The Asynchronous Imperative: Achieving Robust Consensus in Adversarial Networks

Posted on by uplatzblog

1. Introduction: The Unyielding Problem of Agreement

1.1. Defining Distributed Consensus: The Quest for a Single Source of Truth

In the architecture of modern computing, from the sprawling infrastructure of cloud services to the decentralized ledgers of blockchain networks, a fundamental challenge persists: how to ensure that a collection of independent, communicating computers can function as a single, coherent system. The solution to this challenge is known as distributed consensus. In its simplest form, distributed consensus is the process that enables multiple nodes in a distributed system to agree on a single data value or state, thereby establishing a “single source of truth”.1 This agreed-upon state is critical for maintaining data consistency, coordinating actions, and ensuring the overall reliability of the system.1

The necessity for consensus arises from the inherent unreliability of distributed environments. Individual nodes can fail, software can contain bugs, and network messages can be delayed, lost, or delivered out of order.4 Without a mechanism to reconcile these issues, different parts of the system could diverge, leading to catastrophic inconsistencies such as data corruption in a database, double-spending in a cryptocurrency, or a “split-brain” scenario where multiple nodes incorrectly assume a leadership role.1 Consensus algorithms are the specialized protocols designed to prevent such outcomes. They provide a formal framework of communication and voting rules that allow the non-failing nodes in a system to reach an agreement, even in the presence of faults and network unpredictability.1 Whether it involves electing a leader, committing a database transaction, or validating a block of transactions, consensus is the invisible bedrock that underpins the reliability and fault tolerance of most large-scale distributed services.3

A crucial point of understanding is that the nature of these “faults” has evolved significantly over time. Early distributed systems were primarily concerned with handling benign failures, such as process crashes or network link outages, where components simply stop functioning.1 However, the conceptual framework provided by the Byzantine Generals Problem introduced a far more challenging class of failure: the Byzantine fault.7 This analogy describes a scenario where some components (the “treacherous generals”) are not merely faulty but actively malicious. They can send deliberately conflicting information to different parts of the system in a coordinated effort to prevent the honest components from reaching an agreement.9 This shift from a model of passive, probabilistic failure to one of intelligent, adversarial opposition has profound implications for protocol design. In modern, open, and permissionless systems like public blockchains, the assumption of malicious actors is not an edge case but a primary design constraint.2 Consequently, the evolution of consensus protocols is not merely a story of handling more complex network conditions; it is a narrative of defending against an increasingly sophisticated and adversarial threat model. An “adversarial network” is not just a slow or unreliable network; it is a network where delays, partitions, and malicious messages can be strategically orchestrated by an intelligent attacker to exploit a protocol’s weaknesses.

 

1.2. Core Properties: Agreement, Validity, and the Elusive Guarantee of Termination

 

For a consensus protocol to be considered correct, it must satisfy a set of canonical properties. These properties ensure that the agreement reached is consistent, legitimate, and that the system can continue to make progress. The three core properties are Agreement, Validity, and Termination.7

  • Agreement (also known as Safety): This property mandates that all non-faulty processes that decide on a value must decide on the same value.8 It is the most fundamental guarantee of consensus, ensuring that the system does not diverge into conflicting states. A violation of the Agreement property can lead to irreversible data corruption or inconsistent system behavior.1
  • Validity (also known as Integrity or Non-Triviality): This property ensures that the value agreed upon is legitimate. In its common form, it states that if all correct processes propose the same initial value, then any correct process that decides must decide on that value.9 A stronger form requires that any value decided must have been proposed by at least one of the processes.8 This prevents trivial but useless solutions, such as a protocol where all nodes always agree on a fixed value like ‘0’, regardless of their inputs.
  • Termination (also known as Liveness): This property guarantees that every non-faulty process will eventually decide on some value.8 Termination ensures that the protocol makes forward progress and does not get stuck in an indefinite state of indecision. Without this guarantee, a system could halt and become unavailable in the face of failures or certain network conditions.4

These three properties exist in a delicate balance, and the central challenge of consensus protocol design lies in satisfying all of them simultaneously, especially under adverse conditions. A significant tension exists between Safety (Agreement) and Liveness (Termination), particularly in the presence of network partitions—a scenario where the network splits into two or more disconnected subgroups of nodes. This tension is famously captured by the CAP Theorem, which posits that a distributed data store cannot simultaneously provide more than two of the following three guarantees: Consistency (a strong form of agreement), Availability (related to liveness), and Partition tolerance.8 As will be explored in depth, this fundamental trade-off becomes even more pronounced in fully asynchronous systems, as formalized by the seminal FLP Impossibility Theorem.8

 

1.3. The Spectrum of Reality: From Idealized Synchrony to Adversarial Asynchrony

 

The design, correctness, and real-world performance of any consensus protocol are inextricably linked to the abstract model of the network it assumes. These models are not mere theoretical constructs; they represent a spectrum of assumptions about network behavior, and a protocol’s resilience is determined by how well its assumptions align with reality. At one end of this spectrum lies the synchronous model, an idealized world of perfect predictability. At the other end lies the asynchronous model, which mirrors the chaotic, unpredictable, and often hostile environment of the public internet.13

The transition from protocols built on strong synchronous assumptions to those designed for pure asynchrony is not just an academic progression. It represents a necessary evolution driven by the practical demands of building globally distributed systems that can withstand not only random failures but also targeted, malicious attacks. A protocol that assumes bounded message delays can be rendered useless by a simple denial-of-service attack that introduces unpredictable latency.15 Therefore, the move towards asynchrony is a strategic adaptation to the reality that in open networks, the network itself is an attack surface, and any assumption about timing is a potential vulnerability.16

 

1.4. Thesis Statement

 

This report argues that the inherent fragility of timing assumptions in real-world, wide-area networks—a fragility that can be systematically exploited by malicious actors—necessitates a paradigm shift in the design of high-assurance distributed systems. While partially synchronous protocols such as Paxos and Raft have proven effective in controlled environments, their fundamental reliance on eventual network stability renders them vulnerable to sophisticated liveness and performance degradation attacks. For building the next generation of robust, secure, and resilient distributed systems, particularly those operating in permissionless or adversarial settings, the future lies in truly asynchronous consensus protocols that provide provable guarantees of progress irrespective of network behavior.

