-faulty node, when we have received at least $2f+1$ logs pointing to specific command from different nodes.

IV Implementation

We implement Phalanx as a modular component in Go and should employ it with state-of-the-art BFT protocol. Bamboo[15] is an evaluation framework for chained-BFT protocols in Go. It has implemented multi kinds of chained-BFT protocols, e.g. chained HotStuff, StreamLet and etc.. Here, we complete Phalanx system on Bamboo chained-BFT implementations. The following experiments concentrate on the Phalanx system employed on HotStuff in Bamboo. Refer to HotStuff as HS. Refer to the extended protocol from HS as Phalanx-HS.

To amortize the cost of protocol, batching is a common optimization for performance improvement. In our implementation of Phalanx, we would like to make use of batching strategy. Each proposer could propose a command batch with $b$ requests in it. Each node could generate one batched log to declare its ordering preference for a series of commands that node could request ordering phase every $\Delta_{o}$ interval to declare its partial ordering in that duration. As for the performance, the batching strategy amortize the cost of hash calculation and signature verification, and Phalanx could achieve a more satisfying performance with batching strategy.

V Experiment and Evaluation

In this section, we evaluate the performance and reliability of Phalanx system which is employed in BFT protocol implementations on Bamboo. The main concern is about the impact of Phalanx component on latency and throughput in our system. To analyze it, we compare Phalanx system with its baseline BFT protocols in both LAN and WAN environments. Next, we concentrate on the fair ordering functionality of Phalanx. After that, we compare the robustness of anchor-based Phalanx with timestamp-based strategy.

V-A Performance Evaluation

Baseline and Metrics. We take HS as the baseline of our performance evaluation. We would like to compare the throughput and latency between HS and Phalanx-HS in both LAN and WAN environment. In this part, we concentrate on the performance loss caused by Phalanx component and some other factors which could affect performance. The latency has ignored the transmission delay of commands.

LAN Deployment and Performance. We deployed our evaluation on 4 instances in the same datacenter to compare the performance of baseline and Phalanx. Each Phalanx node ran on Aliyun ECS c7 with 8vCPU (Intel Xeon 8369B) and 16GiB memory.

For each datacenter, we use the default batch size $b=200$ and the ordering interval $\Delta_{o}=50$ ms. The results are shown in Table VIII. If there is only 1 proposer ( $p=1$ ) to propose commands in Phalanx-HS, the throughput of it is almost the same as HS while the latency of Phalanx-HS is 15.3% higher than HS. If we increase the number of proposers from 1 to 4, the throughput of Phalanx-HS increases in direct proportion to the number of proposers, while the latency of Phalanx-HS has barely changed. Then, we evaluate the performance of HS with $b=800$ , and we found that its performance is almost the same as Phalanx-HS with $b=200$ and $p=4$ .

TABLE VIII: Performance of Phalanx in LAN.

	throughput (txs/s)	latency (ms)
HS(b=200)	38,680	54.1
Phalanx-HS(b=200, p=1)	35,956	62.4
Phalanx-HS(b=200, p=2)	51,815	63.8
Phalanx-HS(b=200, p=3)	72,197	62.3
Phalanx-HS(b=200, p=4)	100,564	63.6
HS(b=800)	119,499	57.4

WAN Deployment and Performance. We deployed our evaluation on 4 geo-distributed nodes to compare the performance of baseline and Phalanx. Each Phalanx node ran on Aliyun ECS c5e with 8vCPU (Intel Xeon 8269CY) and 16GiB memory. Servers are located in Silicon Valley, Frankfurt, London, and Tokyo.

For each geo-distributed node, we use the default batch size $b=200$ and the ordering interval $\Delta_{o}=200$ ms. The results are as shown in Table IX. If there is only 1 proposer ( $p=1$ ) to propose commands in Phalanx-HS, the throughput of it is almost the same as HS. However, the latency of Phalanx-HS is 5.57% lower than HS, which is satisfying. It is mainly because that the main bottleneck of geo-distributed system is network communication and the order-batch which only contains the latest logs of each participant has reduced the volume of HS consensus proposal. Besides, each part of Phalanx (mempool, consensus, and executor) are running concurrently, which can make full use of computing resources. Then, we increase the number of proposers from 1 to 4, and also find that the throughput of Phalanx-HS increases in direct proportion to the number of proposers with barely changed latency in geo-distributed environment.

