Papers
Topics
Authors
Recent
Search
2000 character limit reached

Simple-IT: Signature-Free BFT Consensus

Updated 5 July 2026
  • Simple-IT is a signature-free, leader-based BFT consensus protocol that uses symmetric cryptography and authenticated channels to achieve post-quantum security.
  • It adapts the simple round structure of Simplex by replacing quorum certificates with Reliable Broadcast and Reliable Notification to ensure convergence and safety.
  • Empirical evaluations show Simple-IT matching state-of-the-art throughput and latency, with a theoretical best-case of 4 message delays and enhanced resilience against quantum attacks.

Searching arXiv for the exact topic and closely related variants to ground the article in the relevant paper(s). Simple-IT is a leader-based, partially synchronous, signature-free Byzantine fault-tolerant (BFT) consensus protocol with optimal resilience n>3fn > 3f, introduced as a practical low-latency alternative to contemporary signature-based BFT designs in the context of post-quantum security concerns (Yu et al., 12 Jun 2026). Its central premise is that modern BFT protocols rely on quantum-vulnerable public-key signatures such as Ed25519 and BLS12-381, whereas a signature-free design can instead use authenticated point-to-point channels and symmetric cryptography, avoiding public-key signatures on the critical path (Yu et al., 12 Jun 2026). The protocol adapts the simple round structure of Simplex to the signature-free setting, replacing transferable quorum certificates with convergence mechanisms based on Reliable Broadcast (RBC) and Reliable Notification (RN) (Yu et al., 12 Jun 2026). In the reported geo-distributed implementation, Simple-IT achieves throughput and latency competitive with state-of-the-art quantum-vulnerable protocols, while preserving a theoretical latency of 4 message delays in the good case and 3 message delays on its optimistic path (Yu et al., 12 Jun 2026).

1. Motivation and problem setting

The protocol is motivated by the observation that high-performance BFT systems commonly place public-key signatures on the critical path, and that under the stated threat model a sufficiently capable quantum adversary running Shor’s algorithm could recover validators’ secret keys from public keys and forge protocol messages (Yu et al., 12 Jun 2026). The paper identifies two consequences: such an adversary could break safety, by fabricating votes or certificates for conflicting blocks, and liveness, by impersonating validators or disrupting leader and view-change logic (Yu et al., 12 Jun 2026).

A direct migration to post-quantum secure signatures is presented as costly. The paper specifically notes that signing and especially verification lie on the protocol’s critical path, and reports experimentally that in a state-of-the-art BFT protocol, replacing BLS with ML-DSA-65 doubles latency (Yu et al., 12 Jun 2026). This establishes the design space in which signature-free BFT becomes attractive: after setup, the protocol uses only authenticated channels and symmetric cryptography such as HMAC-SHA256, which the paper treats as practically post-quantum secure because Grover’s algorithm provides only a quadratic speedup (Yu et al., 12 Jun 2026).

The main systems question is therefore whether signature-free BFT consensus protocols can match the performance of current state-of-the-art, quantum-vulnerable BFT consensus protocols (Yu et al., 12 Jun 2026). Prior work had already shown that state-of-the-art throughput was attainable signature-free, but the paper identifies latency as the open problem in practice (Yu et al., 12 Jun 2026). Several recent signature-free protocols had low latency in theory, but they were described as intricate and lacking practical implementations (Yu et al., 12 Jun 2026). Simple-IT is proposed as an answer to this gap.

2. Protocol model and architectural principles

Simple-IT operates in an eventually synchronous message-passing model with nn parties, up to ff Byzantine faults, and the optimal resilience condition

f<n3,equivalentlyn>3f.f < \frac{n}{3}, \qquad\text{equivalently}\qquad n > 3f.

A quorum is a set of size n−fn-f, and two such quorums intersect in at least one correct party (Yu et al., 12 Jun 2026). Before GST, message delays are arbitrary; after GST, every message from a correct party to a correct party arrives within at most δ\delta, and parties know a public upper bound Δ≥δ\Delta \ge \delta (Yu et al., 12 Jun 2026). A predetermined fair leader schedule assigns every round rr a leader LrL_r, and every party is leader infinitely often (Yu et al., 12 Jun 2026).