 

2. A Taxonomy of Network Models: From Theory to Practice

 

The behavior and guarantees of a distributed consensus protocol are fundamentally constrained by the assumptions it makes about the underlying network environment. These assumptions are formalized into distinct network models, each with specific rules regarding message delivery times, process execution speeds, and the notion of time itself. Understanding this taxonomy is crucial for appreciating why certain protocols are feasible in one model but impossible in another, and for contextualizing their respective strengths and vulnerabilities.

 

2.1. The Synchronous Model: A World of Bounded Delays and Lockstep Execution

 

The synchronous model represents the most restrictive and predictable network environment. It is defined by a set of strong timing assumptions that make it the easiest setting in which to design and reason about consensus protocols.13

The core assumptions of the synchronous model are:

  • Bounded Message Delay: There exists a known, fixed upper bound, denoted as , on the time it takes for a message sent from one correct process to be received by another.17 A message sent at time  is guaranteed to arrive no later than time .
  • Bounded Process Execution: There is a known upper bound on the time required for a process to execute a single step of its algorithm.18 The relative speeds of different processors are also assumed to be bounded.20
  • Synchronized Clocks: The model often assumes that all processes have access to a shared global clock or that their local clocks are synchronized with a known, bounded drift rate.14

These assumptions allow protocols to operate in discrete, lockstep “rounds”.13 A process can send messages at the beginning of a round and know with certainty that all messages from that round will have been received by all other correct processes before the next round begins. This predictability enables the use of timeouts as a reliable mechanism for failure detection. If a message from a process is not received within the bound , it can be unambiguously concluded that the sender has failed.4

While the synchronous model facilitates the design of efficient protocols with strong theoretical guarantees—for example, it is possible to solve consensus deterministically even in the presence of Byzantine faults 21—it is widely regarded as an impractical abstraction for most real-world distributed systems, especially those deployed over large, unpredictable networks like the internet.14 Guaranteeing a fixed upper bound on message latency across a global network is infeasible due to network congestion, routing changes, and other variable factors.14

 

2.2. The Asynchronous Model: Embracing Unbounded Delays and Network Unpredictability

 

The asynchronous model stands in stark contrast to the synchronous model, representing the other end of the spectrum. It is defined by its deliberate lack of timing assumptions, making it a more realistic, albeit more challenging, environment for protocol design.14

The core assumptions of the asynchronous model are:

  • Unbounded Message Delay: There is no upper bound on message delivery time. Messages sent between correct processes are guaranteed to be delivered eventually, but the delay can be arbitrarily long.8 The network can also reorder messages.4
  • Unbounded Process Execution: There are no assumptions about the speed at which processes execute their steps.17
  • No Global or Synchronized Clocks: Processes do not have access to a shared global clock and cannot rely on their local clocks for synchronization, as the drift rate is arbitrary.4

This model accurately reflects the conditions of the internet, where network latency is variable and unpredictable, and where it is impossible to distinguish between a crashed process and one that is merely very slow or connected via a high-latency link.16 However, this realism comes at a significant theoretical cost. The famous Fischer-Lynch-Paterson (FLP) Impossibility Theorem proves that it is impossible for any deterministic algorithm to guarantee a solution to the consensus problem in a purely asynchronous model, even if only a single process can fail by crashing.8 This result forces protocol designers to either introduce some form of randomization or relax the purely asynchronous assumptions.

 

2.3. Partial Synchrony: The “Sweet Spot” and Its Two Flavors

 

Partial synchrony was introduced as a pragmatic and realistic middle ground between the idealized synchronous model and the overly restrictive asynchronous model.13 It is often considered the “sweet spot” for designing practical consensus protocols because its assumptions are weak enough to be relevant to real-world systems but strong enough to circumvent the FLP impossibility result, thereby permitting provably correct and terminating consensus protocols.19

The concept of partial synchrony was formally defined by Dwork, Lynch, and Stockmeyer and comes in two primary flavors 4:

  1. The Unknown Latency (UL) Model: This model assumes that there exist fixed upper bounds on message delivery delay () and relative processor speeds, but these bounds are unknown to the protocol designer.20 The protocol must be designed to work correctly regardless of the actual values of these bounds, meaning it cannot use any hard-coded timeout values based on them.
  2. The Global Stabilization Time (GST) Model: This model is arguably the more influential of the two. It assumes that the bounds on message delay and processing time are known, but they are only guaranteed to hold after some unknown but finite time, referred to as the Global Stabilization Time (GST).19 Before GST, the system is completely asynchronous, with messages subject to arbitrary delays. After GST, the system behaves synchronously. The protocol has no knowledge of when GST will occur and must be designed to function correctly regardless.4

Protocols designed for the partially synchronous model, particularly the GST variant, typically share a common design goal: they must be always safe, but need only be eventually live.19 This means that the protocol must never violate the Agreement property, even during the initial asynchronous period before GST. However, the protocol is only guaranteed to make progress and terminate (Liveness) once the system stabilizes and enters the synchronous period after GST.27

This design philosophy reveals an inherent optimism in the partial synchrony model. It is a model built for solvability, providing a theoretical escape from the FLP impossibility result by postulating that network instability, however severe, is ultimately transient. Protocols like Paxos and Raft, which are built upon this model, are architecturally designed to survive periods of asynchrony while waiting for stability to resume. They are not designed to thrive or make guaranteed progress within asynchrony itself. This foundational choice—to wait for good network conditions rather than operate robustly within bad ones—is a critical architectural characteristic. It directly leads to the liveness vulnerabilities that can be exploited by an adversary capable of prolonging or mimicking the asynchronous phase, effectively preventing the system from ever reaching its “Global Stabilization Time.”

