As easy as ABC: Optimal (A)ccountable (B)yzantine (C)onsensus is easy!

It is known that the Byzantine consensus problem among 𝑛 processes cannot be solved in a non-synchronous system if the number of faulty processes exceeds 𝑡 0 , where 𝑡 0 = ⌈ 𝑛 / 3 ⌉ − 1 [15]. Indeed, if the number of faulty processes is greater than the 𝑡 0 threshold, correct processes might never decide or (even worse) correct processes might decide and disagree. We focus in this paper on the latter case, where disagreement occurs. Specifically, we investigate the accountable Byzantine consensus problem in non-synchronous systems: the problem of solving Byzantine consensus whenever possible (i.e., whenever the number of faulty processes does not exceed the 𝑡 0 bound) and otherwise allowing correct processes to obtain a proof of culpability of (at least) 𝑡 0 + 1 faulty processes whenever correct processes disagree. We present three complementary contributions: (i) We give a simple transformation named ABC that enables any Byzantine consensus protocol to obtain accountability. Besides being simple, ABC is also efficient: it induces an overhead of (1) two all-to-all communication rounds and 𝑂 ( 𝑛 2 ) exchanged bits of information in all executions with up to 𝑡 0 faults 1 , and (2) three all-to-all communication rounds and 𝑂 ( 𝑛 3 ) exchanged bits of information otherwise. Therefore, any protocol that solves the Byzantine consensus problem with quadratic (or greater) communication complexity retains its complexity in solving the problem after our transformation. (ii) We show that ABC , despite its simplicity, allows for optimal communication complexity in solving the accountable Byzantine consensus problem. That is, (1) we prove that any accountable Byzantine consensus incurs cubic communication complexity whenever disagreement occurs, and (2) we demonstrate that the lower bound is tight by applying ABC to any cubic Byzantine consensus protocol (e.g., binary DBFT [8]). (iii) We show that ABC is not limited to the Byzantine consensus problem. Specifically, we define a class of easily accountable agreement tasks and we prove that generalized ABC transformation indeed provides accountability for such tasks. Important distributed tasks, like Byzantine reliable [3] and Byzantine consistent broadcast [3], fall into this class.


INTRODUCTION
Ensuring both safety ("nothing bad ever happens") and liveness ("something good eventually happens") of a wide variety of distributed Byzantine problems is impossible if the number of Byzantine processes exceeds a certain predefined threshold [15].This limitation motivated researchers to investigate accountable variants of these problems.The accountable variant of a problem P consists in (1) solving problem P under the appropriate assumptions (e.g., whenever the number of Byzantine processes does not exceed the threshold), and (2) allowing all correct participants to detect some fraction of culprits if the safety of problem P is violated.Accountability in distributed systems is important since it discourages bad behavior.If malicious behavior is guaranteed to result in apprehension and punishment, malicious processes are much less likely to carry out an attack in the first place, thus strengthening the security of the system.This paper primarily focuses on obtaining accountability in Byzantine consensus protocols that operate in nonsynchronous systems.The Byzantine consensus problem [15] is defined among  processes while tolerating up to 2 Pierre Civit, Seth Gilbert, Vincent Gramoli, Rachid Guerraoui, and Jovan Komatovic  0 = ⌈/3⌉ − 1 Byzantine (malicious) processes.A process initially proposes a value and eventually decides a value such that the following properties hold: • (Liveness) Termination: Every correct process eventually decides.
• (Safety) Agreement: All correct processes decide the same value.
• (Safety) Validity: If all correct processes propose the same value, a correct process can decide only that value.
The conjunction of the aforementioned properties can only be ensured if the number of faulty processes does not exceed  0 [15].If indeed the faulty processes overpopulate the system, any of these properties might be violated.
This work focuses on cases when violation of the agreement property occurs.Specifically, we take a closer look at the accountable Byzantine consensus problem.A process initially proposes and later decides a value (as done in the Byzantine consensus problem) and detects some faulty processes.Formally, the accountable Byzantine problem is solved if and only if the following properties are ensured: • Termination: If the number of faulty processes does not exceed  0 , then every correct process eventually decides.
• Agreement: If the number of faulty processes does not exceed  0 , then all correct processes decide the same value.
• Validity: If the number of faulty processes does not exceed  0 and all correct processes propose the same value, a correct process can decide only that value.• Accountability: If two correct processes decide different values, then every correct process eventually detects at least  0 + 1 faulty processes and obtains a proof of culpability of all detected processes.The contributions of the paper are threefold: (i) We present a generic and simple transformation -ABC -that allows any Byzantine consensus protocol to obtain accountability.Our transformation is also efficient: it introduces an overhead of (1) only two all-to-all communication rounds and  ( 2 ) exchanged bits of information in all executions with at most  0 faulty processes (i.e., in the common case), and (2) three all-to-all communication rounds and  ( 3 ) exchanged bits of information otherwise (i.e., in the degraded case).Therefore, any protocol that solves the Byzantine consensus problem with quadratic (or greater) communication complexity retains its complexity in solving the problem after ABC.
