spec.html

<!DOCTYPE html>
<html>
<head>
<meta charset='utf-8'>
<title>EBFT Consensus Algorithm Specification v1</title>

<script
src='https://www.w3.org/Tools/respec/respec-w3c-common'
class='remove'></script>

<style>
table, th, td {
    border: 1px solid black;
    border-collapse: collapse;
}
th, td {
    padding: 5px;
}
code {
    font-family: georgia, serif;
	color: black;
	font-size: 105%;
}
</style>

</head>

<body>

<section id='abstract'>

This document, the EBFT Consensus Algorithm Specification, describes a
<a>Proof of Authority</a> (PoA) <a>Byzantine Fault Tolerant</a> (BFT) blockchain
consensus protocol suited for eventually synchronous networks.

The Enterprise Byzantine Fault Tolerant (EBFT) protocol builds on the IBFT
blockchain consensus protocol ([[IBFT]] and [[Quorum]]), retaining all of its
original features, plus addresses safety and liveness limitations described in a
previous work [[IBFT-Analysis]].

</section>

<section id='sotd'>

*This section describes the status of this document at the time of its
publication. Newer documents might supersede this document.*

This is an editors' draft of the EBFT Consensus Algorithm Specification
version 1, with a number of items still to be addressed, including, but limited
to:
- Add pseudocode for the algorithm to determine the validator set.
- Add pseudocode for the algorithm to the block proposer.
- Replace abstract data structures with concrete data structures, if possible.
- Integrate the agreed improvements in the EEA protocol specification.

Extra para.

</section>

  <section id="sec-introduction" class="informative">

  <h2>Introduction</h2>

The EBFT protocol is a <a>Proof of Authority</a> (PoA)
<a>Byzantine Fault Tolerant</a> (BFT) blockchain consensus protocol enabling
consortium networks to leverage on the capabilities of
<a>Ethereum smart contracts</a>. The protocol:

- Ensures <a>immediate finality</a>.
- Is <a>robust</a> in an <a>eventually synchronous network</a> model.
- Features a <a>dynamic validator set</a>.

The EBFT protocol builds on the IBFT protocol ([[IBFT]] and [[Quorum]]), 
inheriting all its properties while addressing the following limitations
described by Saltini [[IBFT-Analysis]]:

  <ul>
    <li>
<a>Persistence</a> is not guaranteed:
    <ul>
      <li>
One Byzantine <a>validator</a> is potentially able to remove a transaction or
change the position of a finalized transaction.
      </li>
      <li>
In a network of six <a>validators</a>, even if all <a>validators</a> are honest,
a network partitioning can cause the blockchains maintained by two sets of three
<a>validators</a> each to diverge. After the partitioning is resolved,
<a>validators</a> have to choose one chain, which means removing or reordering
transactions of the other chain.
      </li>
      <li>
The IBFT protocol does not guarantee that a transaction added to the local
blockchain of one <a>validator</a> is eventually added to the local blockchain
of all other nodes.
      </li>
    </ul>
    </li>
    <li>
<a>Liveness</a> is not guaranteed. Specifically, the IBFT protocol might reach a
state where no new blocks can be added to any local blockchain, which means that
no new transactions can be added to the distributed ledger.
    </li>
  </ul>

  </section>

  <section id="conformance">

  </section>


  <section id="sec-terminology" class="informative">

  <h2>Terminology</h2>

This section outlines the terminology used to describe the EBFT protocol.

  <dl>
    <dt><dfn data-lt="validator">Validators</dfn></dt>
    <dd>
Multiple nodes participating in the EBFT protocol to finalize blocks on
the chain.
    </dd>

    <dt><dfn data-lt="proposers">Proposer</dfn></dt>
    <dd>
A <a>validator</a> that proposes a block. Only one node acts as a proposer for
any given <a>round</a> and <a>height</a>.
    </dd>

    <dt><dfn data-lt="standard nodes|node|nodes">Standard node</dfn></dt>
    <dd>
A node that does not propose or validate blocks.
    </dd>

    <dt>Blockchain consensus protocol</dt>
    <dd>
Blockchains are the most widely-adopted implementations of <em>distributed
ledgers</em>, which are append-only databases of transactions that are
replicated across multiple participants and where the trust and responsibility
for maintaining the database is spread across all, or a subset of, the
participants.<br>

This is in contrast to traditional centralized systems where full trust is given
to a central authority responsible for maintaining the database. One issue with
this traditional approach is that the central authority has the power to alter
the database unilaterally. The decentralisation aspect of distributed ledger
technology makes it well suited in situations where the central authority is
either adding costs to the system or undermining trust in the system itself.

Blockchains implement distributed ledgers by batching transactions into blocks
and cryptographically linking each block to the previous one forming a chain of
blocks. Consensus protocols play a fundamental role in the blockchain technology
as they responsible for ensuring that the chain of blocks replicated amongst the
participants is consistent. The type of network and environment assumptions made
when designing a consensus protocol influence how the blockchain performs after
it is deployed in a real environment and network. Some of the key performance
metrics that are heavily influenced by consensus protocols are:
      <ul>
        <li>
<dfn>Throughput</dfn>. For example, the number of transactions per second.
        </li>
        <li>
<dfn>Latency</dfn>. That is, time taken from when a transaction is submitted to
the system to when the transaction is included in a block.
        </li>
        <li>
<a>Robustness</a>. That is, what type of attacks the protocol can withstand.
        </li>
      </ul>
    </dd>

    <dt><dfn data-lt="ethereum smart contract">Ethereum smart contracts</dfn></dt>
    <dd>
Compared to Bitcoin, which was the first widely adopted blockchain and mainly
allows transferring values between participants, the Ethereum blockchain
specifies a Turing-complete language that can be used to build small distributed
programs, called <em>smart contracts</em>. Smart contracts are executed on a
sandboxed runtime on any participant on execution of transactions. The
availability of a Turing-complete language allows users to specify a custom set
of rules and behavior associated with any transaction referring a specific smart
contract.
    </dd>

    <dt><dfn data-lt="bft">Byzantine fault tolerant</dfn> (BFT)</dt>
    <dd>
Byzantine fault tolerant, or BFT, specifies the type of participant fault mode
that the consensus protocol can cope with. Specifically, BFT identifies a class
of consensus protocols that ensure blockchain consistency despite some of the
participants, referred to as Byzantine, being malicious and acting arbitrarily.
The term <dfn>Byzantine</dfn> is used to identify malicious nodes, and dates
back to the "The [[Byzantine-Generals-Problem]]" paper. The Byzantine failure
mode is the strongest failure mode considered in the consensus protocol
literature. Another common, but weaker, failure mode is fail-stop failure mode,
which only considers participants that stop communicating, but never acting
maliciously.
    </dd>

    <dt><dfn data-lt="poa">Proof of Authority</dfn> (PoA)</dt>
    <dd>
Another way to classify consensus protocols is by the technique used to prevent
Sybil attacks. A Sybil attack is where a participant is able able to gain power
in the system by creating multiple pseudonymous identities. Typically, creating
a new digital identity that can be used to interact with a blockchain is
relatively cheap because it only requires generating a random private key and
the related public key, which can be done in a matter of seconds on any modern
personal computer.<br>

One of the most widely used and famous techniques for preventing Sybil attacks
is Proof of Work ([[PoW]]), which was originally pioneered by Dwork et al., and
gained subsequent publicity by its employment in Bitcoin. PoW requires
participants to spend computing effort in solving a hard cryptographic puzzle
before being able to propose a block to be added to the blockchain.

<dfn data-lt="pos">Proof of Stake</dfn> (PoS) is another well known technique
where the right to propose new blocks is given by the amount of stake owned.

In contrast, PoA prevents Sybil attacks by conferring the right to create new
blocks only to a defined set of identities.
    </dd>

    <dt>Consortium blockchains</dt>
    <dd>
Compared to permissionless, or public, blockchains, like Bitcoin or Ethereum,
where anybody can join the network and participate in the protocol, in
consortium blockchains permissioning exists, which enables only a set of
participants to propose new blocks and to participate in the consensus
protocol.<br>

PoA type consensus protocols, like EBFT, are well suited to this type of
permissioning. While not every participant can propose new blocks, some
consortium blockchains allow any valid blockchain identity to read data from the
blockchain. EBFT also allows for this type of configuration.
    </dd>

    <dt><dfn>Immediate Finality</dfn></dt>
    <dd>
A transaction is deemed to be <em>final</em> after it is included in the
blockchain and it cannot be removed, except if the environment is compromised. A
compromise can occur, for example, if the number of Byzantine participants is
higher than the maximum number the protocol can withstand.<br>

Immediate finality means that as soon as a transaction is included in a block,
the protocol guarantees that the transaction will not be removed.

By comparison, the PoW consensus protocol in Bitcoin and Ethereum only
guarantees eventual probabilistic finality, where the deeper a transaction is in
the blockchain, the less probable that the transaction can be removed or have
its position changed. Casper FFG, the Ethereum 2.0 PoS consensus protocol,
provides eventual non-probabilistic finality, where transactions eventually
reach a state where they cannot be removed or have their position changed, but
this does not necessarily happen at every block.
    </dd>

    <dt>Robust in an eventually synchronous network</dt>
    <dd>
<dfn data-lt="robust">Robustness</dfn> refers to two important properties that
any blockchain consensus protocol must provide:
      <ul>
        <li>
<dfn>Persistence</dfn>, which ensures consistency of the blockchain amongst all
participants.
        </li>
        <li>
<dfn>Liveness</dfn>, which ensures that transactions submitted to participants
will eventually be included in the blockchain.
        </ul>
      </ul>

An <dfn>eventually synchronous network</dfn> identifies a network model under
which <a>robustness</a> of the protocol can be assured. In literature, there are
three main network models that were considered, which differ on the assumptions
made on transmission latency:
      <ul>
        <li>
Synchronous networks. The maximum latency (the time required for a message to
reach its recipient) is bounded and known.
        </li>
        <li>
Asynchronous networks. The maximum latency is unknown and messages might never
be delivered.
        </li>
        <li>
Partially synchronous networks. This model lies in between synchronous and
asynchronous. Specifically, there are two possible definitions of partial
synchronous networks:
          <ul>
            <li>
Messages are guaranteed to be delivered, but the maximum latency is unknown. To
the best of our knowledge, no specific name is defined for this model.
            </li>
            <li>
Eventually synchronous networks where there exists a point in time, called
global stabilisation time (GST) after which the message delay is bounded by a
finite and constant value.
            </li>
          </ul>
        </li>
      </ul>

The model with the weakest assumptions is the asynchronous network model,
followed by the partially synchronous network model and then the synchronous
network model, in this order. Between the two definitions of partial synchronous
networks, eventual synchrony is the one with the weaker assumptions. As proved
by Fischer et al. [[One-Faulty-Process]] in 1985, no consensus protocol that
aims to tolerate at least one fail-stop participant is guaranteed to terminate
in the model with the weakest assumptions (asynchronous network model). This
means that the <a>liveness</a> property introduced above would be impaired in
this model. There exist solutions that operate in the asynchronous network
model, but the termination is only guaranteed probabilistically. The EBFT
protocol is therefore <a>robust</a> in the network model with the weakest
assumptions coming after the asynchronous network model.
    </dd>

    <dt><dfn>Dynamic validator set</dfn></dt>
    <dd>
Compared to classic (non-blockchain) consensus protocols where the set of
participants is known in advance and never changes, EBFT, like Clique,
allows participants to add and remove <a>validators</a> by a voting mechanism.

