Federated Byzantine Agreement (FBA) Explained

Updated 14 November 2025

Federated Byzantine Agreement (FBA) is a decentralized consensus model where each node independently sets trusted quorum slices, enabling global agreement when trust overlaps.
It ensures safety through quorum intersection and liveness by guaranteeing intact quorums, thereby balancing fault tolerance with operational resilience.
Analyses of FBA cover computational challenges, empirical configuration insights, and cooperative game-theoretic methods for fair incentive distribution.

Federated Byzantine Agreement (FBA), formalized as the Federated Byzantine Agreement System (FBAS), generalizes classical quorum-based consensus protocols by decentralizing quorum construction: each participant independently specifies alternative trusted subsets of peers ("quorum slices"), and protocol-level agreement emerges only when enough local trust relations overlap to yield global quorums. This architecture underpins systems such as Stellar and MobileCoin, aiming to combine the open-membership and energy efficiency of permissionless protocols with fine-grained trust assignment. Theoretical exploration has established the correctness conditions for safety and liveness, the complexity of key computational problems, algorithmic solutions, and the challenges surrounding incentive design and system resilience.

1. Formal Model: Quorum Slices, Quorums, and Intersection

Let $V$ be a finite set of nodes. An FBAS is the pair $(V, Q)$ where each node $v$ specifies a nonempty family $Q(v) \subseteq 2^V \setminus \{\emptyset\}$ of quorum slices with $v \in q$ for all $q \in Q(v)$ . A quorum is a nonempty $U \subseteq V$ such that for every $v \in U$ , there exists $q \in Q(v)$ with $q \subseteq U$ . The set $U$ contains, for each of its members, at least one locally sufficient slice completely within $U$ .

The property of quorum intersection—that all pairs of quorums meet in at least one node ( $\forall U_1, U_2$ quorums, $U_1 \cap U_2 \neq \emptyset$ )—is central: it ensures global safety, in the sense that two disjoint correct groups cannot commit conflicting decisions. In contrast, liveness is maintained provided at least one entirely correct quorum exists.

FBAS generalizes threshold-based systems: in a classic $t$ -out-of- $n$ system, every node's only slice is a set of $t$ nodes, and all quorums are of size at least $t$ . In FBA, slices and quorums lack global symmetry and uniformity, enabling richer trust structures but complicating analysis (García-Pérez et al., 2018, Gaul et al., 2019, Florian et al., 2020, Lachowski, 2019, Ndolo et al., 2023).

2. Safety, Liveness, and Fault Tolerance

Safety in FBAS is guaranteed precisely when quorum intersection holds. No two disjoint quorums can ratify conflicting values, even under arbitrary Byzantine behavior. Conversely, liveness requires the continued existence of a quorum composed solely of correct nodes—meaning some subset persists through failures or misbehavior.

To quantify system robustness, the notions of safety buffer and liveness buffer are introduced (Florian et al., 2020):

Minimal blocking sets are minimal subsets $B \subseteq V$ intersecting every quorum; if all nodes in a minimal blocking set malfunction, no progress is possible.
Minimal splitting sets are minimal subsets $S \subseteq V$ whose removal destroys quorum intersection; their compromise endangers safety.

The system's liveness buffer $f_{\rm live}$ is the minimal cardinality among all minimal blocking sets minus one, and the safety buffer $f_{\rm safe}$ is the corresponding minimal splitting set size minus one. In symmetric $3f+1$ threshold systems, both buffers equal $f$ . Computation of these buffers enables direct comparison to threshold models and guides configuration towards target resilience by identifying structurally critical nodes (Florian et al., 2020).

3. Computational Complexity and Algorithms

Key computational problems for FBAS have been rigorously characterized. The Disjoint Quorums Problem (DQP)—detecting two quorums with empty intersection—is NP-complete, as is the Minimum-size Quorum Problem (MQP). In contrast, the Quorum Subset Problem (QSP), deciding whether a subset contains a quorum for a particular node, is P-complete and solvable in linear time relative to the sum of slice sizes (Lachowski, 2019, Gaul et al., 2019).

Practical algorithms are feasible for real-world instances (e.g., the Stellar network), leveraging structural properties such as strongly connected components of the trust graph. For example:

Quorum enumeration can be performed by recursive backtracking with polynomial delay per output.
Quorum intersection can be efficiently checked by restricting attention to minimal quorums up to $|V|/2$ , preceded by SCC reduction of the trust graph.
The set of intact nodes—those remaining unaffected by a given set of Byzantine nodes—can be computed iteratively using greatest quorum computations and intersection checks.