The defining architectural move is to eliminate transferable quorum certificates. In a signature-based protocol, one replica can forward a signed message from another replica and any third replica can verify it. With only authenticated channels, that transferability disappears: if p1p_1 receives a message from nn0, nn1 cannot prove to nn2 that nn3 sent it (Yu et al., 12 Jun 2026). Simple-IT addresses this by introducing convergence through two broadcast-style abstractions:

  • Reliable Broadcast (RBC): used to make a leader’s proposal converge at all correct replicas.
  • Reliable Notification (RN): a new abstraction used to make timeout or disable decisions converge.

The protocol is thus best understood as a signature-free analogue of a Simplex-style parent-chain protocol, where explicit certificates are replaced by globally convergent facts established through RBC and RN (Yu et al., 12 Jun 2026).

3. Round structure, safe parents, and state transitions

Simple-IT runs an infinite sequence of rounds nn4. In each round nn5, the leader tries to assign a block nn6 and a parent round nn7, thereby forming a tree of rounds (Yu et al., 12 Jun 2026). A round may end up in one of two mutually exclusive states: committed or disabled (Yu et al., 12 Jun 2026). A round may be disabled while still having an assigned proposal and safe parent, and such a round may still serve as a parent for a later round (Yu et al., 12 Jun 2026).

The key structural notion is the safe parent. A parent nn8 is safe for round nn9 if ff0 or round ff1 itself has a safe assigned proposal, and every intermediate round ff2 with ff3 is disabled (Yu et al., 12 Jun 2026). Formally, the helper predicate ff4 returns true iff ff5, ff6, and ff7 for all ff8 (Yu et al., 12 Jun 2026). This mechanism replaces the lock and quorum-certificate logic typical of HotStuff-style protocols.

Each replica keeps local state including curr_round, submitted, delivered, proposal[r], safe[r], disabled[r], committed[r], and round-specific flags such as voted and timed_out; speculative variants additionally use aborted[r] and proposed[r] (Yu et al., 12 Jun 2026). At the message level, the protocol uses RBC proposal messages of the form ff9, commit votes f<n3,equivalentlyn>3f.f < \frac{n}{3}, \qquad\text{equivalently}\qquad n > 3f.0, and RN messages f<n3,equivalentlyn>3f.f < \frac{n}{3}, \qquad\text{equivalently}\qquad n > 3f.1 and f<n3,equivalentlyn>3f.f < \frac{n}{3}, \qquad\text{equivalently}\qquad n > 3f.2 for events such as f<n3,equivalentlyn>3f.f < \frac{n}{3}, \qquad\text{equivalently}\qquad n > 3f.3 (Yu et al., 12 Jun 2026).

In the non-speculative version, the round flow is as follows. On entering round f<n3,equivalentlyn>3f.f < \frac{n}{3}, \qquad\text{equivalently}\qquad n > 3f.4, a party sets curr_round := r, resets the round timer to