  </section>

  <section id="eea-protocol-overview">

  <h2>EBFT Protocol Overview</h2>

As is common to any blockchain implementation, each EBFT node maintains a local
copy of the blockchain where the first block, the <dfn>genesis block</dfn>, is
the same for all nodes.

Each block $B$ added to the blockchain must be cryptographically linked to
another block in the blockchain, $B_p$, which is defined as the
<dfn>parent</dfn> of block $B$. Conversely, $B$ is defined as the
<dfn>child</dfn> of $B_p$.

In EBFT, starting from the <a>genesis block</a>, the next block to be added to
the local blockchain maintained by a node is the <a>child</a> of the block that
was previously added to the blockchain. In this way, the EBFT blockchain can be
modelled as a linked list of blocks, instead of a tree, like in the public
Ethereum blockchain. In alignment with common terminology used in literature,
the <dfn>height</dfn> of a block in a blockchain is defined as the number of
parent links separating the block from the genesis block. The
<a>genesis block</a> has therefore height 0.

The EBFT protocols can be modelled as running sequential instances of what are
called the <em>EBFT-block-finalization-protocol</em>, where the objective of the
$h$-th instance of the EBFT-block-finalization-protocol is to decide which
Ethereum block, and consequently which set of transactions, are to be added at
height $h$ of the blockchain maintained by any EBFT node.

Only a subset of the entire set of EBFT nodes can participate in the $h$-th
instance of the block finalization protocol. This set of nodes are called the
<em><a>validators</a></em> for height/instance h</em> and refer to each member
of this set as a <em><a>validator</a> for height/instance h</em>. All of the
nodes not included in the <a>validator</a> set for height/instance
$h$ are referred to as <a>standard nodes</a>. In statements about
<a>validators</a> where it is clear from the context, we often omit
<em>for height/instance h</em>. The set of <a>validators</a> for each instance
$h$ of the EBFT-block-finalization-protocol is deterministically computed as a
function of the chain of blocks from the <a>genesis block</a> to the block with
height $h-1$.

Each instance of the EBFT-block-finalization-protocol is organized in
<dfn data-lt="round">rounds</dfn>. In each round, one of the <a>validators</a> 
(referred to as the <a>proposer</a>)
is responsible for proposing an Ethereum block for the height associated with
the specific instance of the EBFT-block-finalization-protocol that the
<a>validators</a> is running. After agreement is reached, the
EBFT-block-finalization-protocol creates a finalized block, which includes
the Ethereum block and additional information that allows any node, even nodes
that did not participate in the EBFT-block-finalization-protocol, to verify
that agreement on the Ethereum block included in the finalized block was
correctly added.

In practice, each EBFT node adds finalized blocks to its local blockchain.
In this way, any node joining the
network at any point in time, when synching its local blockchain with its peers,
receives all the information required to verify that agreement was reached
correctly on each block that it receives, even on those created before it joined
the network.

Each Ethereum block can carry a vote, cast by the proposer of that block, to add
a <a>validator</a> to or remove a <a>validator</a> from the <a>validator</a>
set. When more than half of the <a>validators</a> cast a consistent vote to add
or remove a <a>validator</a> to or from the <a>validator</a> set, the
<a>validator</a> is added or removed from the validator set starting from the
next block and all of the votes targeting this <a>validator</a> are discarded.

<p class="note">The exact definition of the algorithm for calculating the
validator set is missing from the current version of this specification and
must be added at some point before finalization of the document.</p>

  </section>

  <section id="eea-protocol-specification">

  <h2>EBFT Protocol Specification</h2>

This section provides a detailed specification of the EBFT protocol.

    <section id="algorithm-convensions">

    <h3>Algorithm Conventions</h3>

The EBFT protocol algorithms are textually described in Sections
<a href="#algorithm-1-description"></a> and
<a href="#ibft2-block-finalization-protocol"></a>, and by the pseudocode in
Section <a href="#algorithm-pseudocode"></a>. The following
conventions are used:

  <ul>
    <li>
Statements are expressed in a mathematical form, but with standard
mathematical symbols replaced by their English equivalent. For example,
$\mathbf{in}$ instead of $\in$, $\mathbf{and}$ instead of $\land$,
$\mathbf{there\;exists}$ instead of $\exists$, and so on. The intent is to
provide an unambiguous definition of the protocol that can be understood by
people not familiar with standard mathematical notation.
    </li>
    <li>
Comments identified by
<code style="color:green;">text in green typewriter font</code> are used to
provide a natural language description of pseudocode statements that might not
be immediately obvious.
    </li>
    <li>
For brevity of notation, using individual existential quantifiers
(for example, $\exists$ in mathematical notation and $\mathbf{there\;exists}$ in
English notation) for message fields is avoided, but instead expressed as
existential quantifiers on the entire message. An overhead line (for example
$\overline{var}$) is used to indicate message fields that, if the extensive
notation was used, then they should be expressed using an
existential quantifier. For example, $\mathbf{there\;exists}$
$\langle{f_1,}\overline{f_2}\rangle$ $\mathbf{in}$ ${receivedMessages_v}$
stands for $\mathbf{there\;exists}$ $f_2$ $\mathbf{such\;that\;there\;exists}$
$\langle{f_1,f_2}\rangle\in{receivedMessages_v}$.
    </li>
    <li>
Each of the $\mathbf{upon}$ blocks in the pseudocode is assumed to be executed
atomically when the condition specified after the $\mathbf{upon}$ keyword is
satisfied.
    </li>
    <li>
All functions in <code>typewriter font</code> are defined in the remainder of
this section.
    </li>
    <li>
All functions in ${italic\;font}$ are defined in the pseudocode.
    </li>
    <li>
${receivedMessages_v}$ corresponds to the set of all messages received by node
$v$.
    </li>
    <li>
$\mathtt{peers}_v$ corresponds to the set of DEVp2p Gossip protocol peers of
$v$;
    </li>
    <li>
$\{m\in{V}$ $\mathbf{such\;that}$ $P(m)\}$ corresponds to the set of all the
elements of $V$ for which predicate $P$ is true.
    </li>
    <li>
$\{F(m)$ $\mathbf{such\;that}$ $m\in{V}$ $\mathbf{and}$ $P(m)\}$ corresponds
to the set obtained by applying the function $F$ to all the elements of $V$ for
which predicate $P$ is true.
    </li>
    <li>
$\mathtt{allSubSetsOf}(M)$ corresponds to the set of all of the subsets of
$M$, which is usually called the power set of $M$. For example,
$\mathtt{allSubSetsOf}(\{m_1,m_2,m_3\})$ corresponds to the set
$\{\{\},\{m_1\},\{m_2\},\{m_3\},\{m_1,m_2\},\{m_1,m_3\},\{m_2,m_3\},\{m_1,m_2,m_3\}\}$.
    </li>
    <li>
The symbol $*$ denotes any value.
    </li>
    <li>
<span style="color:darkred">Dark red color</span> denotes messages used only
for modelling purposes and that do not have an immediate one-to-one relationship
with the messages of the $\texttt{eth}$ sub-protocol [[Ethereum-Wire-Protocol]].
The mapping between the abstract model and the concrete messages is provided in
Section <a href="data-structures"></a>.
    </li>
    <li>
Black color when applied to messages denotes EBFT specific messages not
included in the current $\texttt{eth}$ sub-protocol [[Ethereum-Wire-Protocol]].
    </li>
    <li>
$T:(t_1,...,t_n)$ indicates a tuple $(t_1,...,t_n)$ that is thereafter referred
to as $T$.
    </li>
    <li>
${\pi_m}(T)$ corresponds to the $m$-th element of the tuple $T$ where the
first element has index 1. For example, ${\pi_2}((t_1,t_2,t_3))$ corresponds to
$t_2$.
    </li>
    <li>
$\mathtt{blockHeight}(EB)$ is defined as the height of the Ethereum block
$EB$.
    </li>
    <li>
$\mathtt{sizeOf}(M)$ indicates the size of the set $M$. That is,
$\mathtt{sizeOf}(M)\equiv\lVert{M}\rVert$.
    </li>
    <li>
$\mathtt{EthAddressRecover}(H,signature)$ corresponds to the Ethereum address
whose signature of the hash $H$ corresponds to $signature$.
    </li>
    <li>
Each <a>validator</a> $v$ stores its local blockchain in $chain_v$.
    </li>
    <li>
$chain_v[n]$ corresponds to the finalized block with height $n$, while
$chain_v[n:m]$ corresponds to a sub-chain including all of the finalized blocks
from height $n$ to height $m$ included.
    </li>
    <li>
$chain_{EB_v}[n]$ corresponds to the Ethereum block included in the finalized
block with height $n$, while $chain_{EB_v}[n:m]$ corresponds to a sub-chain
including all of the Ethereum blocks included in the finalized blocks from
height $n$ to height $m$ included.
    </li>
    <li>
The blockchain height is defined as the height of the last finalized block
added to the blockchain.
    </li>
    <li>
$\mathtt{validators}(chain_v[0:h-1])$ represents the set of authorized
<a>validators</a> for instance $h$ of the EBFT-block-finalization-protocol.
    </li>
    <li>
$\mathtt{n}(chain_v[0:h-1])$ represents the number of <a>validators</a> for
instance $h$ of the EBFT-block-finalization-protocol. That is,
$\mathtt{n}(chain_v[0:h-1])\equiv\mathtt{sizeOf}(\mathtt{validators}(chain_v[0:h-1]))$.
    </li>
    <li>
For the purpose of this section, $\mathtt{isValidBlock}(EB,EB_p)$ is defined to
be true if and only if block $EB$ is a valid Ethereum block with parent $EB_p$
where $\mathtt{isValidBlock}(EB,EB_p)$ only verifies the following fields of the
standard Ethereum header:

    <ul>
      <li>
<code>parentHash</code>
      </li>
      <li>
<code>stateRoot</code>
      </li>
      <li>
<code>transactionsRoot</code>
      </li>
      <li>
<code>receiptsRoot</code>
      </li>
      <li>
<code>logsBloom</code>
      </li>
      <li>
<code>number</code>
      </li>
      <li>
<code>gasLimit</code>
      </li>
      <li>
<code>gasUsed</code>.
      </li>
    </ul>

For a detailed description of the validation performed by $\mathtt{isValidBlock}$
see Section <a href="#sec-block-header-validation"></a>.
    </li>

    <li>
Each EBFT finalized block $FB$ is modelled by the tuple $(FB_{EB},FB_{FP})$ where:
    <ul>
      <li>
$FB_{EB}$ is the Ethereum block to be added to the blockchain.
      </li>
      <li>
$FB_{FP}$ is the proof that agreement was correctly reached on the position in
the chain of the block $FB_{EB}$.
      </li>
    </ul>
    </li>

    <li>
Each finalization proof $FP$ is modelled by the tuple $(FB_r,FB_{CS})$ where:
    <ul>
      <li>
$FB_r$ is the round number of the EBFT-block-finalization-protocol, during the
execution of which, agreement on the block inclusion in the blockchain was
reached.
      </li>
      <li>
$FB_{CS}$ is a list of signatures on both the Ethereum block and the round
proving that agreement was reached by a correct execution of the
EBFT-block-finalization-protocol. For more information about how this list of
signatures, called <dfn data-lt="commit seal">commit seals</dfn>, are
computed, see Section 3.1 of the [[IBFT2-Gray-Paper]].
      </li>
    </ul>

    </li>
  </ul>

    </section>

    <section id="algorithm-1-description">

    <h3>Description of the EBFT protocol (Algorithm 1)</h3>

The overarching structure of the EBFT protocol is essentially specified by the
$\mathbf{upon}$ block at line 10 of Algorithm 1, which states that when a new
finalized block is received by a node $v$, $v$ executes the following operations:
  <ol>
    <li>
Verifies if the finalized block received is for the next expected chain height.
That is, $h_v$.
    </li>
    <li>
If so, it verifies if the finalized block received is a valid finalized block.
    </li>
    <li>
If both verifications pass, then:
    </li>
    <ol type="a">
      <li>
$v$ adds the finalized block to its local blockchain.
      </li>
      <li>
If $v$ is a <a>validator</a> for the current instance of the
EBFT-block-finalization-protocol, then $v$ stops that instance.
      </li>
      <li>
$v$ advances the next expected block height, $h_v$, by 1.
      </li>
      <li>
If $v$ is a <a>validator</a> for the EBFT-block-finalization-protocol instance
for the new value of $h_v$, then $v$ starts that instance.
      </li>
    </ol>
  </ol>

As described by the function $isValidFinalizationBlock(FB,v)$ at line 3, an
EBFT finalized block $FB$ is defined valid if and only if all of the following
conditions are met:

- It contains at least $Quorum(n)\equiv\left\lceil\frac{2n}{3}\right\rceil$
different commit seals, where $n$ is the number of <a>validators</a> for
instance $h$ of the EBFT-block-finalization-protocol. That is,
$n\equiv\mathbf{n}(chain_v[0:h-1])$.
- Each commit seal corresponds to the signature of one of the <a>validators</a>
over the Ethereum block and the round number included in the finalization proof.

Finalized blocks are delivered to nodes using the standard $\texttt{eth}$
[[RLPx]] sub-protocol [[Ethereum-Wire-Protocol]]. In the pseudocode the actual
$\texttt{eth}$ sub-protocol is abstracted and models the reception of a
finalized block $FB$ with the reception of a
<span style="color:darkred">$\langle\mathsf{FINALIZED-BLOCK},FB\rangle$</span>
message. No such message actually exists in the concrete EBFT protocol. As per
the standard $\texttt{eth}$ sub-protocol, a block can be received either using
an unsolicited NewBlock message or using the pair of messages
GetBlockHeaders/BlockHeaders followed by the pair of messages
GetBlockBodies/BlockBodies [[Ethereum-Wire-Protocol]].

As specified by the $\mathbf{upon}$ block at line 19, when a node $v$ receives
an EBFT message (Proposal, Prepare, Commit or Round-Change message) including a
height $h_m$ with value $\ge$ than the next expected height $h_v$, if the sender
of the message is one of the DEVp2p peers of $v$, then $v$ starts asking the
peer for finalized blocks with height between the $v$'s current height $h_v$ and
the height $h_m$ included in the EBFT message received. This is modeled with the
transmission of a
<span style="color:darkred">$\langle\mathsf{GET-BLOCKS},h_v,h_m\rangle$</span>
message. The peer's response to this request is modeled as a
<span style="color:darkred">$\langle\mathsf{FINALIZE-BLOCK},FB\rangle$</span>
message. As stated previously, this is not an exact description of the real
messages sent by the implementation. It is a modelling of the DEVp2p behavior
useful in this context for specifying the EBFT protocol at a high level. In
modelling of this protocol, $\mathbf{expectedHeight}_v[v']$ is used to express
that Get-Blocks messages are sent only the first time an EBFT message with a
height higher than $h_v$ is received.

    </section>

    <section id="ibft2-block-finalization-protocol">

    <h3>Description of the EBFT-block-finalization-protocol (Algorithm 2)</h3>

This section describes a generic $h$ instance of the
EBFT-block-finalization-protocol for a <a>validator</a> $v$, as detailed in
Algorithm 2 in Section <a href="#algorithm-pseudocode"></a>.

The EBFT-block-finalization-protocol is organized in rounds, starting from round
0, where <a>validators</a> progress to the next round after they suspect that in
the current round they cannot decide on the block to be included at height $h$
of the blockchain. Both in Algorithm 2 and in this description, the current
round for the $h$-th instance of the EBFT-block-finalization-protocol for
<a>validator</a> $v$ is denoted as $r_{h,v}$.

For each round, one of the <a>validators</a> is selected to play the role of
block proposer. The selection is operated by the evaluation of
$\mathbf{proposer}(chain_v[0:h-1],r_{h,v})$ where
$\mathbf{proposer}(\cdotp,\cdotp)$ is a deterministic function of the chain of
blocks from the genesis block until the block with height $h-1$ and the current
round number.

The pseudocode at lines 2 to 4 introduces the following macros:

- $n_{h,v}$, which is the number of <a>validators</a> for the $h$-th instance of
the EBFT-block-finalization-protocol for <a>validator</a> $v$.
- $\mathbf{validators}_{h,v}$, which is the <a>validators</a> for the $h$-th
instance of the EBFT-block-finalization-protocol for <a>validator</a> $v$.
- $\mathbf{proposer}_{h,v}(r_{h,v})$, which is the proposer for round
$r_{h,v}$ of the $h$-th instance of the EBFT-block-finalization-protocol for
<a>validator</a> $v$.

These macros are used both in the pseudocode and in this section to simplify the
notation when describing the $h$-th instance of the
EBFT-block-finalization-protocol for <a>validator</a> $v$. The term,
<em>non-proposing <a>validators</a> for round r and instance h</em>, is used to
indicate all of the <a>validators</a> for round $r$ and instance $h$ with the
exclusion of the proposer for round $r$ and instance $h$.

The proposer selection function ensures that all of the <a>validators</a> for
the $h$-th instance of the EBFT-block-finalization-protocol are selected for any
sequence of $n_{h,v}$ consecutive rounds. Also, the proposer for round 0
corresponds to the proposer of the proposer selection sequence that comes after
the proposer of the block included in the previous finalized block.

  <p class="note">
The specification and description of the exact algorithm used for the proposer
selection function is currently not included in this specification and must be
added at some point before finalization of the document.
  </p>

As specified by the initialization block (line 9), if $v$ is the selected block
proposer for the first round, that is, round 0, then $v$ multicasts a <a>Proposal message</a>
$\langle\langle\mathsf{PROPOSAL},h,0,\mathbf{KEC}(PB)\rangle_{\sigma_v},PB,\bot\rangle$
to all <a>validators</a> (including itself) that comprises the message
$\langle\langle\mathsf{PROPOSAL},h,0,\mathbf{KEC}(PB)\rangle_{\sigma_v}$
signed by $v$, the proposed block $PB$ and a Round-Change-Certificate, which for
round 0 is empty (that is, $\bot$). More detail on how the
Round-Change-Certificate is assembled is provided further down in this section
when discussing how <a>validators</a> move to a different round.

The proposed block $PB$ is modelled here as a tuple where the first element is a
standard Ethereum block and the second element is the current round number at
which the Ethereum block was created, which at initialization is 0.
$\mathbf{KEC}(\cdotp)$ represents the Keccak hash function. The pseudocode uses
$\mathbf{createNewProposedBlock}(h,v)$ to represent the creation of a new block
with height $h$ by <a>validator</a> $v$. Honest <a>validators</a> employee a
fair transaction selection algorithm to decide which transactions to include in
the next block. The definition of such algorithm is outside the scope of this
document.

As specified by lines 31 to 32, a <a>validator</a> $v$ accepts a <a>Proposal message</a>
$\langle\langle\mathsf{PROPOSAL},h_{pp},r_{pp},H\rangle,PB:(EB,r_{EB}),*\rangle$
if and only if all of the following conditions are met:

- $v$ is currently running the EBFT-block-finalization-protocol instance
$h_{pp}$. That is, $h_{pp}=h$.
- $v$ is in round 0. That is, $r_{pp}=r_{h,v} = 0$.
- The signed portion of the message, $\langle\mathsf{PROPOSAL},h_{pp},r_{pp},H\rangle$,
is signed by the selected proposer for round $r_{h,v} = 0$ and instance $h$ of
the EBFT-block-finalization-protocol.
- $v$ has not already accepted a <a>Proposal message</a> for round $r_{h,v} = 0$
in the $h$-th instance of the EBFT-block-finalization-protocol. That is,
$acceptedPB = \bot$.
- The Ethereum block $EB$ included in the proposed block $PB$ is a valid block
for height $h$.
- The round number included in the prepared block $PB$ matches the current round
number. That is, $r_{h,v} = r_{EB} = 0$.
- $H$ corresponds to the Keccak hash of the proposed block $PB$.