These algorithms are implemented in the Stellar Observatory Python package and have been empirically validated on synthetic and real FBAS data (Gaul et al., 2019).

4. Incentive Structure and Fair Reward Distribution

Unlike proof-of-work or proof-of-stake blockchains, FBAS-based protocols typically lack protocol-level rewards for validators. This absence of explicit incentives results in only a handful of organizations running validating nodes, raising concerns around centralization and system resilience (Ndolo et al., 2023).

A principled answer to reward assignment is given via cooperative game theory. Each node’s contribution to consensus is modeled through a simple cooperative game whose characteristic function $v(C)$ equals $1$ iff $C$ contains a quorum. The Shapley–Shubik power index assigns to each node $i$ the probability that $i$ 's addition to a random coalition renders it quorate:

$\phi_i = \sum_{C \in W^i} \frac{(|C|-1)!(n-|C|)!}{n!}$

where $W^i$ is the set of coalitions $C$ with $v(C)=1$ and $v(C\setminus\{i\})=0$ .

The unique fair reward distribution $R_i = \phi_i$ satisfies symmetry, dummy-player-freeness, additivity, efficiency, and individual rationality. Exact computation of $\phi_i$ is tractable for typical top-tier sizes ( $n \approx 20$ –$23$), while Monte Carlo sampling yields errors below $1.6\%$ in seconds for $n=30$ . Only top-tier nodes—those in some minimal quorum—receive nonzero rewards (Ndolo et al., 2023).

5. System Structure, Top Tier, and the Limits of Open Membership

FBAS permits all nodes to propose slices and potentially enter quorums. However, empirical and theoretical analyses establish that the actual set of nodes critical to system liveness and safety—termed the “top tier”—is typically small and persistent (Florian et al., 2020). The top tier is defined as the union of all minimal quorums. All minimal blocking sets and all nodes appearing in any such set are confined to the top tier.

Critically, the composition of the top tier is under the strict control of current members: if the system is engineered to maintain safety (quorum intersection), merely changing the slices of non–top-tier nodes is insufficient to alter the top tier. Admission of new nodes to the set of decisive actors requires the cooperation of at least one current top-tier node, limiting the bottom-up flexibility of the model and distinguishing real-world FBA instantiations from fully open consensus. This suggests that, despite the formal open-membership policy, the effective control is highly permissioned in practice (Florian et al., 2020).

6. Broadcast Protocols and Handling of Subjectivity

Reliable broadcast over FBAS is achieved with a two-phase Bracha-style protocol, adapted to the federated setting. Each server tracks states ("echoed," "ready," and "delivered") and transitions based on message receipts from quorums or "blocking sets" as determined by its slice structure.

In subjective FBA, where Byzantine nodes may equivocate about their slices, each correct server maintains its own view of the system (agreeing only on the slices of correct servers). The protocol still achieves weakly reliable Byzantine broadcast, because (i) there always exists a globally defined set of intact servers, (ii) the intersection property generalizes to quorums from distinct subjective views, and (iii) blocking sets among befouled nodes cannot affect the intact servers. Hence, the safety and liveness proofs carry over to the subjective model (García-Pérez et al., 2018).

7. Quantitative and Empirical Analysis of FBAS Configurations

System robustness is governed not only by theoretical buffers but also by network configuration strategies. Comparing hierarchical and symmetric simple FBAS arrangements—given identical failure probabilities—the symmetric simple configuration yields notably higher intactness probabilities. For instance, with 12 nodes partitioned into 4 organizations, each with 3 nodes, and reasonable node (0.1) and organizational (0.01) failure probabilities, symmetric simple FBAS achieves $P[\text{intact}] \approx 0.86$ , compared to $0.65$ for the hierarchical case.

Empirical studies using real Internet AS-level graphs and the Stellar network topologies demonstrate that naive, purely local construction of quorum sets can result in fragile systems with low liveness and safety buffers. In contrast, introducing minimal "tier awareness" (e.g., thresholding based on network centrality) significantly improves robustness—though at the cost of centralizing control in a persistent top tier (Gaul et al., 2019, Florian et al., 2020).

Federated Byzantine Agreement combines localized trust assignment with global safety through quorum intersection, but the resulting systems exhibit complex computational challenges, subtle resilience properties, and incentive alignment needs. Quantitative tools and cooperative game-theoretic analyses enable fine-grained assessment and reward allocation, while empirical work informs practical configuration and highlights the persistent role of structural centrality even in open membership environments.