Table 1: Comparative Analysis of Network Models

 

Feature Synchronous Model Partially Synchronous (GST) Partially Synchronous (UL) Asynchronous Model
Clock Assumption Global or tightly synchronized clocks 14 Shared global clock assumed, but not essential for liveness 19 Shared global clock assumed, but not essential for liveness 20 No shared or synchronized clocks 14
Message Delay Bound Known, fixed upper bound () 17 Known bound () holds only after unknown Global Stabilization Time (GST) 19 Unknown but fixed upper bound exists 20 Unbounded, but messages are eventually delivered 19
Process Speed Assumption Bounded execution time and relative speeds 18 Bounded speeds after GST 20 Unknown but bounded relative speeds 20 Unbounded execution speeds 17
Solvability of Deterministic Consensus Solvable, even with Byzantine faults (e.g., ) 21 Solvable (guarantees liveness only post-GST) 19 Solvable 20 Impossible with even one crash fault (FLP Theorem) 25
Real-World Applicability Impractical for most large-scale systems (e.g., internet) 14 Considered a realistic and practical model for many systems 19 A useful theoretical model, less commonly cited than GST 26 Accurately models the internet, but imposes strong theoretical limits 16

 

3. The Fragility of Synchronous Assumptions Under Adversarial Conditions

 

Protocols built on synchronous or partially synchronous models derive their liveness guarantees from assumptions about time. This reliance, while enabling them to circumvent theoretical impossibilities, simultaneously creates a fragile dependency. In real-world networks, and especially in adversarial environments, these timing assumptions are not just parameters but vulnerabilities. An adversary does not need to compromise a node’s integrity to disrupt the system; they merely need to manipulate the network environment to violate the protocol’s core assumptions about message delivery. The network itself thus becomes a primary attack surface.

 

3.1. The Δ Dilemma: The Inherent Trade-off Between Correctness and Performance

 

Synchronous consensus protocols are fundamentally dependent on a predefined network delay bound, denoted as .29 This parameter represents the maximum time a message is allowed to take between two honest nodes. The choice of  creates a direct and challenging trade-off between the protocol’s correctness and its performance.29

To ensure correctness and liveness, the value of  must be chosen conservatively. If  is set too low (an aggressive or optimistic value), normal network jitter or transient congestion could cause messages to arrive after the timeout. This “synchrony violation” can lead to honest nodes being incorrectly flagged as faulty, triggering unnecessary and disruptive recovery mechanisms (like leader elections) or, in the worst case, causing the protocol to fail entirely.14 To avoid this, system designers typically set  to a very high value, often based on the 99.99th percentile of observed network latencies or as a large multiple (e.g., 10x) of the average latency.29

However, this conservative approach has a severe impact on performance. Because synchronous protocols operate at a pace dictated by , a large value for this parameter introduces significant latency into the consensus process. The system must wait for the full timeout period in each round or step to ensure that all expected messages have had a chance to arrive.29 This means that even when the network is fast and messages arrive almost instantly, the protocol’s performance is artificially limited by its worst-case assumption. For instance, a protocol that can tolerate one synchrony violation in every 100,000 messages might require a  of over 82 seconds for communication between US datacenters, whereas a protocol that can tolerate one violation in 10,000 messages could use a  of around 1 second—a 75x performance improvement.29 This “Δ Dilemma” illustrates the fundamental tension: a protocol can be either fast or robust to network fluctuations, but not both, when its logic is tied to a fixed timing bound.

 

3.2. Network Partitions: When Latency Becomes Indistinguishable from Failure

 

In any system that lacks perfectly synchronized global clocks—which includes all asynchronous and partially synchronous models—it is impossible to definitively distinguish between a node that has crashed and a node whose messages are simply experiencing extreme delay.24 This ambiguity lies at the heart of the network partition problem. A network partition occurs when a communication failure splits a cluster of nodes into two or more subgroups that cannot communicate with each other. From the perspective of a node in one partition, the nodes in the other partition appear to be unresponsive. The only tool available to detect this is a timeout. Therefore, a network partition is functionally equivalent to a scenario where network latency becomes high enough to be considered a failure.24

When a partition occurs, nodes are left in a state of uncertainty. They have no way of knowing if the other nodes are alive, if they have failed, or if they are simply on the other side of a network break.24 This uncertainty poses a direct threat to consensus, as it can lead to a “split-brain” scenario. In a split-brain, each partitioned subgroup, unable to communicate with the other, might believe it is the only active part of the system. If both partitions contain a leader (or elect a new one), they may independently continue to accept and process operations, leading to two divergent and inconsistent versions of the system’s state.6 Preventing this is a primary goal of robust consensus protocols.

 

3.3. Attack Vector Analysis: Weaponizing Network Unpredictability

 

An intelligent adversary can exploit these inherent properties of time-dependent protocols to mount effective attacks that degrade performance or cause a complete denial of service. The adversary’s goal is to attack the protocol’s underlying model rather than its specific implementation.

  • Denial-of-Service (DoS) and Liveness Attacks: An adversary can weaponize the protocol’s reliance on timeliness. By launching a volumetric DoS attack, such as a SYN flood, the adversary can create network congestion that increases message latency beyond the protocol’s configured .30 This does not require compromising any nodes or even taking them offline. It simply requires manipulating the network environment to violate the protocol’s synchrony assumption. When honest nodes fail to receive messages within the expected time, they trigger timeouts and enter recovery procedures. If the attack is sustained, it can prevent the protocol from ever making progress, resulting in a liveness failure.15 Leader-based protocols are particularly vulnerable, as an attack targeting just the leader can halt the entire system.15
  • Resource Exhaustion via Signature Flooding: A more subtle and efficient attack targets the computational resources of nodes, particularly the leader. Many BFT protocols require messages to be authenticated with cryptographic signatures. Signature verification is a computationally intensive operation.15 An adversary, who may be external to the system or a malicious insider (a Byzantine node), can launch a “signature flooding” attack by sending a high volume of validly formed but useless messages that require signature verification to the current leader. The leader’s CPU becomes overwhelmed with the task of verifying these signatures, preventing it from processing and propagating legitimate consensus messages in a timely manner. This effectively creates a targeted DoS attack on the leader, which in turn halts the entire consensus process.15 This attack is highly effective because it can compromise liveness with only a few Mbps of traffic, and it is independent of the total number of nodes in the system, as the adversary can simply track and target each new leader that is elected.15

These attack vectors demonstrate that for protocols relying on timing assumptions, the network is not a passive medium but an active battleground. By manipulating latency and computational load, an adversary can turn the protocol’s own mechanisms for ensuring liveness—timeouts and leader-based coordination—into weapons that guarantee its failure.

 

4. The Asynchronous Ideal and Its Foundational Impossibility

 

In response to the fragility of timing assumptions, the theoretical ideal for building robust distributed systems has long been the asynchronous model. Protocols designed for this model promise unparalleled resilience by making the weakest possible assumptions about the network environment, thereby aiming to be immune to the timing-based attacks that plague their synchronous counterparts. However, this ideal runs into a formidable theoretical barrier: the FLP Impossibility Theorem, a cornerstone result in distributed computing that defines the fundamental limits of what can be achieved in a fully asynchronous world.