When a <a>validator</a> $v$ accepts a <a>Proposal message</a>, it:

- Marks the <a>Proposal message</a> as accepted by setting the state variable
$acceptedPB$ to the proposed block included in the <a>Proposal message</a> (see
line 16).
- Multicasts a <a>Prepare message</a>
$\langle\mathsf{PREPARE},h,r_{h,v},H\rangle_{\sigma_v}$ (see line 17) to all
<a>validators</a> (including itself).

The $\mathbf{upon}$ block at line 36 is executed the first time all of the
following conditions are met by <a>validator</a> $v$:

- $v$ has accepted a <a>Proposal message</a> for the proposed block $PB$. That
is, $acceptedPB_{h,v} = PB$.
- $v$ has received, from non-proposing <a>validators</a> for the current round,
at least $Quorum(n_{h,v})-1$ <a>Prepare message</a> for the current instance of
the EBFT-block-finalization-protocol, current round, and with digest $H$
corresponding to the Keccak hash of the accepted proposed block $PB$.

When all of the conditions listed above are met for the first time, then:

- $v$ multicasts a <a>Commit message</a>
$\langle\mathsf{COMMIT},h,r_{h,v},H,CS(PB,v)\rangle_{\sigma_v}$ to all
<a>validators</a> (including itself), where $CS(PB,v)$, called
<em>commit seal</em>, corresponds to the signature of $v$ over the proposed
block $PB$ and the current round number.
- $v$ sets $latestPreparedProposedBlock_{h,v}$ to the proposed block $PB$;
- $v$ sets $latestPC_{h,v}$ to a set including the signed portion of the
accepted <a>Proposal message</a> and all of the <a>Prepare message</a> sent by
non-proposing <a>validators</a> for the current round targeting the current
instance of the EBFT-block-finalization-protocol, current round and with
digest $H$ corresponding to the Keccak hash of the accepted proposed block $PB$.

The pseudocode uses the state variable $commitSent_{h,v}$ to indicate that the
<a>Commit message</a> is sent only the first time that all of the conditions
listed above are met. $commitSent_{h,v}$ is set to $true$ at line 39 and reset
to $false$ in the $StartNewRound$ procedure at line 26. Borrowing from the PBFT
terminology, when a <a>validator</a> meets the conditions indicated in the
$\mathbf{upon}$ block at line 36, then $v$ is said to be $prepared$ at round
$r_{h,v}$. Borrowing again from the PBFT terminology, $latestPC_{h,v}$ is the
latest Prepared-Certificate and the protocol is designed so that
$latestPC_{h,v}$ always holds at least the minimum number of messages required
to prove that $v$ $prepared$ in round $r_{h,v}$ on a proposed block with Keccak
hash $H$. A Prepared-Certificate is said to be for round $r$ and instance $h$
if and only if the Prepared-Certificate only includes signed
<a data-lt="proposal message">Proposal</a> and
<a data-lt="prepare message">Prepare</a> messages for round $r$ and height $h$.
$latestPC_{h,v}$ always holds the Prepared-Certificate for the latest round in
the current instance $h$ where $v$ is $prepared$. $latestPC_{h,v} = \bot$ only
if $v$ has never $prepared$ in the current instance $h$.

The $\mathbf{upon}$ block at line 44 is executed the first time all of the
following conditions are met by <a>validator</a> $v$:

- $v$ has accepted a <a>Proposal message</a> for the proposed block $PB$. That
is, $acceptedPB_{h,v} = PB$.
- $v$ has received, from at least different $Quorum(n_{h,v})$ <a>validators</a>
for the current instance of the EBFT-block-finalization-protocol, a
<a>Commit message</a> for the current instance of the
EBFT-block-finalization-protocol, current round, with digest $H$ corresponding
to the Keccak hash of the accepted proposed block $PB$ and commit seal signed by
the sender of the <a>Commit message</a>.

When all of the conditions listed above are met for the first time, then:

- $v$ creates a block finalization proof modelled as a tuple comprising the
current round number and the commit seals included in all the
<a>Commit messages</a> that satisfy the condition on <a>Commit messages</a>
stated above.
- $v$ creates a finalized block modelled as a tuple comprising the Ethereum
block included in the proposed block and the finalization proof.
- $v$ broadcasts the finalized block to all nodes.

The pseudocode uses the state variable $finalizedBlockSent_{h,v}$ to trigger the
transmission of a finalized block only the first time the conditions listed
above are met. $finalizedBlockSent_{h,v}$ is set at line 50 and reset in the
$StartNewRound$ procedure at line 12.

In alignment with PBFT, the EBFT protocol relies on a round change
sub-protocol to detect whether the selected proposer might be Byzantine and
causing the protocol to never terminate. As specified at lines 21 to 22,
whenever a <a>validator</a> $v$ starts a new round, it starts a round timer with
a duration exponential to the round number (see line 8).

When <a>validator</a> $v$'s round timer for the current round expires (line 51),
$v$ starts the round $r_{h,v} + 1$ and multicasts a
$\langle\langle\mathsf{ROUND-CHANGE},h,r_{h,v} + 1,latestPC_{h,v}\rangle,latestPreparedProposedBlock_{h,v}\rangle$
message for the new round to all <a>validators</a> (including itself). Note that
the <a>Round Change message</a> includes the latest Prepared-Certificate and the
proposed block associated with the latest Prepared Certificate.

The $\mathbf{upon}$ block at line 55 describes under which conditions a
<a>Proposal message</a> for a new round is multicast and how the
<a>Proposal message</a> is assembled. Specifically, the $\mathbf{upon}$ block is
executed only if $v$ has received at least $Quorum(n_{h,v})$
<a>Round Change messages</a> for the current EBFT-block-finalization-protocol
instance such that:

  <ul>
    <li>
All messages are for the same round number $r_{rc}$ and $r_{rc}$ is higher than
the current round.
    </li>
    <li>
All messages are sent by distinct <a>validators</a> for the current instance of
the EBFT-block-finalization-protocol.
    </li>
    <li>
All messages contain a valid Prepared-Certificate. A Prepared-Certificate is
considered valid either if it is empty ($\bot$) or if it contains one
<a>Proposal message</a> and at least $Quorum(n_{h,v}) - 1$
<a>Prepare messages</a> for the same round $r'$ such that:
    <ul>
      <li>
$r'\lt$ than the the round number of the <a>Round Change messages</a>, $r_{rc}$.
      </li>
      <li>
The <a>Proposal message</a> is signed by the selected proposer for round $r'$.
      </li>
      <li>
The <a>Prepare messages</a> are sent by non-proposing validators for the $h$-th
instance of the EBFT-block-finalization-protocol and round $r'$ and they are
all for the current instance $h$ of the EBFT-block-finalization-protocol,
round $r'$ and same hash as the one included in the <a>Proposal message</a>.
      </li>
    </ul>
    </li>
    <li>
The Keccak hash of the $proposedBlock$ included in each of the
<a>Round Change messages</a> considered matches the hash included in the
<a data-lt="proposal message">Proposal</a> and
<a data-lt="prepare message">Prepare</a> message of the Prepared-Certificate.
    </li>
  </ul>

Any set meeting these conditions is a valid Round-Change-Certificate for round
$r'$ where round $r'$ is the round included in all of the
<a>Round Change messages</a> included in the Round-Change-Certificate. When all
of the conditions listed above are met, then:

  <ul>
    <li>
$v$ moves to the round number included in one of the Round-Change-Certificates
with the highest round number, lets $RCC$ be the chosen Round-Change-Certificate
and lets $r_h$ be the round number of $RCC$.
    </li>
    <li>
If $v$ was not already in $r_h$, then $v$ starts the round timer for round $r_h$.
    </li>
    <li>
If $v$ is the selected proposer for round $r_h$, $v$ sends a
<a>Proposal message</a> for the new round including the selected
Round-Change-Certificate ($RCC$) and a proposed block calculated as follows:
    <ul>
      <li>
If all of the Prepared-Certificates included in the
<a>Round Change message</a> are empty, that is $=\bot$, then the proposed block
must be a tuple including any valid Ethereum block for height $h$ and the
current round number, which must match the round number of the
<a>Proposal message</a>.
      </li>
      <li>
Otherwise, the Ethereum block included in the tuple constituting the proposed
block must match the proposed block received as part of one of the
<a>Round Change messages</a> including a Prepared-Certificate for the highest
round amongst the rounds of all the other Prepared-Certificates included in the
Round-Change-Certificate.
      </li>
    </ul>
    </li>
  </ul>

As specified by the $\mathbf{upon}$ block at line 71, a <a>Proposal message</a>
$\langle\langle\mathsf{PROPOSAL},h,r_{pp},H\rangle_{\sigma_{sender}},PB;RCC\rangle$
for a round higher than 0 is accepted only if all of the following conditions
are met:

  <ul>
    <li>
$v$ is currently running the EBFT-block-finalization-protocol instance
$h_{pp}$. That is, $h_{pp}=h$.
    </li>
    <li>
The round number $r_{pp}$ of the <a>Proposal message</a> is either higher than
the current round or equal to the current round provided that $v$ has not
accepted any <a>Proposal message</a> for the current round. That is,
$acceptedPB = \bot$.
    </li>
    <li>
$H$ corresponds to the Keccak hash of the proposed block $PB$.
    </li>
    <li>
The signed portion of the message is signed by the selected proposer for round
$r_{pp}$ and instance $h$ of the EBFT-block-finalization-protocol.
    </li>
    <li>
The Round-Change-Certificate $RCC$ includes at least $Quorum(n_{h,v})$
<a>Round Change messages</a> for round $r_pp$ and height $h$.
    </li>
    <li>
If each of the <a>Round Change messages</a> included in the
Round-Change-Certificate $RCC$ includes either an invalid Prepared-Certificate
or an empty Prepared-Certificate, then the:
    <ul>
      <li>
Ethereum block $EB$ included in the proposed block $PB$ must be a valid block
for height $h$.
      </li>
      <li>
Round number $r_{EB}$ included in the prepared block $PB$ must match the current
round number. That is, $r_{h,v} = r_{EB}$.
      </li>
    </ul>
    </li>
    <li>
Otherwise, the Keccak hash of the tuple composed of the Ethereum block included
in $PB$ and the highest round number of all Prepared-Certificated included in
$RCC$ must match the hash included in any of the messages that are part of the
Prepared-Certificates with the highest round number amongst all of the
Prepared-Certificates included in the Round-Change-Certificate $RCC$.
    </li>
  </ul>

The effect of accepting a <a>Proposal message</a> for a round $r_{pp} \gt 0$ is
essentially the same as accepting the <a>Proposal message</a> for round 0 with
the addition of moving to round $r_{pp}$. Specifically, $v$:

  <ul>
    <li>
Moves to round $r_{pp}$ and starts the related round timer if $v$ was not
already in round $r_{pp}$.
    </li>
    <li>
Multicasts a <a>Prepare message</a>
$\langle\mathsf{PREPARE},h,r_{h,v},H\rangle_{\sigma_v}$ to all validators
(including itself).
    </li>
    <li>
Sets $acceptedPB_{h,v}$ to the proposed block $PB$ indicating that it
accepted a <a>Proposal message</a> for $PB$.
    </li>
  </ul>

From here on the protocol proceeds as described above.