TABLE IX: Performance of Phalanx in WAN.

	throughput (txs/s)	latency (ms)
HS(b=200)	1,288	1,324.6
Phalanx-HS(b=200, p=1)	1,294	1,250.8
Phalanx-HS(b=200, p=2)	2,515	1,264.8
Phalanx-HS(b=200, p=3)	3,781	1,142.5
Phalanx-HS(b=200, p=4)	5,196	1,252.1

Evaluation. Compared to the baseline, Phalanx incurs signatures and more network communications to process verifiable logs. However, the order-batch reduces the volume of the state-of-the-art BFT proposals. Then, as for the latency for Phalanx, it is about 15% higher than HS in LAN and could be slightly lower than HS in WAN environment. As for throughput, Phalanx is almost the same as HS if there is only 1 proposer, and the throughput of Phalanx increases in direct proportion to the number of proposers, while the latency of Phalanx-HS has barely changed. It can be considered that Phalanx does not bring too much performance loss, and it has advantages in some situations.

V-B Fault-Tolerance Functionality

Simulation for Ordering Manipulation. In this part, we simulate the ordering manipulation to verify the ability for Phalanx to resist attacks. For the commands generated by the same proposer, there should be an intuitively distinct ordering that we need to commit the earlier proposed command at first. So that, we add sequence number on commands proposed to note the intuitive distinct ordering. To simulate the Byzantine behaviour, we inject some codes to make the adversary disorder the commands it has received and generate wrong partial ordering. With the monitoring on whether the commands are committed according to the sequence number, we can evaluate the ability to resist ordering manipulation.

TABLE X: Fault Tolerance on Ordering.

	reordered commands ratio
following byzantine	99.8%
$f=0$	0%
$f=1$	0%
$f=2$	21.1%

Table X shows the change of reordered commands ratio with the number of Byzantine nodes. If there is no adversary that $f=0$ , no intuitively distinct context is broken. If there is one Byzantine node and follow the attacker’s ordering, then almost all the intuitively distinct contexts are destroyed. However, after the activation of Phalanx strategy, only almost every intuitively distinct context has been resisted. If the number of adversarial nodes is larger than the fault-tolerance threshold, we can find there are part of command pairs with intuitively distinct context have been reordered.

V-C Adversary Resistance

In this part, we compare the adversarial attack resistance ability between timestamp-based strategy and Phalanx. For Byzantine fault tolerance protocols, if the number of Byzantine nodes is no larger than the fault-tolerance threshold, we expect the intuitively distinct contexts should be preserved. Here, we do not implement a timestamp-based protocol[12][13]. We compare the Phalanx with timestamp-based strategy directly.

TABLE XI: Adversarial Attack Resistance Comparison.

$f$	Phalanx	Timestamp-based
0	✓	✓
1	✓	✓
2	✓	✓
3	✓	$\times$
4	✓	$\times$
5	✓	$\times$

We deployed our evaluation on 16 nodes. Each Phalanx node ran on Aliyun ECS c7 with 8vCPU (Intel Xeon 8369B) and 16GiB memory. We inject codes to make some of them malicious and set 2 proposers. Increase the byzantine node number from 0 to threshold ( $f=5$ ) and detect the ratio of commands which have been reordered. Here, let us consider that the system has resisted manipulation attack if the ratio of reordered commands is less than 0.5%. As is shown in Table XI, both Phalanx and timestamp-based strategy could reserve the intuitively distinct context without any Byzantine nodes. However, if there exists Byzantine nodes in current situation, the timestamp-based strategy sometimes cannot prevent manipulation attack, while Phalanx could still reverse intuitively distinct contexts.