 

4.1. The Allure of Asynchrony: Designing for the Real World

 

The primary motivation for designing asynchronous consensus protocols is their inherent robustness. By making no assumptions about message delivery delays or process execution speeds, these protocols are designed from the ground up to handle the unpredictable and often hostile conditions of real-world networks like the internet.8 This approach offers several key advantages:

  • Resilience to Network Volatility: Asynchronous protocols are, by definition, immune to failures caused by synchrony violations. Network congestion, routing flaps, or long-distance communication links that result in high latency do not break the protocol’s correctness guarantees.33
  • Immunity to Timing-Based Attacks: An adversary cannot cause a liveness failure simply by delaying messages, as the protocol has no concept of a timeout or a deadline that can be violated.34 This makes them fundamentally more secure against the denial-of-service and performance degradation attacks described previously.
  • Simplified Deployment: Protocols that do not rely on finely-tuned timeout parameters are easier to deploy and manage across diverse and heterogeneous environments. There is no need to engage in complex network analysis to determine a “safe” value for , which may change over time anyway.33

In essence, asynchronous protocols embrace network unpredictability as the default state, rather than treating it as an exceptional condition to be tolerated.

 

4.2. The Fischer-Lynch-Paterson (FLP) Impossibility Theorem: A Detailed Exposition

 

Despite the appeal of the asynchronous model, a seminal 1985 paper by Michael Fischer, Nancy Lynch, and Michael Paterson established a profound limitation. The FLP Impossibility Theorem formally states that no deterministic algorithm can solve the consensus problem in a completely asynchronous system that is subject to even a single crash failure.8

This result is powerful and surprising for several reasons:

  • Minimal Fault Model: It holds even for the most benign type of failure—a “fail-stop” or crash failure, where a process simply stops executing—and does not require the more complex Byzantine failures.8
  • Reliable Communication: The proof assumes a reliable message system where messages are never lost or corrupted, only arbitrarily delayed.36
  • Minimal Number of Faults: The impossibility holds with just one faulty process in a system of any size ().25

The core assumptions underpinning the proof are critical to its interpretation 36:

  1. Asynchronous Communication: Message delays are unbounded but finite.
  2. Deterministic Processes: The actions of each process are a fixed function of its current state and the messages it has received. There is no source of randomness.
  3. Possibility of One Crash Fault: At least one process may fail by halting at any point.

 

4.3. Understanding Bivalence: Why Deterministic Agreement Cannot Be Guaranteed

 

The ingenuity of the FLP proof lies in its use of the concept of system configurations and their “valence.” A configuration is a snapshot of the entire system, including the internal state of every process and the contents of the message buffer. A configuration can be classified based on the potential outcomes of the consensus protocol starting from that state 8:

  • Univalent: A configuration is univalent if the final consensus value is already determined, regardless of the subsequent sequence of events (message deliveries and process steps). It can be 0-valent or 1-valent.
  • Bivalent: A configuration is bivalent (or “ambiguous”) if the outcome is not yet decided, and future event orderings could lead to either a final decision of 0 or a final decision of 1.8

The proof proceeds in two main steps:

  1. Existence of an Initial Bivalent Configuration: The proof first demonstrates that for any non-trivial consensus protocol, there must exist an initial configuration (i.e., a set of initial input values for the processes) that is bivalent. This is shown by contradiction. If all initial configurations were univalent, one could construct two adjacent initial configurations, differing only in one process’s input, that are 0-valent and 1-valent respectively. Because the protocol must tolerate the failure of that one differing process, an execution could proceed without its participation, forcing the other processes to reach the same decision in both cases—a contradiction.37
  2. Preserving Bivalence Indefinitely: The second, and more critical, step shows that from any bivalent configuration, an adversarial scheduler can always orchestrate a sequence of events (i.e., deliver a message) that leads to another bivalent configuration. The adversary identifies a “critical” event—a message delivery to a process—that would force the system to transition to a univalent state. Since the system is asynchronous, the adversary can simply delay the delivery of that critical message indefinitely and instead deliver a different, non-critical message. The proof shows that there will always be such a non-critical message available. By repeatedly applying this logic, the adversary can construct an infinite execution where the system moves from one bivalent state to another, never reaching a decision.36

 

4.4. Implications: The “Window of Vulnerability” in Every Asynchronous Protocol

 

The FLP theorem proves that for any deterministic asynchronous consensus protocol, there exists an “admissible run”—one with only a single crash fault and where all messages are eventually delivered—that is not a “deciding run,” meaning no process ever reaches a decision.39 This confirms the existence of a “window of vulnerability” in every such protocol: an execution path where the unfortunate timing of a single process crash or message delay can cause the entire system to halt indefinitely, thus violating the Termination property.25

It is crucial to recognize that the FLP theorem is a statement about guarantees, not about typical behavior. The adversarial schedule constructed in the proof is highly specific and “pathological”—it requires an omniscient adversary with perfect control over the timing of every message to perpetually identify and delay the one critical event that would resolve consensus.5 Real-world networks, while unpredictable, do not typically behave in this perfectly malicious manner; there is an element of natural randomness in their operation.40

Therefore, the impossibility result should not be seen as a declaration that asynchronous consensus is practically useless. Instead, it serves as a fundamental guidepost, clarifying the necessary compromises for building practical systems. It proves that a 100% guarantee of termination for a deterministic protocol is impossible in this model. This forces a clear architectural choice:

  1. Relax the Asynchrony Assumption: Introduce minimal timing assumptions, leading to the partially synchronous model and protocols like Paxos and Raft.
  2. Relax the Determinism Assumption: Introduce randomness into the protocol, allowing it to achieve termination with a probability of 1, but not with certainty.

This choice between partial synchrony and randomization represents the two primary pathways that have been explored to build practical and robust consensus protocols in the decades since the FLP result was published.

 

5. Circumventing Impossibility: Pathways to Practical Asynchronous Consensus

 

The FLP Impossibility Theorem established that deterministic consensus cannot be guaranteed in a fully asynchronous system. This foundational result, rather than halting progress, galvanized the distributed systems community to explore two primary pathways to circumvent this limitation: relaxing the assumption of determinism by introducing randomization, and developing a modular design philosophy that simplifies the construction of complex asynchronous protocols.