ABC owns its simplicity and efficiency to the observation that the composition presented in Algorithm 1 solves the Byzantine consensus problem.Indeed, if the number of faults does not exceed  0 , all processes eventually broadcast and receive  −  0 matching confirm messages.However, the important mechanism illustrated in Algorithm 1 is that faulty processes must send conflicting confirm messages in order to cause disagreement.Hence, whenever correct processes disagree, they only need to exchange received confirm messages to obtain accountability.
return  ′ (ii) We show that our ABC transformation, despite its simplicity, suffices for obtaining optimal communication complexity in accountable Byzantine consensus protocols.Namely, we prove that any accountable Byzantine consensus incurs cubic communication complexity whenever disagreement occurs and we demonstrate that the lower bound is tight by applying ABC to any cubic Byzantine consensus protocol (e.g., DBFT binary consensus [8]).
(iii) We prove that ABC is not limited to Byzantine consensus.Specifically, we define a class of easily accountable agreement tasks and we demonstrate that generalized ABC transformation indeed provides accountability for such tasks.Important distributed tasks, like Byzantine reliable [4] and Byzantine consistent [4] broadcast, fall into the class of easily accountable agreement tasks.
Related Work.The work on accountability in distributed systems was pioneered in [13].The authors presented PeerReview -a generic accountability layer for distributed systems.Same authors initiated the formal study of Byzantine failures in the context of accountability [14].Recently, with the expansion of blockchain systems, the interest in accountable distributed protocols resurfaced once again.Polygraph [7] -the first accountable Byzantine consensus protocol -was introduced by Civit et al.The Polygraph protocol solves Byzantine consensus [15] whenever possible (i.e., whenever the number of faulty processes is less than one third of all processes in the system) and enables accountability whenever two correct processes disagree.Casper [2] is another system designed around the goal of obtaining accountability.Most recently, authors of [18] investigated the possibility of obtaining accountability in protocols based on PBFT [5] in scenarios in which the system is not severely corrupted.The commonality between the discussed prior work is employing sophisticated mechanisms for obtaining accountability.In contrast, we give significantly simpler solution to the problem.
Roadmap.We present the system model in §2.We devote §3 to our ABC transformation.Specifically, we first introduce the novel accountable confirmer problem ( §3.1), the crucial building block of ABC.Then, we present ABC and prove its correctness ( §3.2).In §3.3, we demonstrate that ABC suffices for obtaining optimal communication complexity in accountable Byzantine consensus protocols.We define easily accountable agreement tasks and prove the applicability of generalized ABC to such tasks in §4.Finally, we conclude the paper in §5.

MODEL
We consider a system with a set { 1 , ...,   } of  processes that communicate by exchanging messages through a point-to-point network.The system is non-synchronous: there is no bound that always holds on message delays and relative speed of processes.Non-synchronous systems include: • asynchronous systems, where the bound does not exist, and • partially synchronous systems [11], where the bound holds only eventually.
All our results given in the present paper assume a non-synchronous system.
Each process is assigned its local protocol to execute.A local protocol of a process defines steps to be taken by the process during a run of the system.The collection of all local protocols assigned to processes is referred to as a distributed protocol (or simply a protocol).
A subset of all processes might be faulty: these processes may arbitrarily deviate from their local protocol, i.e., we consider the Byzantine failure model.If a process is not faulty, we say that the process is correct.We assume that any message sent by a correct process to a correct process is eventually received, i.e., we assume that communication is reliable.An execution of the system is a single run of the system, i.e., it is a sequence of sending and receiving events, as well as the internal events of processes.We denote by  the actual number of faulty processes in an execution.Finally, we denote by P( ) the power set of a set  .
Cryptographic Primitives.We assume an idealized public-key infrastructure (PKI): each process is associated with its own public/private key pair that is used to sign messages and verify signatures of other processes.A message  sent by Pierre Civit, Seth Gilbert, Vincent Gramoli, Rachid Guerraoui, and Jovan Komatovic a process   that is properly signed with the PKI private key of   is said to be properly authenticated.We denote by    a message  signed with the PKI private key of a process   .
Moreover, we assume a (, )-threshold signature scheme [16], where  =  − ⌈/3⌉ + 1.In this scheme, each process holds a distinct private key and there exists a single public key.Each process   can use its private key to produce a partial signature of a message  by invoking ShareSign  ().Moreover, a partial signature tsignature of a message  produced by process   could be verified with ShareVerify  (, tsignature).Finally, set  = {tsignature  } of partial signatures, where | | =  and, for each tsignature  ∈ , tsignature  = ShareSign  (), could be combined into a single digital signature by invoking Combine(); a combined digital signature tcombined of message  could be verified with Verify(, tcombined).In the rest of the paper, we assume that the cost of obtaining the threshold signature scheme is amortized and, thus, negligible.
