Time-Travel-Resilient Broadcast (TTRB)

• Time-Travel-Resilient Broadcast (TTRB) is a resilient broadcast primitive that maintains consensus in permissionless PoW systems by enforcing freshness and causal consistency of messages.
• It employs explicit round-typing and cryptographic coffers to ensure only recent, valid proofs are delivered, thereby countering time-travel attacks.
• The protocol uses the Sieve algorithm alongside a deterministic PoW oracle to achieve constant-latency, robust message filtering and reliable consensus.

Time-Travel-Resilient Broadcast (TTRB) is a resilient broadcast primitive designed to achieve deterministically safe, constant-latency consensus in fully permissionless proof-of-work (PoW) systems, countering a critical class of attacks known as time-travel attacks. By tightly constraining message freshness through explicit round-typing and cryptographic causality, TTRB enables direct adaptation of state-of-the-art proof-of-stake consensus protocols, such as MMR, to environments where nodes may join, leave, and replay proofs arbitrarily, without fallback to social consensus or probabilistic finality (Farahbakhsh et al., 23 Dec 2025).

1. Formal Specification and Security Properties

TTRB operates in synchronous, round-based permissionless environments, where an unbounded set of nodes may be active or inactive at any step, and Byzantine adversaries can precompute and buffer valid PoW proofs indefinitely. At each step $s$:

• At the first tick, TTRB delivers to the application a set $\mathcal L_s$ of message tuples $\langle m, v, w \rangle$ that claim PoW generation in the previous step ($s-1$).
• The application responds with a new payload $m'$ to broadcast.
• At the last tick, TTRB multicasts this payload, complete with its PoW proof and a "coffer" (list) of accepted messages from step $s-1$.

TTRB guarantees:

• Safety (TTRB1): Every delivered message carries a correct, verifiable PoW proof generated exactly in step $s-1$; no antique messages from older steps are deliverable.
• Liveness (TTRB2): Every payload broadcast by a correct node in $s-1$ is delivered to all correct nodes in $s$.

The model presumes a synchronous, reliable network and a black-box deterministic PoW (DPoW) oracle, with a $\rho$-bounded adversary who cannot amass more than a $\rho$ fraction of the global PoW weight in any time window, for $\rho < 1/2$ (Farahbakhsh et al., 23 Dec 2025).

2. Vulnerabilities of Standard Broadcast and TTRB Intuition

Traditional authenticated broadcast and quorum-based consensus mechanisms, such as Bracha and Dolev–Strong, presuppose a fixed set of identities and threshold-based intersection properties. In permissionless PoW systems, every valid PoW message remains "legal" indefinitely, allowing Byzantine nodes to accumulate large stockpiles of genuine proofs, which can be replayed at strategic moments to subvert quorum formation—a phenomenon termed the time-travel attack.

TTRB introduces two central constraints:

1. Timestamping: Every broadcast message contains the explicit step index when its DPoW proof was requested.
2. Coffers: Each message is cryptographically linked (as a vertex in a DAG) to a coffer—an explicit supermajority list of messages accepted as fresh in the previous step.

This structure ensures that fresh messages in step $s$ are causally and cryptographically tied to fresh messages from $s-1$, and any attempted replay of antique (old) proofs is thwarted at the DAG's filtering stage due to causal inconsistency (Farahbakhsh et al., 23 Dec 2025).

3. Sieve Algorithmic Realization

TTRB is functionalized through the Sieve algorithm—a two-mode filtering mechanism with precise per-step operations. Each node maintains:

• $\mathcal M$: Set of all messages seen
• $\mathcal L$: Last step's filtered messages
• pending: Most recent payload awaiting broadcast

Key routines (condensed for clarity):

Main Loop:

\mathsf{UponNewTick}(t, \mathcal M', \mathcal R): \mathcal M \gets \mathcal M \cup \mathcal M' if\ (t \bmod K) = 0: // first tick of step s if\ node\ was\ active\ in\ s-1: \mathcal L \gets OnlineSieve(s, \mathcal M, \mathcal L) else: \mathcal L \gets BootstrapSieve(s, \mathcal M) m \gets TTRBDeliver(s,\mathcal L) pending \gets m request\ PoW:\ dpow(\langle m,\mathcal L, r\rangle, w_n) else\ if\ (t \bmod K) = K-1: // last tick obtain\ \{v\} = \mathcal R broadcast\ \langle pending, s, \mathcal L, v, w_n\rangle

Online-Sieve (for active nodes):

• Retains only timestamp-$(s-1)$ messages that pass the PoW verification, and whose cited coffer from previous round intersects with $\mathcal L$ in weight exceeding $(1-\rho) \cdot \mathrm{weight}(\mathcal L)$.