    </section>

    <section id="algorithm-pseudocode">

    <h3>Algorithm Pseudocode</h3>

<figure id="fig-algorithm1">
  <img src="./images/IBFT2_algorithm1.png" alt="Algorithm 1">
  <figcaption>EBFT Protocol for EBFT node $v$ (Algorithm 1)</figcaption>
</figure>

<figure id="fig-algorithm2">
  <img src="./images/IBFT2_algorithm2.png" alt="Algorithm 2">
  <figcaption>The EBFT-block-finalization-protocol (Algorithm 2)</figcaption>
</figure>


  <p class="note">
Algorithms for the computing the validator set and for the proposer selection
function must be added.
  </p>

    </section>


  </section>

  <section id="data-structures">

  <h2>Data Structures Encoding</h2>

  <p>
This section provides the details of how data structures such as messages,
block headers and finalization proof, for which only an abstract model is
provided in Section <a href="#eea-protocol-specification"></a>, are bit-wise
represented and encoded.
  </p>

  <p>
When it might be ambiguous whether the text refers to the abstract data
structures of Section <a href="#eea-protocol-specification"></a> or to the
encoding of those data structures, the term <em>abstract data structure</em> is
used to refer to the abstract data structures of Section
<a href="#eea-protocol-specification"></a>, while
<em>concrete data structure</em> is used to refer to actual encoding of those
data structures.
  </p>
  
      <section id="proposed-finalized-ethereum-blocks">

      <h3>Proposed Blocks, Finalized Blocks, and Ethereum Blocks</h3>

From a bit representation perspective, proposed blocks, finalized blocks and
EBFT Ethereum blocks share the same data structure.

The difference between them lies in how the fields of the block structure are
treated in the block verification.

The concrete data structure is a modification of the standard Ethereum data
structure which hereafter is called <em>EBFT Block Structure</em>.

      </section>

      <section id="ebft-block-structure">

      <h3>EBFT Block Structure</h3>

The EBFT block structure is split between Header and Body.

The body of the EBFT block structure is identical to the body of the Ethereum block
structure.

The header of the EBFT block structure is identical to the Ethereum header
structure except for the <code>extraData</code> field, which in an EBFT block is
as follows:

<code>extraData</code>

  <ul>
    <li>
<code>vanityData</code> DATA, 0 to 32 bytes.
    </li>
    <li>
<code>validatorList</code> LIST - A variable length list of Ethereum addresses
(20 byte each), representing the Ethereum address associated with each validator.
    </li>
    <li>
<code>vote</code>, which is either:
    <ul>
      <li>
LIST - A list comprised of the following elements:
      <ul>
        <li>
<code>recipient</code> ADDRESS, 20 bytes - the address of the Ethereum node for
which the vote is cast.
        </li>
        <li>
<code>voteValue</code> DATA, 1 byte - either 0x00 or 0xFF.
        </li>
      </ul>
      </li>
      <li>
or nil - if no vote is cast.
      </li>
    </ul>
    <li>
round QUANTITY, 4 bytes - The round number at which the finalized block was
created.
    </li>
    <li>
commitSeals LIST - A variable list of signatures (65 bytes) representing the
commit seals.
    </li>
  </ul>

      </section>

    <section id="sec-block-header-validation">

    <h3>Block Header Validation</h2>

As mentioned in Section <a href="#proposed-finalized-ethereum-blocks"></a>,
while finalized blocks and proposed blocks share the same data structure, they 
differ in how they are validated.

The next subsection describes some additional notation used in this section, 
the following sub-section describes the validation for the fields that share
the same validation rules between proposed and finalized blocks, while the last
two sub-sections describe the validation for the fields with different
validation rules.

      <section id="notation">


      <h4>Notation</h4>

The following function produces an exact copy, including the content, of the
data structure $\mathtt{structure}$ but with the field $\mathtt{field}$ removed.
$\mathtt{removeField}(\mathtt{structure},\mathtt{field}) $

      </section>


      <section id="common-validation-rules">

      <h4>Common Validation Rules</h4>

The following are some common validation rules:

  <ul>
    <li>
$\mathtt{parentHash}$: Must be equal to
$\mathtt{KEC}(\mathtt{RLP}(\mathtt{removeField}(\mathtt{removeField}(FB_{p}{ },\texttt{extraData.commitSeals}),\texttt{round})))$
where $FP_{p}$ indicates the parent finalized block.

Essentially, the hash of the parent block is calculated in the same way that the
parent hash is calculated in Ethereum, but with the fields
$\texttt{extraData.round}$ and $\texttt{extraData.commitSeals}$ removed from
$\texttt{extraData}$.

    </li>
    <li>
$\mathtt{ommersHash}$: Must be equal to the Keccak hash of the RLP encoding of
an empty list. That is, $\mathtt{KEC(RLP([]))}$
    </li>
    <li>
$\mathtt{beneficiary}$: Must be one the validators for the header under
validation as computed by $\mathtt{validators(H)}$.
    </li>
    <li>
$\mathtt{stateRoot}$: As per Ethereum Yellow Paper.
    </li>
    <li>
$\mathtt{transactionsRoot}$: As per Ethereum Yellow Paper.
    </li>
    <li>
$\mathtt{receiptsRoot}$: As per Ethereum Yellow Paper.
    </li>
    <li>
$\mathtt{logsBloom}$: As per Ethereum Yellow Paper.
    </li>
    <li>
$\mathtt{difficulty}$: Must be equal to 1
    </li>
    <li>
$\mathtt{number}$: As per Ethereum Yellow Paper.
    </li>
    <li>
$\mathtt{gasLimit}$: As per Ethereum Yellow Paper.
    </li>
    <li>
$\mathtt{gasUsed}$: As per Ethereum Yellow Paper.
    </li>
    <li>
$\mathtt{timestamp}$: Must be $\ge$ than the timestamp of the parent block
header + $\mathtt{BLOCK\_PERIOD}$
    </li>
    <li>
$\mathtt{extraData}$:
    <ul>
      <li>
$\mathtt{extraData.vanityData}$: Any sequence of $\le$ 32 bytes is admitted
      </li>
      <li>
$\mathtt{extraData.validatorList}$: Must match the validator list for the header
under verification as computed by $\mathtt{validators(H)}$
      </li>
      <li>
$\mathtt{extraData.vote}$:
      <ul>
        <li>
$\mathtt{extraData.vote.recipient}$: Any sequence of 20 bytes is admitted
        </li>
        <li>
$\mathtt{extraData.vote.voteValue}$: Must be either $\mathtt{0x00}$ or $\mathtt{0xFF}$
        </li>
      </ul>
      </li>
      <li>
$\mathtt{extraData.round}$: Any sequence of 4 bytes is admitted
      </li>
      <li>
$\mathtt{extraData.commitSeals}$: As described by the pseudocode in ... :
      <ul>
        <li>
All the elements of the $\mathtt{extraData.commitSeals}$ list must be unique
        </li>
        <li>
The number of elements in the $\mathtt{extraData.commitSeals}$ list must be
equal to $\mathtt{ceil\biggl(\frac{2*len(extraData.validators)}{3}\biggr)}$
        </li>
        <li>
Each element of $\mathtt{extraData.commitSeals}$ must be a signature over the
block header hash, as calculated by $\mathtt{headerHashForCommitSealCalculation}$
(defined below) generated by one of the Ethereum addresses listed in
$\mathtt{extraData.validators}$.

$\mathtt{headerHashForCommitSealCalculation}$ is defined as the Keccak hash over
the RLP encoding of the RLP encoding of the header with the field
$\mathtt{commitSeals}$, but not $\mathtt{round}$, removed from the
$\mathtt{extraData}$ field. More formally, $\mathtt{extraData}$ must be replaced
with the following $\mathtt{extraDataForBlockHeaderHashCalculationForCommitSeal}$:

$\mathtt{extraDataForBlockHeaderHashCalculationForCommitSeal:[vanityData,\;validatorList,\;vote,\;round]}$
where the value of $\mathtt{vanityData}$, $\mathtt{validatorList}$,
$\mathtt{vote}$, and $\mathtt{round}$ must be equal to the values of the
homonymous fields in $\mathtt{extraData}$.
        </li>
      </ul>
      </li>
    </ul>
  </li>
    <li>
$\mathtt{mixHash}$: Must be equal to $\mathtt{0x63746963616c2062797a616e74696e65206661756c7420746f6c6572616e6365}$
    </li>
    <li>
$\mathtt{nonce}$: Must be equal to 0.
    </li>
  </ul>

      </section>

      <section id="validation-rules-for-proposed-blocks">

      <h4>Validation Rules for Proposed Blocks</h4>

The validation rules listed here together with the validation rules listed in
Section <a href="#common-validation-rules"></a> corresponds to the $\texttt{isValid}()$
predicate of the pseudocode in Section <a href="#algorithm-pseudocode"></a>:

  <ul>
    <li>
$\mathtt{extraData}$:
    <ul>
      <li>
$\mathtt{extraData.commitSeals}$: Must be an empty list $[]$.
      </li>
    </ul>
    </li>
  </ul>

      </section>

      <section id="validation-rules-for-finalized-blocks">

      <h4>Validation Rules for Finalized Blocks</h4>

The validation rules listed here together with the validation rules listed in
Section <a href="#common-validation-rules"></a> correspond to the
$isValidFinalisedBlock()$ predicate of the pseudocode in Section
<a href="#algorithm-pseudocode"></a>:

  <ul>
    <li>
$\mathtt{extraData}$:
    <ul>
      <li>
$\mathtt{extraData.commitSeals}$: As described by line 4 of Algorithm 1 in Section <a href="#algorithm-pseudocode"></a>:
      <ul>
        <li>
All the elements of the $\mathtt{extraData.commitSeals}$ list must be unique
        </li>
        <li>
The number of elements in the $\mathtt{extraData.commitSeals}$ list must be
equal to $\mathtt{ceil\biggl(\frac{2*len(extraData.validators)}{3}\biggr)}$
        </li>
        <li>
Each element of $\mathtt{extraData.commitSeals}$ must be a signature, by one of
the Ethereum addresses listed in $\mathtt{extraData.validators}$, over the
following hash:
$\mathtt{KEC}(\mathtt{RLP}(\mathtt{removeField}(FB{ },\texttt{extraData.commitSeals})))$
where $FP$ indicates the finalized block to validate.
        </li>
      </ul>
      </li>
    </ul>
    </li>
  </ul>

      </section>

      </section>

  <section id="ebft-messages">

  <h2>EBFT Messages</h2>

This section defines how the abstract message data structures defined in Section
<a href="#eea-protocol-specification"></a> are mapped to the concrete message
data structures.