f<n3,equivalentlyn>3f.f < \frac{n}{3}, \qquad\text{equivalently}\qquad n > 3f.5

resets voted and timed_out, and, if it is leader f<n3,equivalentlyn>3f.f < \frac{n}{3}, \qquad\text{equivalently}\qquad n > 3f.6, proposes (Yu et al., 12 Jun 2026). The leader selects the highest round f<n3,equivalentlyn>3f.f < \frac{n}{3}, \qquad\text{equivalently}\qquad n > 3f.7 such that f<n3,equivalentlyn>3f.f < \frac{n}{3}, \qquad\text{equivalently}\qquad n > 3f.8, chooses a not-yet-delivered block f<n3,equivalentlyn>3f.f < \frac{n}{3}, \qquad\text{equivalently}\qquad n > 3f.9 not already in n−fn-f0, and RBC-broadcasts n−fn-f1 (Yu et al., 12 Jun 2026). When a party RB-delivers the proposal, it sets n−fn-f2; if the proposal is present and the parent is safe, it marks n−fn-f3 (Yu et al., 12 Jun 2026). If the round is safe, the party has not timed out, and has not already voted, it sends n−fn-f4 to all parties (Yu et al., 12 Jun 2026). If the timer expires before voting, it invokes RN on the timeout event and marks itself timed out; if RN confirms the timeout, it sets n−fn-f5 (Yu et al., 12 Jun 2026). A party commits round n−fn-f6 after receiving commit votes from n−fn-f7 parties, and if round n−fn-f8 is both committed and safe, it delivers all blocks in the chain n−fn-f9 not already delivered (Yu et al., 12 Jun 2026).

4. Reliable Notification and the signature-free replacement for quorum certificates

RN is central to the design because it creates convergence for timeout outcomes without signatures. The protocol is a simple two-step-style mechanism (Yu et al., 12 Jun 2026). Upon rn_raise(e), a party broadcasts δ\delta0; after receiving δ\delta1 votes, it broadcasts δ\delta2; it confirms δ\delta3 after receiving δ\delta4 accepts; and if it sees δ\delta5 accepts without having sent accept, it sends accept as a cascade step (Yu et al., 12 Jun 2026).

The paper states three RN properties:

  • Unanimity: if every correct party raises δ\delta6, everyone confirms δ\delta7.
  • Totality: if one correct party confirms δ\delta8, all eventually do.
  • Validity: if δ\delta9 is confirmed, at least Δ≥δ\Delta \ge \delta0 correct parties raised it.

The significance of RN is that a disable decision is not a certificate but a convergent globally shared fact (Yu et al., 12 Jun 2026). Together with RBC, RN supplies the protocol’s substitute for the transferability normally provided by signatures. RBC makes all correct parties converge on the same leader proposal, RN makes them converge on the same timeout or disable facts, and direct receipt of Δ≥δ\Delta \ge \delta1 commit votes suffices for commit (Yu et al., 12 Jun 2026).

This architecture yields what the paper describes as a deliberately simple leader-based design. There are no signature-based quorum certificates, no intricate lock-transfer rules, and no entangled fallback logic; instead, safety is organized through parent-chain structure and liveness through round disabling (Yu et al., 12 Jun 2026). This suggests that the protocol’s simplicity is not merely rhetorical but a specific systems design choice.

5. Latency, pipelining, and performance parameters

The paper instantiates Simple-IT with two RBC variants. For Bracha-RBC, the optimistic delay is Δ≥δ\Delta \ge \delta2, the worst delay is Δ≥δ\Delta \ge \delta3, and the totality delay is Δ≥δ\Delta \ge \delta4 (Yu et al., 12 Jun 2026). For Opt-RBC, the optimistic delay is Δ≥δ\Delta \ge \delta5, the worst delay is Δ≥δ\Delta \ge \delta6, the totality delay is Δ≥δ\Delta \ge \delta7, and the optimistic resilience is

Δ≥δ\Delta \ge \delta8

The general optimistic commit bound is

Δ≥δ\Delta \ge \delta9

This yields:

  • Bracha-Simple-IT: rr0
  • Opt-Simple-IT optimistic: rr1

The paper also gives the good-case or general latency without the optimistic honesty assumption as rr2 for the Bracha-based version and rr3 for the Opt-based version (Yu et al., 12 Jun 2026). These are the core latency numbers behind the statement that Simple-IT achieves a theoretical latency of 4 message delays and 3 on its optimistic path (Yu et al., 12 Jun 2026).

Without speculative proposal pipelining, the block time is rr4 for the Bracha variant and rr5 for the Opt variant (Yu et al., 12 Jun 2026). With speculative pipelining, both speculative variants achieve optimistic block time rr6 (Yu et al., 12 Jun 2026). The protocol defines four variants: a Bracha-RBC version, an Opt-RBC version, and speculative versions of both (Yu et al., 12 Jun 2026).