Crucially, we assume that the PKI private key of a correct process is never revealed (irrespectively of the number of faulty processes in the system).Therefore, if a message  is signed with the PKI private key of a process   and   is correct, then the message  was certainly sent by   .On the other hand, if the number of faulty processes does exceed  − , then the threshold private key of a process can be revealed and faulty processes might forge a partial signature of a correct process.
Proof of Culpability.We say that a set S of properly authenticated messages sent by a process   is a proof of culpability of   if and only if there does not exist an execution  of the system where (1)   sends all the messages from the S set, and (2)   is correct.Observe that a proof of culpability of a process contains messages signed by the process with its PKI private key.Indeed, the PKI private key of a correct process is never revealed (as opposed to the threshold private key of a correct process that might be revealed if the number of faults exceeds  − , where  =  − ⌈/3⌉ + 1) which implies that a proof of culpability of a correct process can never be obtained.
Complexity Measure.In this work, as in many in distributed computing, we care about the communication complexity which is the maximum number of authenticators sent by all correct processes combined across all executions of the system.An authenticator is either a partial signature or a signature.

ABC TRANSFORMATION
This section presents ABC, our transformation that enables any Byzantine consensus protocol to obtain accountability.
To this end, we first introduce the accountable confirmer problem and give its implementation ( §3.1).Then, we construct our ABC transformation around accountable confirmer ( §3.2).In §3.3, we prove that ABC allows for obtaining optimal communication complexity in accountable Byzantine consensus protocols.Finally, we conclude the section with a brief discussion about the applicability of ABC and communication optimality it provides ( §3.4).

Accountable Confirmer
The accountable confirmer problem is a distributed problem defined among  processes.The problem is associated with parameter  0 = ⌈/3⌉ − 1 emphasizing that some properties are ensured only if the number of faulty processes does not exceed  0 2 .Accountable confirmer exposes the following interface: (1) request submit () -a process submits value , (2) indication confirm( ′ ) -a process confirms value  ′ , and (3) indication detect (, proof ) -a process detects 2 Recall that  0 = ⌈/3⌉ − 1 is the number of faulty processes tolerated by the Byzantine consensus problem.
processes from the set  such that proof represents a proof of culpability of all processes that belong to  .The following properties are ensured: • Terminating Convergence: If the number of faulty processes does not exceed  0 and all correct processes submit the same value, then that value is eventually confirmed by every correct process.• Agreement: If the number of faulty processes does not exceed  0 , then no two correct processes confirm different values.
• Validity: Value confirmed by a correct process is submitted by a correct process.
• Accountability: If two correct processes confirm different values, then every correct process eventually detects at least  0 + 1 faulty processes and obtains a proof of culpability of all detected processes.
Terminating convergence ensures that, if (1) the number of faults does not exceed  0 , and (2) all correct processes submit the same value, then all correct processes eventually confirm that value 3 .Agreement stipulates that no two correct processes confirm different values if the system is not corrupted (even if submitted values of correct processes differ).
Validity ensures that any confirmed value is submitted by a correct process.Finally, accountability ensures detection of  0 + 1 faulty processes by every correct process whenever correct processes confirm different values.
Implementation.We now give an implementation of the accountable confirmer problem (Algorithm 2).The implementation takes advantage of threshold signatures (see §2) in order to obtain quadratic communication complexity in the common case (i.e., in executions with up to  0 faulty processes).In the degraded case (i.e., in executions with more than  0 faulty processes), the communication complexity is cubic.
Each process initially broadcasts the value it submitted in a submit message (line 17): the submit message contains the value and the partial signature of the value.Moreover, the entire message is signed with the PKI private key of the sender.Once a process receives such a submit message, the process (1) checks whether the message is properly signed (line 6), ( 2) verifies the partial signature (line 19), and (3) checks whether the received value is equal to its submitted value (line 19).If all of these checks pass, the process stores the received partial signature (line 20) and the entire message (line 21).Once a process stores partial signatures from (at least)  −  0 processes (line 23), the process confirms its submitted value (line 25) and informs other processes about its confirmation by combining the received partial signatures into a light certificate (line 26).The role of threshold signatures in our implementation is to allow a light certificate to contain a single signature, thus obtaining quadratic overall communication complexity if  ≤  0 .