All messages MUST be transmitted using the RLPx protocol [[RLPx]].

For any type of message, the <dfn>signature</dfn> corresponds to the hash over
the message using the <a>validator</a> private key:

<code>hashForMessageSignature(message) = KEC(concatenate(message.ID, RLP(message.payload)))</code>

    <section id="eft-sub-protocol">

    <h3>EFT Sub-Protocol</h3>

  <p>
EBFT clients must advertise the $\texttt{EFT}$ capability version 0 using the
RLPx Hello message [[RLPx]].
  </p>

  <p>
All messages included in this section MUST be part of the $\texttt{EFT}$
capability.
 </p>
 
      <section id="proposal-message">

      <h4>Proposal Message</h4>

The block <a>proposer</a> MUST send the
<dfn data-lt="proposal messages|proposal|proposals">Proposal message</dfn> to
all other <a>validators</a> at the beginning of any round.

**Message content**

The Proposal message contains the following fields:

  - <code>0x00</code> DATA, x? bytes – The message ID for the Proposal message
type.
  - <code>payload</code> – A list containing each of the following:

    - <code>height</code> QUANTITY, 8 bytes – The <a>height</a> of the block
being proposed, as an integer.
    - <code>round</code> QUANTITY, 4 bytes – The <a>round</a> number, as an
integer.
    - <code>digest</code> DATA, 32 bytes – The Keccak hash of the RLP encoding of the
    proposed block.
  - <code>signature</code> DATA, 65 bytes – The <a>signature</a> of the payload.
  - <code>proposedBlock</code> – The content of the proposed block in Ethereum
block format.

      </section>

      <section id="prepare-message">

      <h4>Prepare Message</h4>

The <dfn data-lt="prepare messages">Prepare message</dfn> MUST be sent when a
<a>validator</a> that is not the designated block proposer for a round receives
a <a>Proposal message</a>.

**Message content**

The Prepare message contains the following fields:

  - <code>0x01</code> DATA, x? bytes – The message ID for the Prepare message
type.
  - <code>payload</code> – An array of the following:

    - <code>height</code> QUANTITY, 8 bytes – The <a>height</a> of the block
being prepared, as an integer.
    - <code>round</code> QUANTITY, 4 bytes – The <a>round</a> number, as an
integer.
    - <code>digest</code> DATA, 32 bytes – The Keccak of the RLP encoding of the prepared
block.
  - <code>signature</code> DATA, 65 bytes – The <a>signature</a> of the payload.

      </section>

      <section id="commit-message">

      <h4>Commit Message</h4>

The <dfn data-lt="commit messages">Commit message</dfn> MUST be sent by a
<a>validator</a> when <em>enough</em> <a>Prepare messages</a> matching the
<a>Proposal</a> sent by the designated <a>proposer</a> of the round are
received.

**Message content**

The Commit message contains the following fields:

  - <code>0x02</code> DATA, x? bytes – The message ID for the Commit message
type.
  - <code>payload</code> – An array of one or more of the following:

    - <code>height</code> QUANTITY, 8 bytes – The <a>height</a> of the block
being prepared, as an integer.
    - <code>round</code> QUANTITY, 4 bytes – The <a>round</a> number, as an
integer.
    - <code>digest</code> DATA, 32 bytes – The Keccak hash of the RLP encoding
    of the  prepared block.
    - <code>commitSeal</code> DATA, 32 bytes – The signature of the
<a>validator</a> over the proposed block included in the <a>Proposal message</a>
received by the designated proposer of the round.
  - <code>signature</code> DATA, 65 bytes – The <a>signature</a> of the payload.

      </section>

      <section id="round-change-message">

      <h4>Round-Change Message</h4>

A <dfn data-lt="round change messages">Round Change message</dfn> MUST be sent
by a <a>validator</a> when they suspect no agreement on the block to be added to
the blockchain with the given height will be reached in this round.

**Message content**

The Round Change message contains the following fields:

  - <code>0x03</code> DATA, x? bytes – The message ID for the Round Change
message type.
  - <code>payload</code> – An array of one or more of the following:

    - <code>height</code> QUANTITY, 8 bytes – The <a>height</a> of the block for
which the <a>validator</a> is trying to reach agreement, as an integer.
    - <code>round</code> QUANTITY, 4 bytes – The <a>round</a> number to which
the <a>validator</a> intends to move to, as an integer.
    - <code>preparedCertificate</code> DATA – See below.

  - <code>signature</code> DATA, 65 bytes – The <a>signature</a> of the
concatenation of the message ID and the payload.
  - <code>latestProposedBlock</code> DATA - <code>nil</code> or the content of
the latest prepared block in Ethereum block format. Should be <code>nil</code>
if <code>preparedCertificate</code> is <code>nil</code>.

The <code>preparedCertificate</code> might be <code>nil</code> or a list of:

  - <code>signedPartOfProposalMessage</code> – The payload and signature copied
from the latest prepared <a>Proposal message</a>.
  - <code>signedPartOfPrepareMessages</code> – The list of payloads and
signatures copied from the latest prepared <a>Prepare messages</a>.

If <code>latestProposedBlock</code> is not <code>nil</code>, then the digest of
<code>signedPartOfProposalMessage</code> and all messages included in
<code>signedPartOfPrepareMessages</code> should match the Keccak hash of
<code>proposedBlock</code>.

      </section>

  </section>

    <section id="ethereum-sub-protocol-messages">

    <h3>Ethereum Sub-Protocol Messages</h3>

  <p>
This section describes message used by the EBFT protocol which are already
included in the $\texttt{eth}$ capability of the [[RLPx]] protocol.
  </p>

      <section id="finalized-block-message">

      <h4>Finalized-Block Message</h4>

As mentioned in Section <a href="#eea-protocol-specification"></a>, the abstract
Finalized-Block message is mapped to the messages NewBlock, GetBlockHeaders,
BlockHeaders, GetBlockBodies and BlockBodies which are already specified by the
$\texttt{eth}$ sub-protocol [[Ethereum-Wire-Protocol]].

A Finalized-Block message represents the reception of a finalized block which
by definition of the standard $\texttt{eth}$ sub-protocol, it can happen either
by means of an unsolicited NewBlock message or by means of the pair of
messages GetBlockHeaders/BlockHeaders followed by the pair of messages
GetBlockBodies/BlockBodies [[Ethereum-Wire-Protocol]].

      </section>

      <section id="get-block-message">

      <h4>Get-Block Message</h4>

The abstract message Get-Block is mapped to the GetBlockHeaders, BlockHeaders, GetBlockBodies and BlockBodies which are already
specified by the $\texttt{eth}$ sub-protocol [[Ethereum-Wire-Protocol]] as these are
the messages that allow a node to retrieve a block from its peers.

      </section>

    </section>

  </section>

  <section id="improvements">

  <h2>Improvements</h2>

This section specifies a series of possible improvements to the EBFT
protocol, based on the analysis performed in the [[IBFT2-Gray-Paper]].

For the reasoning supporting the proposed improvements see Section 5 of the
[[IBFT2-Gray-Paper]].

    <section id="reduce-number-assuptions">

    <h3>Reduce the Number of Assumptions</h3>

The improvements in this section are designed to reduce the number of
assumptions required for correctness of the protocol.

      <section id="remove-fair-network-assumption">

      <h4>Remove the Fair Network Behavior Assumption (Improvement 1)</h4>

To remove the dependency on the robustness proof in the Fair Network Behaviour
Assumption described in Section 4.4 of the [[IBFT2-Gray-Paper]]
it is sufficient to require that the proposer selection function for
height $h$ only selects validators that did not propose any of the latest
$f(n_h)$ blocks where $n_h$ is the number of validators for the block with
height $h$.

This modification corresponds to replacing the $\mathbf{proposer}(\cdotp,\cdotp)$
function in the EBFT-block-finalization-protocol (introduced at line 4) with
the $FairProposer$ function, shown below.

<figure id="fig-algorithm3">
  <img src="./images/IBFT2_algorithm3.png" alt="Algorithm 3">
  <figcaption>FairProposer (Algorithm 3)</figcaption>
</figure>


      </section>

    </section>

    <section id="reduce-block-finalization-latency">

    <h3>Reduce Block Finalization Latency</h3>

The improvements in this section are designed to reduce block finalization
latency.

      <section id="reduce-number-of-communication-phases">

      <h4>Reduce the Minimum Number of Communication Phases From Three Down to Two (Improvement 2)</h4>

In the EBFT protocol the minimum number of communication phases required to
finalize a block is three, even if all validators happens to be honest and the message
transmission latency is less than $\frac{\mathbf{timeoutForRoundZero}}{3}$.

These phases are as follows:
1. The proposer for round 0 and instance $h$ of the
EBFT-block-finalization-protocol sends a
<a>Proposal message</a> to all validators.
2. All validators of height $h$, excluding the proposer for round 0, reply by
sending a <a>Prepare message</a> to all validators.
3. All validators of height $h$, after they receive the <a>Proposal message</a>
for round 0 from the proposer for round 0, and $Quorum(n_h) - 1$
<a>Prepare messages</a> from non-proposing validators for round 0, they send a
<a>Commit message</a> to all validators. After a validator for height $h$
receives $Quorum(n_h)$ <a>Commit messages</a> for round 0 from the validators of
height $h$, it creates a finalized block.