 

5.1. The Power of Randomness: How Coin Flips Break Deterministic Deadlocks

 

The FLP impossibility proof hinges on an adversary’s ability to construct a specific, deterministic sequence of events that keeps the system in a bivalent state indefinitely. The introduction of randomness into a protocol shatters the adversary’s ability to predict and control the system’s evolution with such precision.41

By allowing processes to make random choices—colloquially, to “flip coins”—a protocol can break the deterministic deadlocks and symmetries that the FLP adversary exploits.5 The core intuition is that while an adversary can still delay messages, it cannot control the outcome of a random coin flip internal to a process. If processes find themselves in a state of indecision (e.g., an equal split of votes between two values), they can use a random choice to bias their preference for the next round. While a single round might still fail to produce a decision, the laws of probability dictate that eventually, a sufficient majority of processes will randomly align their preferences, allowing a decision to be made.41

This approach fundamentally alters the guarantees of the protocol. Instead of guaranteeing termination in all possible executions, a randomized protocol guarantees termination with probability 1. This means that while non-terminating executions may still theoretically exist, they form a set of measure zero; the probability of encountering such a “bad sequence” of coin flips forever is infinitesimally small, akin to flipping a coin infinitely and only ever getting tails.41 This probabilistic guarantee is sufficient for building practical and highly reliable systems.

 

5.2. Anatomy of Randomized Protocols

 

The use of randomness has given rise to a class of elegant and powerful asynchronous consensus protocols.

  • Ben-Or’s Algorithm: One of the earliest and most influential randomized consensus protocols, proposed by Michael Ben-Or, solves binary consensus in an asynchronous system with crash failures, provided that the number of faulty processes, , is less than half the total, i.e., .43 The algorithm proceeds in asynchronous rounds. In each round, if a process observes a clear majority for a value, it adopts and proposes that value. However, if it observes a split vote or no clear majority, it chooses its next proposal randomly.43 This random choice is the key mechanism that ensures the protocol will eventually break symmetry and terminate with probability 1.
  • Shared Coins: A critical primitive for improving the efficiency of randomized protocols is the shared coin (or common coin).46 Instead of relying on the independent, local coin flips of many processes to align by chance—an event that can take many rounds—a shared coin protocol allows all processes to collaboratively generate a single random value. A “weak shared coin” protocol guarantees that with some constant, non-trivial probability (e.g., ), all honest processes will agree on the same random output (e.g., ‘0’ or ‘1’).46 This collective coin flip provides a much stronger bias towards agreement in each round, dramatically reducing the expected number of rounds needed to reach consensus compared to protocols relying solely on local coins.46

 

5.3. Building Blocks for Modern Protocols: The Modular Approach

 

As asynchronous BFT protocols grew in sophistication, a powerful design paradigm emerged: constructing complex protocols from a set of simpler, well-defined, and composable building blocks or primitives.50 This modular approach abstracts away the intricate details of individual components, allowing designers to reason about the system at a higher level and even swap out different implementations of a primitive to achieve different performance trade-offs.52

This engineering principle represents a fundamental shift in how complex fault-tolerant systems are designed. Instead of creating monolithic protocols, researchers can isolate and optimize individual components. For instance, the Dumbo protocol’s performance was significantly improved by designing a faster Multi-Valued Byzantine Agreement (MVBA) primitive, without altering the overall protocol structure.54 This modularity simplifies not only design and optimization but also formal verification, as the correctness of the overall system can be proven based on the established properties of its constituent blocks.

The most common primitives used in modern asynchronous BFT consensus include:

  • Reliable Broadcast (RBC): This primitive allows a designated sender to broadcast a message to all processes. It guarantees that (1) all honest processes eventually deliver the same message, and (2) if the sender is honest, all honest processes will deliver its message.49 This prevents a Byzantine sender from sending different versions of a message to different recipients (equivocation).
  • Asynchronous Binary Agreement (ABA): This is a protocol that solves the simplest form of consensus: agreeing on a single bit (0 or 1). It guarantees that all honest processes will decide on the same bit, and if all honest processes start with the same bit, that is the bit they will decide.52 ABA protocols are typically implemented using a shared coin primitive to ensure termination.
  • Asynchronous Common Subset (ACS): This is a powerful and central primitive in many state-of-the-art protocols like HoneyBadgerBFT. In an ACS protocol, each of the  processes proposes a value (or a set of transactions). The protocol concludes when all honest processes agree on a common subset of these proposed values.16 ACS guarantees that the output subset is consistent across all honest nodes and contains contributions from a threshold of honest nodes, providing censorship resistance. ACS itself is typically constructed from multiple instances of RBC and ABA.52

By combining these primitives, designers can construct a full-fledged atomic broadcast (or total order broadcast) protocol, which is the core of state machine replication. For example, a common pattern is for each node to use RBC to broadcast its batch of proposed transactions. Then, ACS is used to agree on which of these broadcasted batches should be included in the next block. Finally, the transactions within the agreed-upon batches are deterministically ordered to form a consistent log across all nodes.

 

6. A Critical Analysis of Partially Synchronous Protocols: The Case of Paxos and Raft

 

Partially synchronous protocols, most notably Paxos and its more understandable descendant, Raft, represent the dominant paradigm for consensus in production systems today. They are the engines behind critical infrastructure in distributed databases, cloud coordination services, and more. Their design philosophy is to optimize for the common “happy path” of a stable network by using a leader, while retaining safety during periods of asynchrony. However, this leader-centric design, while efficient, introduces a distinct set of vulnerabilities that can be exploited in adversarial network conditions, primarily leading to failures of liveness and severe performance degradation.

 

6.1. Leader-Based Consensus: A Double-Edged Sword of Efficiency and Vulnerability

 

The core optimization in protocols like Multi-Paxos and Raft is the election of a single, stable leader.58 This leader acts as the sole coordinator for all state changes. In a stable network, this design is highly efficient: a client request goes only to the leader, which then orchestrates replication to a quorum of followers in a single round-trip of communication. This results in low latency and high throughput.59

However, this centralization of authority creates a single point of failure and a conspicuous target for an adversary.58 The performance and availability of the entire cluster become critically dependent on the health and connectivity of one node.61 If the leader fails, becomes slow, or is partitioned from the network, the system cannot make progress until a new leader is elected and established. This recovery process, known as a view change or leader election, is the system’s primary mechanism for fault tolerance. Paradoxically, it is also the system’s greatest liveness vulnerability. An adversary’s optimal strategy is often not to crash nodes, but to manipulate the network in ways that keep the system perpetually in a state of recovery, a condition that leader-based protocols are ill-equipped to handle.