Once a process receives two conflicting light certificates (line 31), the process concludes that correct processes might have indeed confirmed different values 4 .If the process has already confirmed its value, the process broadcasts the set of (at least)  −  0 properly authenticated [submit, , * ] messages (line 33), where  is the value confirmed (and submitted) by the process; such set of messages is a full certificate for value .Finally, once a process receives two conflicting full certificates (line 38), the process obtains a proof of culpability of (at least)  0 + 1 faulty processes (line 41), which ensures accountability.Indeed, each full certificate contains  −  0 properly authenticated messages: every process whose message is in both full certificates is faulty and these messages represent a proof of its misbehavior (recall that no faulty process ever obtains the PKI private key of a correct process).
Theorem 1. Algorithm 2 solves the accountable confirmer problem with: •  ( 2 ) communication complexity in the common case, and •  ( 3 ) communication complexity in the degraded case.
Proof.We start by proving the terminating convergence property.Indeed, if  ≤  0 and all correct processes submit the same value , then the rule at line 23 eventually triggers at each correct process.Since each correct process confirms only the value it has submitted (line 25), the property is satisfied by Algorithm 2.
We prove agreement by contradiction.Let a correct process   confirm value , let another correct process   confirm value  ′ ≠  and let  ≤  0 .Hence,   (resp.,   ) has received  −  0 submit messages for value  (resp.,  ′ ).Given that  0 < /3, we conclude that number of processes that have sent the submit message for both values must be greater than  0 .This implies that there are more than  0 faulty processes, which contradicts the fact that  ≤  0 .Therefore, the agreement property is ensured.
Validity trivially follows from the fact that each correct process confirms only the value it has submitted (line 25).
We now prove accountability.Let a correct process   confirm value  and let another correct process   confirm value  ′ ≠ .The rule at lines 31 and 32 is eventually triggered at each correct process that confirms a value.Once the rule is triggered at   (resp.,   ), the process broadcasts its full certificate to all processes (line 33).Eventually, the rule at line 38 is triggered at each correct process, which ensures accountability.
Finally, we prove the claimed communication complexity: • If  ≤  0 , the communication complexity of the algorithm is quadratic because (1) light certificates are sent only once and they contain a single signature, and (2) no correct process ever sends its full certificate.• If  >  0 , the communication complexity is cubic.Indeed, broadcasting of a full certificate (that contains  () authenticators) dominates the communication complexity in this case.Therefore, each correct process sends  () authenticators to all processes (line 33), which results in cubic overall communication complexity.
The proof of the communication complexity concludes the theorem.□ Algorithm 2 Accountable Confirmer -Code for Process   1: Implements: Accountable Confirmer, instance ac 3: Uses: Best-Effort Broadcast [3], instance beb ⊲ Simple broadcast without any guarantees if the sender is faulty.
5: Rules: 1) Any submit message that is not properly authenticated is discarded. 7: 2) Rules at lines 23, 31, 32 and 38 are activated at most once.Accountable Byzantine Consensus, instance abc 3: Uses: Byzantine Consensus, instance bc ⊲ Byzantine consensus protocol to be transformed 5: Accountable Confirmer, instance ac 6: upon event ⟨abc, Propose | proposal⟩ do The following theorem shows that Algorithm 3 solves the accountable Byzantine consensus problem, which implies that ABC indeed allows Byzantine consensus protocols to obtain accountability.Theorem 2. Algorithm 3 solves the accountable Byzantine consensus problem.
Proof.Consider an execution where  ≤  0 .All correct processes eventually decide the same value  from Byzantine consensus at line 8 (by termination and agreement of Byzantine consensus).Moreover, if all correct processes have proposed the same value (line 6), then the proposed value is indeed  (ensured by validity of Byzantine consensus).
Terminating convergence of accountable confirmer ensures that all correct processes eventually confirm  (line 10) and decide from the accountable Byzantine consensus (line 11).Hence, Algorithm 3 satisfies termination, agreement and validity if  ≤  0 .
If correct processes disagree (i.e., decide different values at line 11), then these processes have confirmed different values from accountable confirmer (line 10).Thus, accountability is ensured by Algorithm 3 since accountability is ensured by accountable confirmer, i.e., every correct process eventually detects faulty processes from accountable confirmer (line 12).Thus, accountability is satisfied by Algorithm 3, which concludes the theorem.□ Finally, we note that ABC does not worsen the communication complexity of a Byzantine consensus protocol that solves Byzantine consensus optimally.It is well-known that any protocol that solves the Byzantine consensus problem incurs quadratic communication complexity due to the lower bound set by Dolev et al. [10].Given the fact that accountable confirmer has quadratic communication complexity in the common case (Theorem 1), any Byzantine consensus protocol with quadratic communication complexity retains its complexity after our transformation.In other words, any optimal Byzantine consensus protocol still matches the Dolev-Reischuk lower bound after our transformation 5 .
Corollary 1.ABC applied to any quadratic Byzantine consensus protocol gives an accountable Byzantine consensus protocol with quadratic communication complexity in the common case.