Speculative proposing allows the leader of round rr7 to propose before the previous round is fully established as safe, provided several conditions hold, including that round rr8 is safe and the leader has received the first message of round rr9’s RBC directly from LrL_r0 (Yu et al., 12 Jun 2026). This creates a proposal pipeline of depth LrL_r1 for Bracha-RBC and LrL_r2 for Opt-RBC (Yu et al., 12 Jun 2026). If a round times out and is disabled, parties that truly timed out there proactively RN-raise timeouts for the next LrL_r3 speculative rounds, marking them aborted and preventing LrL_r4 serial timeouts (Yu et al., 12 Jun 2026).

The paper also reports eventual worst-case view duration. Since

LrL_r5

the Bracha-based variant has LrL_r6 and eventual worst-case view duration LrL_r7, while the Opt-based variant has LrL_r8 and eventual worst-case view duration LrL_r9 (Yu et al., 12 Jun 2026). This makes explicit the cost of Opt-RBC: faster optimistic latency, but worse worst-case timing.

Communication complexity is reported as p1p_10 bits per view for Simple-IT itself, excluding block dissemination details (Yu et al., 12 Jun 2026). For long messages using erasure-coded RBC, the cost is

p1p_11

communication per broadcast for an p1p_12-bit message, where p1p_13 is the hash output length (Yu et al., 12 Jun 2026). This is contrasted with p1p_14 per view for Algorithm BFT and Sailfish++, and p1p_15 for signature-based Simplex (Yu et al., 12 Jun 2026).

6. Safety, liveness, implementation, and empirical evaluation

The safety argument rests on two main invariants. First, no round can be both committed and disabled (Yu et al., 12 Jun 2026). Correct parties vote to commit only if they have not timed out, and they raise timeout only if they have not voted (Yu et al., 12 Jun 2026). Commit requires p1p_16 commit messages, while disable confirmation implies by RN validity that at least p1p_17 correct parties raised timeout (Yu et al., 12 Jun 2026). Since

p1p_18

these sets must overlap, which would force some correct party to both vote and timeout, a contradiction (Yu et al., 12 Jun 2026). Second, committed rounds form one ancestor chain, because a round becomes safe only if its parent is safe and all skipped rounds are disabled; once a round commits, it cannot later be disabled, so future safe rounds cannot skip it (Yu et al., 12 Jun 2026). The paper’s resulting safety theorem is that if a correct party delivers block p1p_19 before nn00, then no correct party delivers nn01 before nn02 (Yu et al., 12 Jun 2026).

Liveness is based on the fact that every round eventually resolves either to a safe proposal or to a disabled round (Yu et al., 12 Jun 2026). If some correct party RB-delivers the leader’s proposal, RBC totality ensures that all correct parties eventually RB-deliver it; otherwise, all eventually time out and RN-confirm the timeout (Yu et al., 12 Jun 2026). With a round timeout larger than nn03, and a fair leader schedule with infinitely many correct leaders, all correct parties eventually deliver infinitely many blocks submitted by a correct party that submits infinitely many blocks (Yu et al., 12 Jun 2026). For speculative variants, liveness requires infinitely many windows of nn04 consecutive correct leaders (Yu et al., 12 Jun 2026).

The implementation emphasizes practicality. The paper presents what it calls the first practical implementation of a signature-free, leader-based BFT protocol (Yu et al., 12 Jun 2026). It implements two dissemination styles:

Variant family Dissemination strategy Reported role
Mempool-Simple-IT Shared mempool dissemination adapted from Autobahn’s mempool Consensus orders digests or batches
Dispersed-Simple-IT Leader-driven erasure-coded block dissemination based on AVID-style techniques Avoids leader bottleneck

For large blocks, the dispersed design uses Reed-Solomon coding and can recover from nn05 fragments, which equals nn06 when nn07 (Yu et al., 12 Jun 2026). For nn08, the code rate is about nn09, corresponding to about a nn10 communication overhead on payloads (Yu et al., 12 Jun 2026). The paper reports that in practice data dissemination dominates both network cost and CPU cost, while signature-free control traffic is negligible by comparison (Yu et al., 12 Jun 2026). For dispersed variants at 50 MB blocks, proposal construction latency is reported as 212/227 ms p50/p95 and reconstruction latency as 42/49 ms p50/p95 (Yu et al., 12 Jun 2026).

