Web3

Why 2/3?

... is the minimum number of honest voters in PoS / BFT consensus protocols?

Alexandr Fadeev

5 min read
Why 2/3?

In Proof-of-Stake (PoS) consensus protocols, at least 2/3 of validator nodes must be honest to reach quorum, so no more than 1/3 of faulty nodes are typically tolerated.

Why not 51%, 66%, maybe 90%, or even 100%?

Setup

In PoS, a single node serves as the proposer (the leader). The reason is to avoid situations in which multiple blocks legally compete for the same time slot. This makes the system simpler and easier to analyze against a wide range of attacks.

PoS protocols try to synchronize voting for a block, which gives fast finalization. But at least 2/3 of the stake must be honest for system safety, and roughly 2/3 must be online for liveness.

In Proof-of-Work (PoW), there are no time slots, and finalization is probabilistic - ~51% of hash power on the longest chain fork "generally wins".

πŸ’‘
PoW's 51% races the chain - it gives you probabilistic safety.
PoS's 67% gives you a block that's final forever with math.

Quorum Q is how many nodes out of N are needed to vote for a block to accept it.

(More generally, how much of the stake is needed to vote... 2/3! But why, right?)

In decentralized systems, 100% is unrealistic to achieve: some nodes may go offline, receive delayed notifications, or be dishonest (Byzantine nodes). So, in other words, how many faulty nodes f can be tolerated without the system being compromised (...1/3 πŸ˜‰)?

πŸ’‘
Q may include the "bad guys"
f is just the "bad guys"

Equivocation Attack

However, a leader can be malicious and may produce 2 conflicting blocks or send a single block to a particular set of voters.

A leader produces two blocks which go to different voters
An equivocation attack occurs when a validator or node in a distributed network presents conflicting, inconsistent information to different parts of the network, breaking consensus rules to gain an advantage.

Two blocks go to different voters, and not to the same ones, because this is detectable and slashable – the proposer risks losing their stake. (An honest voter can use two signed blocks from a single proposer as evidence of a crime).

The attacker has the best chances by splitting the voters into separate groups and controlling what each group sees. This can be thought of as producing two blocks and sending them to different groups, but in practice, it’s enough to send a block to one group while withholding it from another.

πŸ’‘
It turns out that with 3 or more blocks (or voter groups), an attacker needs more faulty nodes f to break the system, not fewer.
Therefore, it's enough to consider the case of 2 blocks for simplicity.

Attack Variation: No double-voting is assumed

Let's consider an attack where all faulty nodes try to push block A to be voted for.

The honest nodes are maximally split:

  • (N-f)/2 votes for A,
  • (N-f)/2 votes for B.

Byzantine nodes don't reveal themselves – they all pile onto A, silently voting with(N-f)/2 + f = (N+f)/2.

Safety: (N+f)/2 < Q – we need the faulty nodes to FAIL to push a block A over quorum.

Liveness: N-f β‰₯ Q – honest votes should be enough to reach a quorum.

πŸ’‘
Two constraints must hold at once

Liveness & Safety

Liveness: a count of honest nodes must be enough for a quorum.

N - f β‰₯ Q

It's like the House of Representatives voting on a law: the system should work even if some legislators get sick or are absent.

So, if there are f faulty nodes, we need a system that can still reach quorum Q out of N total nodes to agree on a new state (a block). It's liveness.

Safety: faulty nodes must fail to finalize a block.

f < Q

With an equivocation attack, faulty + half of the honest ones must fail to finalize a block.

(N - f) / 2 + f < Q

The only question is – what exact numbers Q and f should be?

We need to combine two conditions – safety and liveness – to derive the numbers f and Q. Let's do it.

Solving the System

N+f < 2Nβˆ’2f
3f  < N
f   < N/3

The result is that the protocol works as long as no more than 1/3 of the nodes are faulty (broken, dishonest, or offline), and at least 2/3 are honest.

Q β‰₯ 2/3 N

Intuitively, in this particular case, it actually means this:

  1. Block B does not have enough votes to reach a quorum - (N-f)/2 is less than half of the nodes.
  2. Block A might have enough votes, but only if there are "too many" faulty nodes (more than 1/3).

Attack Variation: Overlapping Quorums

If two conflicting blocks both finalize, their voter sets must overlap.

Double-voted nodes are ALL byzantine. There are two reasons:

  1. An honest node won't vote for two conflicting blocks, so it is never part of the overlap.
  2. If an honest node were in the overlap, it would reveal the double voting.

Now, important:

πŸ’‘
1. overlap ≀ f is the attacker-friendly case (the overlap could be all Byzantine).
2. For safety, we require overlap > f, so at least one honest node is in the overlap.

And let's go through some calculations:

  • 2Q - two quorums;
  • 2Q > N - when two quorums overlap, their total count is greater than the total number of nodes;
  • 2Q-N = overlap - the count of overlapped nodes is the difference between 2Q and N;
  • overlap > f is needed for safety because there must NOT be honest nodes in the overlap;
  • therefore, 2Q-N > f

Safety: 2Q-N > f – we need the overlap to contain at least one honest node, so the double-voting FAILS.

Liveness: N-f β‰₯ Q – honest votes should be enough to reach a quorum.

Two constraints must hold at once.

Solving the System

N+f < 2Q ≀ 2(Nβˆ’f)
N+f < 2N βˆ’ 2f
3f  < N
f   < N/3

We reached the same conclusion!

πŸ’‘
If a block gets β‰₯ 2/3 of N votes, and f < N/3, then we’re good.

Typically, we can see the 2/3 principle looks like this:

Infographics