ABC Suffices For Optimal Accountability
This subsection proves that any distributed protocol that solves the accountable Byzantine consensus problem incurs cubic communication cost.Moreover, we show that the lower bound is tight by applying ABC ( §3.2) to any cubic (or sub-cubic) Byzantine consensus protocol (Corollary 2).Therefore, we show that our simple transformation allows Byzantine consensus protocols to obtain accountability optimally with respect to the communication complexity.
Let Π  be a distributed protocol that solves the accountable Byzantine consensus problem among  processes.If up to  0 = ⌈/3⌉ − 1 processes are faulty, Π  ensures termination, agreement and validity; if disagreement occurs, each correct process eventually detects at least  0 + 1 faulty processes (and obtains a proof of culpability of all detected processes).Without loss of generality, we assume that  = 3 0 + 1.
We start by separating processes that execute Π  into three disjoint groups: (1)  • All messages between processes from group  and group  are delayed until time max ( 1 ,  2 ).
Execution  is indistinguishable from execution  1 to processes from group , which implies that all processes from group  decide value  by time  1 .Similarly, all processes from group  decide value  ′ ≠  by time  2 .
Finally, we denote by partitioningExecution the prefix of execution  up to time max ( 1 ,  2 ) (Part (a) of Figure 1 depicts partitioningExecution).Observe that the following holds for execution partitioningExecution: • All processes from group  decide  in partitioningExecution.
• All processes from group  decide  ′ ≠  in partitioningExecution.
• No message is exchanged between any two processes ( ∈ ,  ∈ ).
We are now ready to prove the cubic lower bound on communication complexity for solving the accountable Byzantine consensus protocol.
Proof.The proof is built on top of partitioningExecution we constructed above.Namely, partitioningExecution is convenient for proving the cubic lower bound since the only way for correct processes (i.e., processes from the  ∪  set) to ensure accountability is to exchange information among themselves.Indeed, faulty processes (i.e., processes from group ) appear correct to all processes from group  (resp., group ).Therefore, no faulty process is detected in partitioningExecution because of the fact that no communication is established between groups  and .
Recall that each correct process needs to obtain a proof of culpability of (at least)  0 + 1 =  () faulty processes.If processes  ∈  and  ∈  aim to collaboratively obtain a proof of culpability of  0 + 1 processes, both  and  need to send (at least)  0 + 1 = Ω() authenticators.Moreover, a proof of culpability of  0 + 1 processes must contain (at least) Ω() authenticators.
We now devise a continuation of partitioningExecution which ensures that correct processes do send Ω( 3 ) authenticators.We start by stating that there is a single correct process in group  -we denote this process by .Other processes from group  are Byzantine and they do not send any message to  in the continuation of partitioningExecution.All processes from group  are correct and all processes from group  are faulty and silent.Finally, all messages sent between processes from group  are delayed in the continuation of partitioningExecution.
Let  1 ∈  be a process from group ; recall that  1 is correct.In the continuation of partitioningExecution,  1 eventually obtains a proof of culpability Σ of  0 + 1 processes by communicating with a single process  1 ∈ .Specifically, no message is received by  1 from any process that belongs to group  before  1 obtains Σ by communicating with  1 .Importantly,  1 cannot distinguish the current execution from one in which only correct processes are  1 and  1 (recall that accountability must be ensured even in the scenario with only two correct processes).However, after the communication with  1 , process  1 cannot distinguish the current execution from one in which (1)  1 is faulty (and just behaves correctly towards  1 ), and (2) there exist other processes from group  that are correct, disagree with  1 and need to detect faulty processes.Therefore,  1 needs to communicate with other processes from group .The aforementioned construction of the continuation of partitioningExecution is repeated for all processes   ∈ : (1) process  1 sends Ω() authenticators in order to allow process   ∈  to obtain Σ, and (2) before process   obtains Σ, process  1 does not hear from any other process from group  from which it has not heard yet (i.e., process  1 communicates with processes from group  in "one-by-one" fashion).Recall that process  1 does not hear from any process from group  until  1 has "helped" each process from group  to obtain Σ (i.e., all processes from group  might be faulty as seen from the perspective of  1 ).Finally, we conclude that  1 communicates quadratic number of authenticators in the execution (Ω() authenticators per  0 =  () processes).
We apply the same reasoning for correct process  2 ∈ .First, process  2 hears from any process from group  only after  1 has already ensured that all processes from group  obtain Σ.All  0 − 1 faulty processes from group  behave towards  2 as if they receive the information from group  for the first time.Moreover,  2 communicates with all processes from group  in "one-by-one" fashion.Note that , the only correct process from group , might not behave towards  2 as if it hears the information from group  for the first time.However, process  2 cannot be certain that  is indeed correct; the reason is that  has previously received information only from other processes from group  in the continuation of partitioningExecution and it is possible that all of these processes are faulty (as seen from the perspective of  2 ; recall that  2 has not heard from other processes from group  thus far), which implies that  might be faulty.Hence,  2 also needs to ensure that each process from group  obtains a proof of culpability, which results in the fact that  2 also sends quadratic number of authenticators.