To take further evaluation on adversary resistance, we deployed our evaluation on 34 nodes. Each Phalanx node ran on Aliyun ECS c7 with 4vCPU (Intel Xeon 8369B) and 8GiB memory. We also inject codes to make some of them malicious and set 2 proposers. Increase the byzantine node number from 0 to threshold ( $f=11$ ) and detect the reordered commands ratio. As is shown in Fig 5, the probability of timestamp-based strategy causing command reordered which has destroyed intuitively distinct context is significantly higher than Phalanx. As the number of Byzantine nodes increases within the threshold, the commands ordered by timestamp-based strategy will be much easier to be attacked, while the reordered commands ratio through Phalanx does not increase rapidly. We found that the Phalanx performs better in resisting ordering manipulation than timestamp-based strategy.

Besides, we find that, whenever reordered commands ratio of Phalanx goes up, there are more anchor-sets selected through alter path. It is an attention-worth problem that can be further studied in the future.

VI Related Works

Aequitas[10] proposed by Kelkar et al. in 2020 are the first class of protocols which have achieved weak order-fairness in both synchronous and asynchronous situations. To deal with Condorcet Paradox, Aequitas construct a relation graph of transactions and find out all of the strongly connected components (SCCs) and the transactions in the same SCC would constitute Condorcet Paradox. After that Aequitas could find deterministic ordering to execute each SCC, and the transactions in the same SCC would be applied in the same batch. It could be considered as a batch-based ordering protocol. In 2021, Themis[11] was proposed by Kelkar et al.. It is the upgraded batch-based ordering protocol from Aequitas. It has resolved the liveness problem and has reduced communication complexity. However, to detect SCCs in relation graph, the commonly used algorithm such as Tarjan[16] and Kosaraju[17] have high computation complexity which is related to the number of transactions and their context. It is an obvious system bottleneck. The experiment of Themis shows that its throughput is about 20% of HS with the same batch-size in LAN.

Pompe[12] proposed by Zhang et al. has also proposed a practical protocol to deal with ordering manipulation. Here, transactions are ordered according to the medium timestamp that it is a naturally linear ordering indicator which could avoid Condorcet Paradox. With this simplified ordering strategy, Pompe has achieved higher throughput at competitive latencies compared with the state-of-the-art BFT protocols. As the indicator is constructed by timestamps, the ordering strategy in Pompe could be regarded as a timestamp-based ordering protocol. In the same year, Wendy[13] proposed by Kursawe et al. has also achieved order-fairness with medium timestamp similar to Pompe.

Although, without detecting SCCs, timestamp-based ordering strategy seems like to have resolved the bottleneck of Byzantine ordered protocols, it just provides each node an opportunity to decide the final order, which reduces the impact of the adversary but cannot prevent arbitrary behavior of manipulating ordering. As is shown in Table XII. There are 4 nodes that $N_{3}$ is a malicious node. Here is a pair of commands $c_{1}$ and $c_{2}$ with intuitively distinct context $c_{1}\prec c_{2}$ that they are proposed by the same proposer and $c_{1}$ is proposed several seconds before $c_{2}$ . $N_{2}$ and $N_{4}$ receive these commands slightly later, while $N_{1}$ received these commands earlier. If we select $N_{1}$ , $N_{2}$ , and $N_{3}$ as the final set, then $c_{1}$ ’s medium timestamp 2 would be smaller than $c_{1}$ that such pair of commands would be reserved.

TABLE XII: Medium timestamp failure.

	$N_{1}$	$N_{2}$	$N_{3}$	$N_{4}$
$c_{1}$	0	3	3	3
$c_{2}$	1	4	2	4

Fiary[18], proposed by Stathakopoulou et al. is an ordering system with the assistance of TEE to prevent front-running attacks. Fairy needs to introduce specific hardware to support the operation of the protocol, and its correctness depends on the reliability of the TEE itself. So that, the scope of its application is relatively limited. In 2021, Cachin et al. also theoretically proposed a quick order fairness atomic broadcasting protocol [19], which can ensure that messages are delivered in different fair orders. However, it has not been implemented.

VII Conclusion

To propose an efficient Byzantine ordered consensus protocol, we propose anchor-based ordering strategy and design a protocol called Phalanx based on it. Phalanx is a practical Byzantine ordered protocol, which can be employed in each state-of-the-art BFT protocol. The ordering phase in Phalanx does not take too much performance loss that only 15% more latency and slightly decrease of throughput in LAN. Because of the optimization of communication, the latency of Phalanx is lower than HS in WAN. As for resisting ordering manipulation, Phalanx is better than the timestamp-based strategy. Besides, the ratio of anchor-sets generated through alter path seems to be taken to track the reliability of Phalanx, which could be further studied in the future.