The modification described in this section, which is based on the very fast
learning protocol presented by Dutta et al. [[Byzantine-Consensus]], allows
reducing the minimum number of communication phases from three to two, as
follows:

1. The proposer for round 0 and instance $h$ of the
EBFT-block-finalization-protocol sends a <a>Proposal message</a> to all
validators.
2. All validators of height $h$, excluding the proposer for round 0, reply by
sending a <a>Prepare message</a> to all validators. After a validator for height
$h$ receives the <a>Proposal message</a> for round 0 from the proposer for round
0, and $n_h - 1$ <a>Prepare messages</a> from all the non-proposing validators
for round 0, it creates a finalized block.

With this modification, if all validators behave honestly and the network
latency is less than $\frac{\mathbf{timeoutForRoundZero}}{2}$, then a block is
finalized with only two communication phases. In the case that the conditions
listed above are not met, then the protocol gracefully degrades back to the
performance of the original EBFT protocol with no overhead.

This modification can reduces the block finalization latency by 33%.

This improvement requires the following modifications to the EBFT protocol:

  <ul>
    <li>
If the improvement outlined in Section
<a href="#remove-commit-seal-from-commit-message"></a> is not applied, then a
<em>Prepare seal</em> must be added to the <a>Prepare messages</a>. If the
improvement applied, the <a>Prepare messages</a> do not need to be modified.
    </li>
    <li>
If a block is finalized in only two phases, the commit seals include the
signatures (or Prepare seals, if the improvement outlined in Section
<a href="#remove-commit-seal-from-commit-message"></a> is not applied) of the
$n_h - 1$ <a>Prepare messages</a>.
    </li>
    <li>
During validation of a finalized block, if the number of commit seals is
$n_h - 1$, the seals are interpreted as signatures (Prepare seals, if the
improvement outlined in Section
<a href="#remove-commit-seal-from-commit-message"></a> is not applied) of
Prepare messages. Otherwise, if the number of seals is $Quorum(n_h)$, the seals
are interpreted as signatures (Commit seals, if the improvement outlined in
Section <a href="#remove-commit-seal-from-commit-message"></a> is not applied)
of Commit messages.
    </li>
    <li>
When a validator sends a <a>Round Change message</a>, if the validator has
received a valid <a>Proposal message</a> for round 0, but it has never prepared,
then it must include the <a>Proposal message</a> in the
<a>Round Change message</a>. After the first time a validator prepares while
running instance $h$ of the EBFT-block-finalization-protocol, the validator
only includes the latest Prepared-Certificate in any <a>Round Change message</a>
it sends.
    </li>
    <li>
When a validator sends a <a>Proposal message</a> for a round number higher than
0, if there exists an Ethereum block $EB$ such that:
    <ul>
      <li>
$EB$ is the only Ethereum block such that at least $f(n_h) + 1$ of the
<a>Round Change messages</a> forming the Round-Change-Certificate (included in
the <a>Proposal message</a>) include a <a>Proposal message</a> for round 0 and
for this block.
      </li>
      <li>
No <a>Round Change messages</a> include a valid Prepared-Certificate.
      </li>
    </ul>

then the proposed block included in the <a>Proposal message</a> must include the
Ethereum block $EB$.

If the conditions listed above are not met, the Ethereum block to be included in
a <a>Proposal message</a> with height higher than 0 must be determined as
specified by the original EBFT protocol.
    </li>
    <li>
On reception of a <a>Proposal message</a> for a round higher than 0, the
same calculation must be performed to validate the <a>Proposal message</a>.
    </li>
  </ul>

As described above, this modification allows reducing the minimum number of
communication phases from three to two for round 0 only. While it is possible to
modify the EBFT protocol to reduce the minimum number of communication
phases to two for any round, because of the following reasons, this optimisation
should be applied only to round 0:

  <ul>
    <li>
Applying the optimization for rounds higher than 0 requires potentially
increasing the size of the <a>Round Change message</a> by the size of one block
because the latest accepted <a>Proposal message</a> and the latest
Prepared-Certificate can refer to two different blocks.
    </li>
    <li>
If the conditions required to achieve block finalization in two phases are not
met for round 0, then either:
    <ul>
      <li>
One or more validators are Byzantine and can therefore prevent block
finalization in two phases at any round, or
      </li>
      <li>
Network latency is higher than $\frac{\mathbf{timeoutForRoundZero}}{2}$, which
means block finalization latency is already higher than
$\mathbf{timeoutForRoundZero}$ and therefore whether block finalization is
reached in two or three phases in the next round adds only minimal improvement
to the block finalization latency.
      </li>
    </ul>
    </li>
  </ul>


      </section>

      <section id="reduce-latency-for-validators">

      <h4>Reduce Latency for Validators (Improvement 3)</h4>

This improvement reduces the latency for validators to be in the same round long
enough to create a finalized block and requires the following modifications to
the EBFT protocol.

When a validator running the $h$-th instance of the
EBFT-block-finalization-protocol receives $f(n_h) + 1$
<a>Round Change messages</a> for height $h$ and round number higher than the
current round number, it:

- Starts the round number corresponding the lowest round number amongst the set
of $f(nh)+1$ <a>Round Change messages</a> received that have a round number
higher than the current one.
- Sends a <a>Round Change messages</a> for this round number.

      </section>

    </section>

    <section id="decrease-message-size">

    <h3>Decrease Message Size</h3>

The improvements in this section are designed to decrease overall message sizes.

      <section id="replace-round-change-messages-with-hashes">

      <h4>Replace Round-Change Messages with Hashes of Round Change Messages (Improvement 4)</h4>

This improvement replaces the <a>Round Change messages</a> in the
Round-Change-Certificate included in <a>Proposal messages</a> with hashes of the
<a>Round Change messages</a>. The set of hashes of <a>Round Change messages</a>
included in a <a>Proposal message</a> is called the
<em>Round-Change-Hash-Certificate</em>. Validators would be required to cache
the <a>Round Change messages</a> they receive and then verify a
<a>Proposal message</a> by using a Round-Change-Certificate composed of the
received <a>Round Change messages</a> for which Keccak hash matches one of the
hashes included in the Round-Change-Hash-Certificate.

If this modification is applied, then the block hash field can be removed from
the <a>Proposal message</a> and the proposed block field can be moved inside the
signed portion of the message.

The reason why <a>Proposal messages</a> in the original EBFT protocol
include the block hash in the signed portion of the message is to reduce the
size of <a>Proposal messages</a> with a round higher than 0. This because in the
original EBFT protocol a signed <a>Proposal message</a> with enough
information to match it to a proposed block must be included in
<a>Proposal messages</a> for rounds higher then 0 as part of the
Prepared-Certificates included in the Round-Change-Certificate.

If this improvement is applied, then the size of <a>Proposal messages</a> for
rounds higher than 0 become independent of the block size. Similarly, if this
improvement is applied then the size of <a>Proposal messages</a> for rounds
higher than 0 become independent of the <a>Round Change messages</a> size.
Therefore, there is no more need to split the <a>Round Change messages</a>
between a signed portion and an unsigned portion and all message fields can be
moved within the signed portion of the message.

      </section>

      <section id="remove-commit-seal-from-commit-message">

      <h4>Remove the Commit Seal from the Commit Message and Replace the Commit
Seals Included in a Block with the Signatures of the Commit Messages Received (Improvement 5)</h4>


This improvement removes the commit seal from a <a>Commit message</a> and
replaces the commit seals included in a block with the signatures of the
<a>Commit messages</a> received. It requires the following modifications to the
EBFT protocol:

- Remove the commit seal from the <a>Commit message</a>.
- When composing a finalization proof, collate the signatures of $Quorum(n_h)$
valid <a>Commit messages</a> sent by distinct validators.
- When validating a finalized block, reconstruct the body of the
<a>Commit message</a> that would have been sent for the block under validation
and verify that each of the signatures included in the finalization proof is a
valid signature of the reconstructed <a>Commit message</a> by one of the
validators. This can be done using the Elliptic Curve Signature Recovery
function.
      </section>

      <section id="reduce-number-of-messages-in-prepared-certificates">

      <h4>Reduce the Number of Messages Included in Prepared-Certificates (Improvement 6)</h4>

This improvement reduces the number of messages included in
Prepared-Certificates as well as the number of commit seals included in
finalization proofs to the minimum required to guarantee robustness of the
protocol. It requires the following modifications to the EBFT protocol. For
any:

- Prepared-Certificate included in a <a>Round Change messages</a>, include only
$Quorum(n_h)-1$ <a>Prepare messages</a> for the current round, instance of the
EBFT-block-finalization-protocol, and block hash matching the accepted
<a>Proposal message</a>, even if more <a>Prepare messages</a> with the same
characteristics were received.
- Finalization proof, include only $Quorum(n_h)$ commit seals included in valid
<a>Commit messages</a> for the current round, instance of the
EBFT-block-finalization-protocol, and block hash matching the accepted
Proposal, even if more commit seals included in valid <a>Commit messages</a>
were received.

      </section>

      <section id="remove-proposal-message-from-prepared-certificate">

      <h4>Remove the Proposal Message from the Prepared-Certificate (Improvement 7)</h4>

The <a>Proposal message</a> included in the Prepared-Certificates can be removed
without impacting the <a>robustness</a> of the EBFT protocol. While this
improvement reduces message size only marginally, it simplifies the
Prepared-Certificate validation logic.

      </section>

      <section id="remove-repeated-message-bodies">

      <h4>Remove Repeated Message Bodies from the Prepared-Certificates in a Round Change Message (Improvement 8)</h4>

This improvement replaces the set of <a data-lt="proposal message">Proposal</a>
and <a data-lt="prepare message">Prepare</a> messages included in a
Prepared-Certificate with a set including only the following pieces of
information:

- The round number of the messages included in the Prepared-Certificate.
- The hash of the block included in the
<a data-lt="proposal message">Proposal</a> and
<a data-lt="prepare message">Prepare</a> messages included in the
Prepared-Certificate.
- The signature of the <a>Proposal message</a> included in the
Prepared-Certificate.
- All the signatures of the <a>Prepare messages</a> included in the
Prepared-Certificate.

A Prepared-Certificate constructed as described above can be validated by
reconstructing the body of the <a data-lt="proposal message">Proposal</a>
and <a data-lt="prepare message">Prepare</a> messages included in the original
Prepared-Certificate by using the pieces of information listed above (the height
is provided as part of the <a>Round Change message</a>) and verifying that:

- The signature for the <a>Proposal message</a> is a valid signature of the
proposer (for the round number included in the modified version of the
Prepared-Certificate) over the <a>Proposal message</a> body
- Each Prepare signature is a correct signature of one of the non-proposing
validators (for the round number included in the modified version of the
Prepared-Certificate) over the <a>Prepare message</a> body.