 

6.2. Liveness and Performance Downgrade Attacks

 

An adversary can exploit the leader-dependent nature of these protocols to mount attacks that do not violate safety but effectively render the system unavailable.

  • Targeting the Leader: The “Delayed View Change” Attack: This is a subtle but potent performance downgrade attack. An adversary with control over network scheduling can introduce just enough latency to the leader’s outgoing messages to significantly slow down the entire system. The key is to keep the delay below the protocol’s timeout threshold for leader failure.58 By doing so, the followers do not declare the leader dead and do not initiate a new election. The slow leader remains in power, and its poor performance becomes the bottleneck for the entire cluster, effectively throttling throughput without triggering any overt failure alarms.59
  • Dueling Leaders and Leader Flapping: In unstable network conditions, such as a partition that heals and re-partitions, multiple nodes may concurrently believe they have the right to become leader. In Paxos, this can lead to a “dueling leaders” livelock. Two proposers with increasing ballot numbers can continuously preempt each other, each failing to secure a majority of acceptors before being preempted by the other. This cycle can prevent any value from ever being chosen, halting progress indefinitely.63 Raft is designed to be less susceptible to this specific livelock due to its stronger leadership model, but it can suffer from a related phenomenon known as “leader flapping.” Misconfigured timeouts or network instability can cause rapid and repeated leader elections. Since the cluster is unavailable for writes during each election, frequent flapping can severely degrade the system’s overall availability.65

 

6.3. Raft’s Achilles’ Heel: Split Votes and Log Divergence in Network Partitions

 

Raft was designed to be more understandable than Paxos, but it introduces its own set of vulnerabilities related to its specific leader election and log replication mechanisms.

  • Split Votes: During a Raft leader election, if two or more candidate nodes start their election at roughly the same time, they can “split” the votes of the followers such that no single candidate achieves the required majority ().68 When a split vote occurs, the election for that term fails, and the candidates time out and start a new election in a subsequent term. While Raft’s use of randomized election timeouts is designed to make this scenario rare and quickly resolved, it remains a fundamental liveness vulnerability. In a sufficiently unstable network, or under an adversarial scheduler, repeated split votes can prevent a leader from being elected for an extended period, leading to prolonged system unavailability.69
  • Log Divergence and Split-Brain: A network partition presents a significant threat to Raft’s consistency. If a leader is partitioned away from a majority of the cluster, it can no longer commit new log entries. The majority partition, upon losing contact with the leader, will time out and elect a new leader. This new leader will begin accepting new client requests. At this point, the system is in a “split-brain” state, with two nodes (the old leader in the minority partition and the new leader in the majority partition) believing they are in charge.6 Raft’s safety mechanisms prevent this from leading to inconsistent committed states. The old leader cannot commit any new entries because it lacks a quorum. The new leader can. When the network partition heals, Raft’s log reconciliation mechanism comes into play. The old leader will discover the new leader’s higher term number and step down, becoming a follower. It will then discover that its log has diverged from the new leader’s log. To resolve this, Raft forces the follower to discard its conflicting uncommitted entries and adopt the leader’s log as the source of truth.11 While this process maintains safety, it can result in the loss of writes that were accepted by the old leader but never committed.

Table 2: Vulnerability Matrix for Paxos and Raft

 

Attack Vector Protocol Mechanism of Attack Impact on System
Delayed View Change Paxos & Raft An adversary introduces latency to the leader’s messages, keeping the delay just below the timeout threshold. Performance Downgrade: The entire cluster’s throughput is throttled to the speed of the slow leader. Liveness is maintained, but performance is severely impacted.59
Dueling Leaders / Leader Flapping Paxos Two or more proposers with escalating ballot numbers continuously preempt each other, preventing either from securing a quorum. Liveness Failure: The system can enter a livelock state where no new values are ever chosen, halting all progress.63
Raft Network instability or misconfigured timeouts cause rapid, repeated leader elections. Reduced Availability: The system is unavailable for writes during each election. Frequent elections lead to significant downtime and poor performance.65
Split Vote Raft Two or more candidates in an election split the available votes, so no candidate achieves a majority. Liveness Failure / Delayed Recovery: The election fails, and a new one must start after a timeout. Repeated split votes can prevent a leader from being elected, causing prolonged unavailability.68
Log Divergence (Split-Brain) Raft A network partition isolates a leader, while the majority partition elects a new one. The old leader may accept writes that it cannot commit. Safety Preserved, but Potential Data Loss: Raft’s safety rules prevent inconsistent committed states. However, upon partition healing, uncommitted writes on the old leader are discarded during log reconciliation.68

 

7. The Vanguard of Asynchrony: Modern Byzantine Fault-Tolerant Protocols

 

The theoretical limitations of partially synchronous models and the practical vulnerabilities of protocols like Paxos and Raft have spurred a new wave of research into building practical, high-performance consensus protocols designed for fully asynchronous and adversarial environments. These modern Byzantine Fault-Tolerant (BFT) protocols do not merely tolerate asynchrony; they are architected around it. They leverage randomization and advanced cryptographic primitives not just to ensure eventual liveness, but to provide robust security and performance guarantees even when the network is actively hostile. This represents a paradigm shift from viewing asynchrony as a problem to be survived to an environment to be mastered.