References

[1] M. Castro, B. Liskov et al., “Practical byzantine fault tolerance,” in OSDI, vol. 99, no. 1999, 1999, pp. 173–186.
[2] M. Castro and B. Liskov, “Practical byzantine fault tolerance and proactive recovery,” ACM Transactions on Computer Systems (TOCS), vol. 20, no. 4, pp. 398–461, 2002.
[3] M. Yin, D. Malkhi, M. K. Reiter, G. G. Gueta, and I. Abraham, “Hotstuff: Bft consensus with linearity and responsiveness,” in Proceedings of the 2019 ACM Symposium on Principles of Distributed Computing, 2019, pp. 347–356.
[4] P. Daian, S. Goldfeder, T. Kell, Y. Li, X. Zhao, I. Bentov, L. Breidenbach, and A. Juels, “Flash boys 2.0: Frontrunning in decentralized exchanges, miner extractable value, and consensus instability,” in 2020 IEEE Symposium on Security and Privacy (SP). IEEE, 2020, pp. 910–927.
[5] V. Buterin et al., “Ethereum white paper,” GitHub repository, vol. 1, pp. 22–23, 2013.
[6] M. Lewis, Flash boys: a Wall Street revolt. WW Norton & Company, 2014.
[7] R. Shostak, M. Pease, and L. Lamport, “The byzantine generals problem,” ACM Transactions on Programming Languages and Systems, vol. 4, no. 3, pp. 382–401, 1982.
[8] F. Brandt, V. Conitzer, U. Endriss, J. Lang, and A. D. Procaccia, Handbook of computational social choice. Cambridge University Press, 2016.
[9] M. d. Condorcet, “Essay on the application of analysis to the probability of majority decisions,” Paris: Imprimerie Royale, 1785.
[10] M. Kelkar, F. Zhang, S. Goldfeder, and A. Juels, “Order-fairness for byzantine consensus,” in Annual International Cryptology Conference. Springer, 2020, pp. 451–480.
[11] M. Kelkar, S. Deb, S. Long, A. Juels, and S. Kannan, “Themis: Fast, strong order-fairness in byzantine consensus,” Cryptology ePrint Archive, 2021.
[12] Y. Zhang, S. Setty, Q. Chen, L. Zhou, and L. Alvisi, “Byzantine ordered consensus without byzantine oligarchy,” in 14th $\{$ USENIX $\}$ Symposium on Operating Systems Design and Implementation ( $\{$ OSDI $\}$ 20), 2020, pp. 633–649.
[13] K. Kursawe, “Wendy, the good little fairness widget: Achieving order fairness for blockchains,” in Proceedings of the 2nd ACM Conference on Advances in Financial Technologies, 2020, pp. 25–36.
[14] M. Kelkar, S. Deb, and S. Kannan, “Order-fair consensus in the permissionless setting.” IACR Cryptol. ePrint Arch., vol. 2021, p. 139, 2021.
[15] F. Gai, A. Farahbakhsh, J. Niu, C. Feng, I. Beschastnikh, and H. Duan, “Dissecting the performance of chained-bft,” arXiv preprint arXiv:2103.00777, 2021.
[16] R. Tarjan, “Depth-first search and linear graph algorithms,” SIAM journal on computing, vol. 1, no. 2, pp. 146–160, 1972.
[17] M. Sharir, “A strong-connectivity algorithm and its applications in data flow analysis,” Computers & Mathematics with Applications, vol. 7, no. 1, pp. 67–72, 1981.
[18] C. Stathakopoulou, S. Rüsch, M. Brandenburger, and M. Vukolić, “Adding fairness to order: Preventing front-running attacks in bft protocols using tees,” in 2021 40th International Symposium on Reliable Distributed Systems (SRDS). IEEE, 2021, pp. 34–45.
[19] C. Cachin, J. Mićić, and N. Steinhauer, “Quick order fairness,” arXiv preprint arXiv:2112.06615, 2021.