Finally, the construction mechanism we presented for  2 is repeated for all other processes from group .Therefore, each process from group  sends quadratic number of authenticators.Since | | =  0 =  (), the total communication complexity of Π  is Ω( 3 ) (Part (b) of Figure 1 provides a visual depiction of the execution considered in the proof).□ The consequence of theorems 1 and 3 is that ABC allows any cubic (or sub-cubic) Byzantine consensus protocol (e.g., DBFT binary consensus [8]) to solve the accountable Byzantine consensus problem optimally.
(a) The partitioningExecution execution in which processes from groups  and  disagree.
(b) The continuation of partitioningExecution that incurs cubic number of authenticators sent by correct processes (the communication pattern of a single process from group  is depicted).Corollary 2. ABC applied to any cubic (or sub-cubic) Byzantine consensus protocol gives an accountable Byzantine consensus protocol with the asymptotically optimal cubic communication complexity.
Direct consequence of corollaries 1 and 2 is that ABC, when applied to any quadratic Byzantine consensus, obtains a protocol that: • solves the Byzantine consensus problem with quadratic communication complexity, which matches the lower bound given by Dolev et al. [10], and • solves the accountable Byzantine consensus problem with cubic communication complexity, which matches the lower bound given in the paper (Theorem 3).

Discussion
The (accountable) Byzantine consensus problem (as defined in §1) specifies the validity property which ensures that, if all correct processes propose the same value, then only that value could be decided by a correct process.In the literature, there are many variants of the validity property; the one we use is traditionally called strong validity.Throughout the rest of this subsection, we refer to "our" validity property as strong validity.Other most notable variants of the validity property include: • Weak Validity: If all processes are correct and if a correct process decides value , then  is proposed by a (correct) process [1,17,19].
• External Validity: A value decided by a correct process satisfies the predefined valid predicate [4].
Importantly, the correctness of ABC does not depend on the specific variant of the validity property.
However, the specific variant of the considered validity property plays a role in showing that our transformation allows for optimal solution to the accountable Byzantine consensus problem.As seen in §3.3, our proof of the cubic lower bound relies on the possibility of devising partitioningExecution.Indeed, partitioningExecution could be obtained as a consequence of the strong validity property (see §3.3).Still, if one assumes weak or external validity, there is no guarantee that such execution exist.Thus, the lower bound presented in §3.3 does not apply to Byzantine consensus problems that does not ensure strong validity, but some other variant of the property.

GENERALIZED ABC TRANSFORMATION
We have shown that ABC enables Byzantine consensus protocols to obtain accountability.This section generalizes our ABC transformation and defines its applicability.Namely, we specify a class of distributed computing problems named easily accountable agreement tasks and we prove that generalized ABC enables accountability in such tasks.
We introduce agreement tasks in §4.1.Then, we define the class of easily accountable agreement tasks ( §4.2) and prove the correctness of generalized ABC transformation applied to such agreement tasks ( §4.3).

Agreement Tasks
Agreement tasks represent an abstraction of distributed input-output problems executed in a Byzantine environment.Specifically, each process has its input value.We assume that "⊥" denotes the special input value of a process that specifies that the input value is non-existent.A process may eventually halt; if a process halts, it produces its output value.The "⊥" output value of a process means that the process has not yet halted (and produced its output value).We denote by   (resp.,   ) the input (resp., output) value of process   .We note that some processes might never halt if permitted by the definition of an agreement task (we provide the formal explanation in the rest of the subsection).
An agreement task A is parameterized with the upper bound  A on number of faulty processes that are tolerated.In other words, the specification of an agreement task assumes that no more than  A processes are faulty in any execution.
Any agreement task could be defined as a relation between input and output values of processes.Since we assume that processes might fail, we only care about input and output values of correct processes.Hence, an agreement task could be defined as a relation between input and output values of correct processes.Finally, we define an agreement task A as tuple (I, O, Δ,  A ), where:

An input configuration of an agreement task
• I denotes the set of all possible input configurations of A.
• O denotes the set of all possible output configurations of A such that, for every   ∈ O,  (  ) ≤ 1.
• Δ : I → 2 O , where   ∈ Δ(  ) if and only if the output configuration   ∈ O is valid given the input configuration   ∈ I. •  A ≤ ⌈/3⌉ − 1 denotes the maximum number of faulty processes the task assumes.