 

7.1. HoneyBadgerBFT: A Leaderless, Censorship-Resistant Protocol for the Wild

 

HoneyBadgerBFT, introduced by Miller et al. in 2016, is widely recognized as the first practical asynchronous BFT protocol.33 Its design philosophy is to guarantee liveness without making any timing assumptions whatsoever. Unlike partially synchronous protocols whose performance is tied to a fixed timeout parameter, HoneyBadgerBFT’s throughput dynamically adapts to the actual, prevailing network conditions.34

The core mechanism of HoneyBadgerBFT is both leaderless and modular, built upon the Asynchronous Common Subset (ACS) primitive.56 In each epoch, every node proposes its own batch of transactions. The ACS protocol then ensures that all honest nodes agree on an identical subset of these proposed batches. A key innovation of HoneyBadgerBFT is its approach to censorship resistance. A simple ACS protocol would be vulnerable to an adversary who could observe the contents of proposed transactions and then use its control over message scheduling to exclude specific transactions from the final agreed-upon set. To counter this, HoneyBadgerBFT employs Threshold Encryption. Each node encrypts its proposed batch of transactions before broadcasting it. The ACS protocol then runs on these encrypted batches. Only after the nodes have irrevocably agreed on a common subset of encrypted batches do they collaboratively perform a threshold decryption to reveal the plaintext transactions.56 This “agree-then-reveal” strategy ensures that an adversary cannot selectively censor transactions based on their content, as the content is not known until after consensus is complete.

 

7.2. The Dumbo Family (Dumbo, Speeding Dumbo): Pushing the Performance Envelope

 

While HoneyBadgerBFT demonstrated the practicality of asynchronous BFT, its performance, particularly its latency, was not competitive with highly optimized partially synchronous protocols. The Dumbo family of protocols emerged to close this performance gap, significantly improving the throughput and latency of asynchronous consensus.81

The key innovation of the original Dumbo protocol was to redesign the underlying ACS primitive. HoneyBadgerBFT’s ACS construction required running  parallel instances of Asynchronous Binary Agreement (ABA), one for each node’s proposal. Dumbo replaced these  ABA instances with a single, more efficient Multi-Valued Validated Byzantine Agreement (MVBA) primitive.54 This architectural simplification dramatically reduced the communication and computational overhead, leading to significant performance gains.82

The successor, Speeding Dumbo, pushed the performance envelope even further. It identified that the MVBA protocol itself was the new bottleneck and introduced a novel, concretely more efficient “Speeding-MVBA” protocol. This new MVBA reduces the number of communication rounds required to reach a decision in both the best case (from dozens to just 6) and the expected worst case, effectively halving the latency of Dumbo and doubling its throughput.54 These advancements have made asynchronous BFT protocols performance-competitive with their partially synchronous counterparts, without sacrificing their superior robustness guarantees.

 

7.3. Algorand: Achieving Scale and Security Through Cryptographic Sortition

 

Algorand offers a different approach to achieving scalable and secure consensus in a permissionless, asynchronous environment. Its consensus protocol is a novel Byzantine Agreement protocol, often referred to as BA*, which is designed to be extremely fast and resilient to network partitions.83

The central innovation in Algorand is cryptographic sortition.85 Instead of having all nodes participate in consensus or electing a fixed, long-lived leader, Algorand uses a Verifiable Random Function (VRF) to select small, ephemeral committees of users to perform the steps of the BA protocol for each block.87 The probability of a user being selected is proportional to their stake (the amount of cryptocurrency they hold).83

This mechanism provides two critical benefits:

  1. Scalability: By having only a small committee participate in each step, the protocol’s communication overhead is dramatically reduced, allowing the system to scale to millions of users without a corresponding increase in consensus traffic.88
  2. Security: The sortition process is run locally and privately on each user’s machine. A user can prove they were selected for a committee, but no one, including an adversary, knows who is on the committee until the selected members broadcast their messages (which include the VRF proof).86 This secrecy prevents an adversary from identifying and targeting committee members in advance with DoS attacks or corruption attempts, providing a proactive defense that is not possible in protocols with fixed or predictable leaders. This use of randomness for security, rather than just for liveness, illustrates how modern protocols leverage the properties of the asynchronous model as a feature.

Table 3: Comparative Overview of Modern Asynchronous BFT Protocols

 

Feature HoneyBadgerBFT Dumbo / Speeding Dumbo Algorand (BA*)
Core Primitives Asynchronous Common Subset (ACS), Reliable Broadcast (RBC), Asynchronous Binary Agreement (ABA), Threshold Cryptography 56 Multi-Valued Validated Byzantine Agreement (MVBA), cheaper broadcast primitives 54 Byzantine Agreement (BA*), Verifiable Random Function (VRF) 85
Leader Mechanism Leaderless; all nodes propose in each epoch 56 Leaderless; all nodes can contribute proposals 81 Ephemeral, randomly selected “leaders” (block proposers) for each round 84
Key Innovation First practical asynchronous BFT; censorship resistance via Threshold Encryption 33 High-performance MVBA construction, reducing communication rounds and latency 54 Cryptographic Sortition for secret, scalable committee selection, preventing targeted attacks 85
Fault Tolerance Byzantine () 56 Byzantine () 54 Byzantine ( honest stake) 84
Primary Strength Unconditional liveness and censorship resistance, regardless of network conditions 34 High throughput and low latency, competitive with partially synchronous protocols 82 High scalability, security against targeted attacks in a permissionless setting 88

 

8. A Synthesis of Performance, Trade-offs, and Future Directions

 

The evolution from synchronous to asynchronous consensus protocols is not a simple linear progression toward a single “best” solution. Instead, it has revealed a complex landscape of design choices and trade-offs. The performance, security, and complexity of a given protocol are deeply intertwined, and the optimal choice depends heavily on the specific requirements and threat model of the target application. As the field matures, a more nuanced understanding of these trade-offs is emerging, alongside a clear set of open challenges that will define the next frontier of research.

 

8.1. Throughput vs. Latency: Analyzing Performance in Wide-Area Networks

 

A common point of comparison between consensus protocols is their performance, typically measured in terms of throughput (transactions per second) and latency (time to finality).

  • Partially Synchronous Protocols: These protocols, like PBFT and HotStuff, are generally optimized for low latency in the “happy path”—that is, when the network is stable and there is a clear leader. They can often commit a transaction in just a few communication rounds.90
  • Asynchronous Protocols: Early asynchronous BFT protocols were often criticized for high latency, as they inherently require more communication rounds to provide their strong safety and liveness guarantees in the absence of timing assumptions.16 Protocols like HoneyBadgerBFT, for instance, explicitly optimize for maximizing throughput by ensuring the protocol can always make progress and saturate available network bandwidth, even if it means individual transactions take longer to commit.78

However, this simple comparison is misleading. The low latency of partially synchronous protocols is fragile and holds only under ideal conditions. In an adversarial environment or a volatile wide-area network (WAN), their performance can degrade catastrophically, with latency becoming effectively infinite if the protocol’s liveness fails.91 In contrast, the performance of an asynchronous protocol is more predictable. While its baseline latency may be higher, it continues to make progress and operate with consistent (albeit potentially reduced) throughput even during periods of extreme network disruption or attack.57 Recent advancements, such as the Dumbo family of protocols, have significantly closed the latency gap, demonstrating that asynchronous protocols can achieve performance competitive with their partially synchronous counterparts without sacrificing robustness.89

This forces a re-evaluation of what “high performance” means. For a mission-critical financial system, predictable, bounded latency during a denial-of-service attack may be far more valuable than extremely low latency that becomes infinite under duress. The definition of performance is context-dependent, and for systems requiring high assurance, resilience and predictability under adverse conditions are paramount performance metrics.