      </section>

      <section id="use-aggregate-signature-scheme">

      <h4>Use an Aggregate Signature Scheme for the Prepared-Certificate (Improvement 9)</h4>

The size of the Prepared-Certificate can be further reduced by employing an
aggregate signature scheme, which allows replacing the $Quorum(n_h) - 1$
signatures of the <a>Prepare messages</a> with a single signature.

      </section>

    </section>

    <section id="improve-message-semantics">

    <h3>Improve Message Semantics</h3>

The improvements in this section are designed to improve the overall message
structure, making it more efficient.

      <section id="disregard-round-number">

      <h4>Disregard the Round Number when Computing the Block Hash in EBFT Messages (Improvement 10)</h4>

As described in Section <a href="#ibft2-block-finalization-protocol"></a>, the
block hash included in the EBFT messages is calculated over a tuple composed
of the Ethereum block and the current round number. This improvement replaces
this hash with the hash of the Ethereum block only. Note that it is still
required to include the current round number in the finalization proof.

      </section>

    </section>

    <section id="algorith-pseudocode-with-improvements">

    <h3>Algorithm Pseudocode with Improvements</h3>

<figure id="fig-algorithm4">
  <img src="./images/IBFT2_algorithm4.png" alt="Algorithm 4">
  <figcaption>EBFT Protocol for EBFT node $v$ with Improvements (Algorithm 4)</figcaption>
</figure>

<figure id="fig-algorithm5">
  <img src="./images/IBFT2_algorithm5.png" alt="Algorithm 5">
  <figcaption>The EBFT-block-finalization-protocol with Improvements (Algorithm 5)</figcaption>
</figure>

    </section>

  </section>



  <section id="sec-additional-information" class="appendix">

  <h2>Additional Information</h2>

    <section id="sec-definitions">

    <h3>Terms defined in this specification</h3>

    <div class="inside">
      <ul class="respec-dfn-list">
        <li>
          <a href="#dfn-sampleterm">
            sample term<!---0.529120%-->
          </a>
        </li>
      </ul><!---0.529120%-->
    </div>
    </section>

    <section id="sec-summary-of-requirements">

    <h3>Summary of Requirements</h3>

This section summarizes all of the requirements in this Specification into one
section.

    </section>

    <section id="sec-acknowledgments">

    <h3>Acknowledgments</h3>

Acknowledgments here.

    </section>

    <section id="sec-changes">

    <h3>Changes</h3>

Full details of all changes since the version 1.0 release of this Specification
are available in the
[GitHub repository for this Specification](https://github.com/entethalliance/enhanced-bft).

    </section>

  </section>

<script class='remove'>
async function loadSolidity() {    //this is the function you call in 'preProcess'
    const worker = await new Promise(resolve => {
      require(["core/worker"], ({ worker }) => resolve(worker));
    });
    const action = "highlight-load-lang";
    const langURL =
      "https://rawgit.com/pospi/highlightjs-solidity/master/solidity.js";
    const propName = "hljsDefineSolidity";
    const lang = "solidity";     // this is the class you use to identify the language
    worker.postMessage({ action, langURL, propName, lang });
    return new Promise(resolve => {
      worker.addEventListener("message", function listener({ data }) {
        const { action: responseAction, lang: responseLang } = data;
        if (responseAction === action && responseLang === lang) {
          worker.removeEventListener("message", listener);
          resolve();
        }
      });
    });
  }


function cleanUp () {
  document.querySelector('h2').removeChild(document.querySelector('h2').firstChild);
  document.head.removeChild(document.querySelectorAll('link[rel=stylesheet]')[1]);
  document.head.removeChild(document.querySelector('link[rel=canonical]'));

  document.querySelector('p.copyright').innerHTML=" "

  var linksList = document.querySelector('div.head > dl');
  linksList.removeChild(document.querySelectorAll('div.head dt')[5]);
  linksList.removeChild(document.querySelectorAll('div.head dt')[1]);
  linksList.removeChild(document.querySelectorAll('div.head dt')[0]);
  linksList.removeChild(document.querySelectorAll('div.head dd')[12]);
  linksList.removeChild(document.querySelectorAll('div.head dd')[11]);
  linksList.removeChild(document.querySelectorAll('div.head dd')[10]);
  linksList.removeChild(document.querySelectorAll('div.head dd')[9]);
  linksList.removeChild(document.querySelectorAll('div.head dd')[1]);
  linksList.removeChild(document.querySelectorAll('div.head dd')[0]);

  var theA = document.querySelector('[href=dummycontrib]');
  theA.outerHTML = theA.innerHTML;


  //
  // This is ugly but works unless ReSpec tracks a serious change to W3C boilerplate
  //

    var statusSection = document.querySelector('section#sotd');
    var statusPs = document.querySelectorAll('#sotd > p').length;
    statusSection.removeChild(document.querySelectorAll('#sotd > p')[(statusPs-1)]);
    statusSection.removeChild(document.querySelectorAll('#sotd > p')[(statusPs-2)]);
    statusSection.removeChild(document.querySelectorAll('#sotd > p')[(statusPs-3)]);
    statusSection.removeChild(document.querySelectorAll('#sotd > p')[(statusPs-5)]);
    statusSection.removeChild(document.querySelectorAll('#sotd > p')[0]);

}

var respecConfig = {
  preProcess: [loadSolidity],
  format: "markdown",
  specStatus: "ED",
  // edDraftURI: "https://entethalliance.github.io/client-spec/spec.html",
  postProcess: [cleanUp],
  editors: [{
    name: "Robert Coote",
    company: "PegaSys",
    mailto: "robert.coote@consensys.net",
  },{
    name: "Grant Noble",
    company: "PegaSys",
    mailto: "grant.noble@consensys.net",
  },{
    name: "Roberto Saltini",
    company: "PegaSys",
    mailto: "roberto.saltini@consensys.net",
  },{
    name: "David Hyland-Wood",
    company: "PegaSys",
  },{
    name: "Sample Editor",
    company: "Editor Co."
  }],
  formerEditors: [{
    name: "Former Editor",
    company: "Editor Co."
  }],
  github: "https://github.com/EntEthAlliance/enhanced-bft",
  shortName: "EEASpec",
  copyrightStart: 2019,
  logos: [{
    src: './images/no_logo.svg',
    href: "https://entethalliance.org",
    alt: " ",
    width: 180,
    height: 90,
    id: 'eea-logo',
  }],
  otherLinks: [{
    key: "Contributors to this version",
    data: [{
      value: "Sample Contributor (Contributor Co.),\
          Sample Contributor2 (Contributor Co.)",
      href:"dummycontrib"
    }]
  }],
  localBiblio: {
    "PBFT": {
      title: "Practical Byzantine Fault Tolerance",
      href: "https://dl.acm.org/citation.cfm?id=296806.296824",
      publisher: "Miguel Castro and Barbara Liskov"
    },
    "Byzantine-Consensus": {
      title: "Best-Case Complexity of Asynchronous Byzantine Consensus",
      href: "http://lpdwww.epfl.ch/upload/documents/publications/567931850DGV-feb-05.pdf",
      publisher: "Partha Dutta, Rachid Guerraoui, and Marko Vukolic"
    },
    "Partial-Synchrony": {
      title: "Consensus in the Presence of Partial Synchrony",
      href: "https://dl.acm.org/citation.cfm?doid=42282.42283",
      publisher: "Cynthia Dwork, Nancy Lynch, and Larry Stockmeyer"
    },
    "PoW": {
      title: "Pricing via Processing or Combatting Junk Mail",
      href: "https://dl.acm.org/citation.cfm?id=646757.705669",
      publisher: "Cynthia Dwork and Moni Naor"
    },
    "Ethereum-Wire-Protocol": {
      title: "Ethereum Wire Protocol",
      href: "https://github.com/ethereum/wiki/wiki/Ethereum-Wire-Protocol",
      publisher: "Ethereum Foundation"
    },
    "Byzantine-Generals-Problem": {
      title: "The Byzantine Generals Problem",
      href: "https://dl.acm.org/citation.cfm?doid=357172.357176",
      publisher: "Leslie Lamport, Robert Shostak, and Marshall Pease"
    },
    "One-Faulty-Process": {
      title: "Impossibility of Distributed Consensus with One Faulty Process",
      href: "https://dl.acm.org/citation.cfm?doid=3149.214121",
      publisher: "Michael J. Fischer, Nancy A. Lynch, and Michael S. Paterson"
    },
    "IBFT": {
      title: "Istanbul Byzantine Fault Tolerance",
      href: "https://github.com/ethereum/EIPs/issues/650",
      publisher: "Yu-Te Lin, Ethereum Foundation"
    },
    "Pantheon": {
      title: "Pantheon",
      href: "https://github.com/PegaSysEng/pantheon",
      publisher: "PegaSys (ConsenSys)"
    },
    "Quorum": {
      title: "Quorum: A permissioned implementation of Ethereum supporting data privacy",
      href: "https://github.com/jpmorganchase/quorum",
      publisher: "JP Morgan Chase"
    },
    "IBFT-Analysis": {
      title: "Correctness Analysis of IBFT",
      href: "https://arxiv.org/abs/1901.07160",
      publisher: "Roberto Saltini"
    },
    "IBFT2-Gray-Paper": {
      title: "IBFT 2.0 Gray Paper",
      href: "https://member.entethalliance.org/HigherLogic/System/DownloadDocumentFile.ashx?DocumentFileKey=c42892a9-7768-4803-897c-5d533c7713ad&forceDialog=0",
      publisher: "Roberto Saltini"
    },
    "RLP": {
      title: "Ethereum RLP",
      href: "https://github.com/ethereum/wiki/wiki/RLP",
      publisher: "Ethereum Foundation"
    },
    "RLPx": {
      title: "The RLPx Transport Protocol",
      href: "https://github.com/ethereum/devp2p/blob/master/rlpx.md",
      publisher: "Ethereum Foundation"
    },
    "Ethereum-Yellow-Paper": {
      title: "Ethereum: A Secure Decentralized Generalized Transaction Ledger",
      href: "https://ethereum.github.io/yellowpaper/paper.pdf",
      publisher: "Dr. Gavin Wood"
    }
  }
};
</script>

<script type="text/x-mathjax-config">
  MathJax.Hub.Config({tex2jax: {inlineMath: [['$','$'], ['\\(','\\)']]}});
</script>

<script src='https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.5/MathJax.js?config=TeX-MML-AM_CHTML' async></script>

</body>

</html>