by danbruc 15 days ago
The key correctness insight is this: any two majorities of nodes must overlap in at least one node. So between any two consecutive global state changes [...] at least one node participated in both. This single overlapping node carries forward the knowledge of what was previously committed, preventing conflicts and ensuring consistency.

There is another side to this: it must not be possible for two »majorities« to coexist; otherwise they could independently move on in case of a split cluster. This also rules out allowing consensus by majority in addition to majority by a bloc. In the seven-node example, there could be a { 1, 2, 3 } and { 4, 5, 6, 7 } split, the first partition being a bloc and the second one being a majority but not containing a bloc.


Ah, thanks for the insight. I was wondering why not ‘block || majority’ to get around scenario 5. Quorum has nothing to do with majority and everything to do with trust structure. My mind is blown.
I would not call it trust, because in this kind of consensus protocol, namely permissioned consensus protocols, you assume trust between participants: you assume you know the participants and that they are not malicious. Otherwise you have to go down a road more like Bitcoin, where you do not know the participants and do not trust them.

What you need are rules that define safe behavior in the face of arbitrary communication breakdowns. You need a default behavior that guarantees you are still doing the right thing no matter which other nodes you can no longer talk to. And safe behavior means two things. First, you need continuity: you must not lose any commits, so at least one node in the current round must have participated in the latest round. Second, you have to ensure that no two groups of nodes independently decide that they should continue to make commits; otherwise the state would diverge.

And from this come the tensions: you want many nodes in the quorum to make continuity easy, you want few nodes in the quorum to tolerate many failures, and you kind of want many nodes in the quorum to prevent multiple quorums.
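The two safety properties above (every pair of quorums overlaps, and no two quorums can act independently) are the same check, and the seven-node split in the first comment is a concrete failure of it. The following is an added example, not code from the thread: it enumerates every quorum a rule accepts over a constructed cluster of nodes 1..7 and searches for a disjoint pair; the bloc is assumed to be { 1, 2, 3 }, matching the split the comment describes.

```python
from itertools import combinations

# Constructed seven-node cluster, as in the thread's example.
NODES = frozenset(range(1, 8))
# Assumed bloc: the thread's split puts { 1, 2, 3 } on the bloc side.
BLOC = frozenset({1, 2, 3})


def is_majority(group):
    """True if the group holds strictly more than half of all nodes."""
    return 2 * len(group) > len(NODES)


def majority_rule(group):
    return is_majority(group)


def bloc_or_majority_rule(group):
    """The 'bloc || majority' rule asked about in the thread."""
    return BLOC <= group or is_majority(group)


def all_quorums(rule):
    """Every subset of NODES the rule accepts, smallest first."""
    return [frozenset(c)
            for r in range(1, len(NODES) + 1)
            for c in combinations(sorted(NODES), r)
            if rule(frozenset(c))]


def find_disjoint_quorums(rule):
    """Return two quorums with no node in common, or None if every
    pair overlaps. A disjoint pair is a partition along which both
    sides could keep committing, so the rule is unsafe."""
    for a, b in combinations(all_quorums(rule), 2):
        if a.isdisjoint(b):
            return a, b
    return None


def max_tolerated_failures(rule):
    """Nodes that may be unreachable while some quorum still forms."""
    return len(NODES) - min(len(q) for q in all_quorums(rule))


if __name__ == "__main__":
    for name, rule in [("majority", majority_rule),
                       ("bloc || majority", bloc_or_majority_rule)]:
        print(name, "disjoint:", find_disjoint_quorums(rule),
              "tolerates:", max_tolerated_failures(rule))
```

Plain majority finds no disjoint pair and tolerates three unreachable nodes; the bloc-or-majority rule tolerates four but returns the { 1, 2, 3 } / { 4, 5, 6, 7 } pair, which is exactly the trade-off the last paragraph describes.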