Bootstrap-Sieve (for joining nodes):

• Prunes antique messages over all prior steps, discarding any message that cannot be causally chained to a maximal weight, consistent prefix of correct messages.

Only messages whose DAG ancestry demonstrates sufficient fresh predecessor inclusion will be delivered, making time travel attacks ineffective (Farahbakhsh et al., 23 Dec 2025).

4. Deterministic Proof-of-Work Oracle (DPoW) Design

The DPoW oracle, a critical TTRB dependency, supports:

• $\mathsf{dpow}(\gamma, w)$: On challenge $\gamma$ and integer weight $w$, after deterministic delay, returns a unique proof $v$.
• $\mathsf{verify}(v, \gamma, w)$: Verifies proof $v$ is the unique correct output of the oracle on $(\gamma, w)$.

Every node may issue only one outstanding $\mathsf{dpow}$ call per input. The uniqueness and time-coupling of each proof (determined by the round) make backdating or pre-accumulation attacks unfeasible, under the $\rho$-bounded assumption.

A concrete instantiation uses Merkle-trees over $w$ leaves $\mathcal H(\chi), \ldots, \mathcal H(\chi + w - 1)$, achieving deterministic work of approximately $2w + k$ hash calls and $O(k\log w)$ verification complexity (Farahbakhsh et al., 23 Dec 2025).

5. Security Argument and Sieve Invariant

The TTRB security argument formalizes the Sieve Invariant (SI):

• SI1: Every $m \in \mathcal L$ at step $s$ is generated in $s-1$.
• SI2: Every correct node that broadcast in $s-1$ has its message in $\mathcal L$.

Online-Sieve upholds SI by induction: Correct timestamp-$(s-1)$ messages cite a supermajority of correct timestamp-$(s-2)$ messages (the induction hypothesis), ensuring they pass the $(1-\rho)$ threshold. An antique message, devoid of fresh coffer references, fails filtering.

Bootstrap-Sieve—through an iterative, prefix-maximal DAG pruning over history—guarantees that at any iteration $s'$, an old adversarial message is eliminated unless it genuinely extends a correct ancestry, which only honest participation can provide.

Thus, TTRB1 (only fresh, valid PoW messages are delivered) and TTRB2 (all honest broadcasts are delivered everywhere) follow directly from preservation of SI (Farahbakhsh et al., 23 Dec 2025).

6. Performance and Complexity

Key complexity metrics:

Component	Asymptotic Cost / Latency	Details
Broadcast round latency	1 step ($K$ ticks/step)	Each round: request PoW, $K-2$ idle, 1 broadcast
Communication complexity	$O(N^2)$ per step	All-to-all, with message $\langle$payload, timestamp, coffer, PoW$\rangle$
Online-Sieve	$O(|\mathcal L|)$ per message	Filtering via coffer membership
Bootstrap-Sieve	Exponential in history length	Used only for inactive/rejoining nodes
MMR commit latency	3–7 steps (constant expected)	Best case: 3 steps; adversarial: 7 steps (Farahbakhsh et al., 23 Dec 2025)

This deterministic, constant expected latency for end-to-end total-order broadcast is inherited from the MMR protocol layered atop TTRB, which, in Sieve-MMR, provides provable safety and liveness (Farahbakhsh et al., 23 Dec 2025).

7. Comparison with Traditional Reliable Broadcast

Traditional atomic broadcast requires a fixed authenticated node set, with quorum intersection guaranteeing safety. In permissionless PoW networks:

• Byzantine actors may replay precomputed PoWs, passing all authenticity checks, undermining quorum intersection.
• TTRB uniquely enforces "freshness" by requiring every message to be uniquely typed by generation step (timestamp) and cryptographically linked by its coffer to the previous round's honest messages.
• Use of DPoW weight thresholds ensures that only messages causally and temporally coherent with the honest supermajority are admissible.

This construction restores the intersection properties necessary for deterministic safety in permissionless, PoW-based consensus, enabling fully permissionless protocols without external mechanisms or probabilistic fallback (Farahbakhsh et al., 23 Dec 2025).