As seen from the definition, correct processes that halt always output the same value in agreement tasks.Moreover, we define agreement tasks to tolerate less than /3 faults.Without loss of generality, we assume that Δ(  ) ≠ ∅, for every input configuration   ∈ I.Moreover, for every   ∈ O, there exists   ∈ I such that   ∈ Δ(  ).
We note that some problems that are traditionally considered as "agreement" problems do not fall into our classification of agreement tasks.For instance, Byzantine lattice agreement [9] or -set agreement [6] are not agreement tasks per our definition since the number of distinct non-⊥ values that can be outputted is greater than 1.
Solutions.We say that a distributed protocol Π A solves an agreement task A = (I, O, Δ,  A ) if and only if there exists (an unknown) time   such that   ∈ Δ(  ), where   ∈ I denotes the input configuration that consists of input values of all correct processes and   ∈ O denotes the output configuration that (1) consists of output values (potentially ⊥) of all correct processes, and (2) no correct process   with   = ⊥ updates its output value after   .
Finally, we say that a distributed protocol Π  A solves an accountable agreement task A = (I, O, Δ,  A ) if and only if the following holds: • A-Solution: If  ≤  A , Π  A solves A. • Accountability: If two correct processes output different values, then every correct process eventually detects at least  A + 1 faulty processes and obtains a proof of culpability of all detected processes.

Easily Accountable Agreement Tasks
Fix an agreement task A = (I, O, Δ,  A ).We say that A is an easily accountable agreement task if and only if one of the following conditions is satisfied: (1) "All-or-None-Decidability": There does not exist   ∈ O such that (  ,   ≠ ⊥) ∈   and (  ,   = ⊥) ∈   ; or "All-or-None-Decidability" characterizes all the problems in which either every process halts or none does.For instance, Byzantine consensus [15] and Byzantine reliable broadcast [3] satisfy "All-or-None-Decidability".
On the other hand, some agreement tasks permit that some processes halt, whereas others do not.We say that these tasks satisfy "Partial-Decidability" if and only if it is allowed for any subset of correct processes to halt (and output a value).Note that "Partial-Decidability" covers the case in which no correct process ever halts.Byzantine consistent broadcast [3] is the single agreement task we are aware of that satisfies "Partial-Decidability".However, the significance of Byzantine consistent broadcast (e.g., for implementing cryptocurrencies [12]) motivated us to consider the "Partial-Decidability" property.

Correctness of Generalized ABC Transformation
We now prove the correctness of our generalized ABC transformation (Algorithm 4).First, we show that Algorithm 4 solves an easily accountable agreement problem A when  ≤  A if A satisfies the "All-or-None-Decidability" property.
Lemma 1.Let A = (I, O, Δ,  A ) be an easily accountable agreement task that satisfies "All-or-None-Decidability".
Then, Algorithm 4 solves A if  ≤  A .
Proof.In no correct process ever outputs a value at line 8, then the lemma trivially holds.
Algorithm 4 Generalized ABC Transformation -Code For Process   1: Implements: Accountable Agreement Task A, instance  − A 3: Uses: Protocol that solves agreement task A, instance Π A ⊲ Protocol to be transformed Otherwise, each correct process eventually outputs a value at line 8.Moreover, all correct processes output the exact same value  (since A is an agreement task).Therefore, all correct process submit the same value  to accountable confirmer (line 9).By terminating convergence of accountable confirmer, all correct processes eventually confirm value  (line 10) and output it (line 11).Once this happens, the agreement task A is solved, which concludes the lemma.□ Now, we prove that Algorithm 4 solves an easily accountable agreement task A when  ≤  A if A satisfies the "Partial-Decidability" property.Proof.Let   denotes the specific input configuration of A. We consider two cases: • There does not exist   ∈ Δ(  ) such that (  ,   ≠ ⊥) ∈   and (  ,   = ⊥) ∈   : In this case, the proof is identical to the proof of Lemma 1. • Otherwise: Since A is an easily accountable agreement task, we conclude that all processes that output a value at line 8 output the same value .Therefore, any process that outputs a value at line 11 outputs the value  (ensured by validity of accountable confirmer).Finally, once the system stabilizes at time   (the system stabilizes at time   if and only if no correct process   with   = ⊥ updates its output value after   ), the fact that any subset of processes could halt and the fact that all halted processes output  imply that Algorithm 4 solves A.
The lemma holds since it is satisfied in both possible cases.□ Finally, we are ready to prove that Algorithm 4 solves an accountable agreement task A, where A is an easily accountable agreement task, which means that generalized ABC is correct.
Theorem 4. Let A = (I, O, Δ,  A ) be an easily accountable agreement task.Then, Algorithm 4 solves the accountable agreement task A.