The empirical evaluation uses 50 nodes on Google Cloud Platform, distributed across five regions on three continents, with machine type c2-standard-16, 16 vCPUs, 64 GB RAM, and inter-region RTTs from roughly 30 ms to 260 ms (Yu et al., 12 Jun 2026). Transactions are 512 random bytes; dispersed blocks scale up to 50 MB; experiments run for 120 s with 50 nodes and 60 s with 10 nodes (Yu et al., 12 Jun 2026). Throughput is measured in committed tx/s, and latency is measured from transaction creation to commit by 50% of non-faulty nodes (Yu et al., 12 Jun 2026).

The main reported results are as follows. Mempool-Simple-IT outperforms Autobahn across the latency-throughput curve, reaching about 170,000 tx/s, about 92 MB/s, at roughly 0.5 seconds latency (Yu et al., 12 Jun 2026). The paper attributes this to a shorter combined mempool and consensus delay path (Yu et al., 12 Jun 2026). Dispersed-Simple-IT reaches essentially the same peak throughput as DispersedSimplex, about 120,000 tx/s and about 61 MB/s, while latency in the pre-saturation region is only up to 9% higher; specifically, Opt-Dispersed-Simple-IT is only about 35 ms slower on average before saturation (Yu et al., 12 Jun 2026). With 10 nodes, threshold effects disappear and performance becomes very similar (Yu et al., 12 Jun 2026).

A particularly strong comparison is with post-quantum signatures. PQ-DispersedSimplex, obtained by replacing BLS with ML-DSA-65, exhibits roughly 2x the latency of even Bracha-Dispersed-Simple-IT at about 1 second latency (Yu et al., 12 Jun 2026). This is the paper’s clearest practical argument that signature-free BFT is a more viable post-quantum route than simply swapping in current post-quantum signatures.

The protocol is compared with several related systems. Sailfish++ had already shown state-of-the-art throughput in the signature-free setting, but it is DAG-based, has average optimistic commit latency around 5.6 message delays in the optimistic Opt-RBC setting, and uses nn11 bits per view (Yu et al., 12 Jun 2026). IT-HS is listed at nn12, TetraBFT at nn13, Forget-IT at nn14 but described as single-shot and intricate, and Simplex at nn15 but signature-based (Yu et al., 12 Jun 2026). Simple-IT’s contribution is therefore the combination of low latency, nn16 communication per view, structural simplicity, practical pipelining, and a real implementation (Yu et al., 12 Jun 2026).

The limitations are explicit. The 3-delay optimistic path via Opt-RBC requires the stronger honesty condition nn17 among non-leaders (Yu et al., 12 Jun 2026). Opt-RBC also worsens the eventual worst-case view duration relative to Bracha-RBC (Yu et al., 12 Jun 2026). Speculative pipelining weakens liveness assumptions because it requires windows of consecutive correct leaders, and a Byzantine leader can poison a speculative window and force several rounds to be disabled (Yu et al., 12 Jun 2026). Erasure coding introduces CPU and bandwidth overhead, and the general-case protocol still remains one message delay from the absolute optimum (Yu et al., 12 Jun 2026).

A plausible implication is that Simple-IT is significant less because it proves a new asymptotic extreme than because it demonstrates a practical systems point: a signature-free, post-quantum-oriented BFT protocol can be simultaneously simple, implementable, and competitive with leading signature-based designs (Yu et al., 12 Jun 2026). In that sense, its main place in the literature is as a bridge between theoretical signature-free consensus and deployable low-latency BFT engineering.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Simple-IT.