Proof.Algorithm 4 satisfies A-solution by lemmas 1 and 2. Furthermore, Algorithm 4 ensures accountability because of the fact that accountable confirmer ensures accountability and  A ≤  0 .Thus, the theorem holds.□
A is   = {(  ,   ) with   is correct}, where |  | ≥  −  A : an input configuration consists of input values of (all and exclusively) correct processes.Similarly, an output configuration of an agreement task is denoted by   = {(  ,   ) with   is correct}, where |  | ≥  −  A : it contains output values of correct processes.We denote by  (  ) = |{  | (  ,   ) ∈   ∧   ≠ ⊥}| the number of distinct non-⊥ values in the   output configuration.
Accountable Confirmer -Definitions for Algorithm 2 1) A combined digital signature tsig is a valid light certificate for value  if and only if Verify(, tsig) = ⊤.2) A set S of properly authenticated [submit, , * ]  * messages is a valid full certificate for value  if and only if: a) |S| ≥  −  0 b) Each message  is sent (i.e., signed) by a distinct process.3) Let tsig  be a valid light certificate for value  and let tsig  ′ be a valid light certificate for value  ′ .tsig  conflicts with tsig  ′ if and only if  ≠  ′ .4) Let S  be a valid full certificate for value  and let S  ′ be a valid full certificate for value  ′ .S  conflicts with S  ′ if and only if  ≠  ′ .5) Let ( 1 ,  2 ) be a pair of properly authenticated messages sent by the same process   .( 1 ,  2 ) is a proof of culpability of   if and only if: upon certificate 1 , certificate 2 ∈ obtainedFullCertificates  where certificate 1 conflicts with certificate 2 do 39:proof ← extract a proof of culpability of (at least)  0 + 1 processes from certificate 1 and certificate 2 Byzantine Consensus + Accountable Confirmer = Accountable Byzantine ConsensusWe now define our ABC transformation (Algorithm 3), the main contribution of our work.ABC is built on the observation that any Byzantine consensus protocol paired with accountable confirmer solves the accountable Byzantine consensus problem.Algorithm 3 ABC Transformation -Code For Process 8: upon event ⟨ac, Init⟩ do 15: upon event ⟨ac, Submit | ⟩ do 16: value  ←  17: trigger ⟨beb, Broadcast | [submit, , ShareSign  ()]   ⟩ 18: upon event ⟨beb, Deliver |   , [submit, value, share]   ⟩ do 19: if ShareVerify  (value, share) = ⊤ and value = value  then 20: lightCertificate  ← lightCertificate  ∪ {share} 21: fullCertificate  ← fullCertificate  ∪ {[submit, value, share]   } 22: end if 23: upon |lightCertificate  | ≥  −  0 do 24: confirmed ← true 25: trigger ⟨ac, Confirm | value  ⟩ 26: trigger ⟨beb, Broadcast | [light-certificate, value  , Combine(lightCertificate  )]⟩ 27: upon event ⟨beb, Deliver |   , [light-certificate, value  , lightCertificate  ]⟩ do 28: if lightCertificate  is a valid light certificate then 29: obtainedLightCertificates  ← obtainedLightCertificates  ∪ {lightCertificate  } 31: upon certificate 1 , certificate 2 ∈ obtainedLightCertificates  where certificate 1 conflicts with certificate 2 32: and confirmed = true do 33: trigger ⟨beb, Broadcast | [full-certificate, value  , fullCertificate  ]⟩ 34: upon event ⟨beb, Deliver |   , [full-certificate, value  , fullCertificate  ]⟩ do 35: if fullCertificate  is a valid full certificate then 36: obtainedFullCertificates  ← obtainedFullCertificates  ∪ {fullCertificate  } 40:  ← set of processes detected via proof 41: trigger ⟨ac, Detect | , proof ⟩ 3.2 ABC: 1: Implements: 2: group , where || =  0 , (2) group , where || =  0 + 1, and (3) group , where | | =  0 .Given that Π  solves the Byzantine consensus problem, the following two executions exist:•  1 : All processes from group  are faulty and silent throughout the entire execution.Moreover, all processes from the  ∪  set propose value .Since | | =  0 , Π  ensures that all processes from the  ∪  set eventually decide the same value  (because of the validity property) by some global time  1 .•  2 : All processes from group  are faulty and silent throughout the entire execution.Moreover, all processes from the  ∪  set propose value  ′ ≠ .Since || =  0 , Π  ensures that all processes from the  ∪  set eventually decide the value  ′ ≠  (because of the validity property) by some global time  2 .Processes from group  behave towards processes from group  as in execution  1 and processes from group  behave towards processes from group  as in execution  2 .
Now, we can devise another execution  in the following manner:• Processes from group  and processes from group  are correct, whereas processes from group  are faulty.Moreover, all processes from group  propose , whereas all processes from group  propose  ′ ≠ .•