 

8.2. The Designer’s Calculus: Trade-offs in Asynchronous Protocol Design

 

Even within the realm of asynchronous BFT, there is no one-size-fits-all solution. Protocol designers face a “calculus” of trade-offs to balance performance, security, and complexity.

  • Message Complexity vs. Cryptographic Overhead: A fundamental trade-off exists in the design of core primitives like Asynchronous Byzantine Agreement (ABA). One approach is to use a “local coin,” where each process flips its own random coin. This avoids computationally expensive cryptography but results in high message complexity (e.g., ) as processes must exchange many messages to converge on a common value. The alternative is to use a “shared coin” based on threshold cryptography. This reduces message complexity (e.g., to ) but introduces significant computational overhead for generating and verifying threshold signatures.93 This trade-off is particularly acute in resource-constrained environments like wireless networks or IoT devices, where both bandwidth and CPU power are scarce.93
  • Resilience vs. Performance: The classic resilience threshold for BFT consensus is tolerating  Byzantine faults in a system of  nodes. While this is the theoretical optimum for certain models, some research has explored protocols with “suboptimal resilience,” such as requiring  or even . By relaxing the resilience requirement, these protocols can achieve significant performance improvements, for instance, by requiring smaller quorums or simpler communication patterns.57 This presents a trade-off between the level of security and the achievable performance.
  • Leaderless vs. Leader-based Designs: While the trend in asynchronous BFT has been toward leaderless designs to enhance robustness against targeted attacks, the efficiency of a single coordinator is undeniable. This has led to the emergence of hybrid protocols like Alea-BFT, which is gaining adoption in systems like Ethereum’s distributed validators.94 These protocols re-introduce the concept of a designated (but perhaps ephemeral) leader for certain phases of the protocol to improve efficiency, while falling back on a fully decentralized mechanism to ensure liveness. This creates a new, more complex set of trade-offs between the efficiency of centralization and the robustness of decentralization.55

 

8.3. Open Problems and the Research Frontier

 

Despite tremendous progress, several key challenges remain in the field of asynchronous consensus.

  • Scalability to Large Networks: While modern protocols have been demonstrated to scale to over a hundred nodes, their performance can still degrade significantly in larger networks. A primary bottleneck is the “authenticator complexity”—the overhead associated with generating and, more importantly, verifying a large number of digital signatures for quorum certificates. With  nodes, this can involve  or even  signature verifications per decision, which becomes computationally prohibitive at scale.95 Designing protocols that can scale to thousands of nodes while maintaining high performance is a major open problem.
  • Practical Deployment and Benchmarking: The complexity of implementing asynchronous BFT protocols correctly is a significant barrier to their widespread adoption in production systems.16 Furthermore, there is a lack of standardized frameworks and testbeds for rigorously and fairly benchmarking different BFT protocols, especially under simulated adversarial conditions. This makes it difficult for practitioners to make informed, apples-to-apples comparisons between protocols.93
  • Post-Quantum Security: Many BFT protocols, both partially synchronous and asynchronous, rely heavily on public-key cryptography (e.g., digital signatures for authentication, threshold encryption for censorship resistance). The underlying mathematical problems (e.g., factorization, discrete logarithms) are known to be vulnerable to attack by large-scale quantum computers. A critical area of future research is the design of efficient asynchronous consensus protocols that are secure in a post-quantum world, likely relying on different cryptographic primitives.99
  • Expanding the Theoretical Frontiers: Research continues to uncover new subtleties and challenges in achieving agreement in Byzantine environments. For example, recent work has shown that it is impossible to reliably determine the causal “happens-before” relationship between events in an asynchronous system with even a single Byzantine process.100 Understanding and addressing these more nuanced problems will be essential for building the next generation of verifiable and secure distributed applications.

 

9. Conclusion: Embracing Asynchrony for a Resilient Future

 

9.1. Recapitulation of the Journey

 

The pursuit of distributed consensus has been a defining journey in computer science, tracing a path from idealized theory to the complex realities of global, adversarial networks. This report has navigated that journey, beginning with the foundational principles of agreement and the theoretical purity of the synchronous model, where bounded delays offered a clean but unrealistic environment for problem-solving. We then confronted the practical limitations of this model and the stark theoretical barrier erected by the Fischer-Lynch-Paterson Impossibility Theorem, which proved that guaranteed, deterministic agreement in a truly asynchronous world is an unattainable ideal.

This impossibility result did not mark an end, but rather a beginning, forcing the field to diverge along two distinct philosophical paths. The first, rooted in pragmatism and optimization for the common case, led to the partially synchronous model. This “optimistic” approach, which underpins industry stalwarts like Paxos and Raft, accepts the reality of asynchrony but wagers on its transience, building protocols that are safe during storms but only guarantee progress once the skies clear. The second path, driven by a demand for uncompromising robustness, chose to abandon determinism itself. This led to the development of randomized and, ultimately, practical asynchronous BFT protocols like HoneyBadgerBFT, Dumbo, and Algorand, which leverage probability and modern cryptography to provide provable liveness guarantees, no matter how hostile the network becomes.

 

9.2. Final Assessment

 

The analysis presented throughout this report leads to a clear conclusion. While partially synchronous, leader-based protocols have been instrumental in the growth of large-scale distributed systems and will continue to serve well in controlled, trusted environments, their foundational reliance on timing assumptions represents a critical and exploitable fragility. In an era defined by decentralized finance, global-scale blockchains, and the constant threat of sophisticated, state-level adversaries, designing systems whose liveness can be compromised by mere network manipulation is an increasingly untenable risk.

The future of truly fault-tolerant, secure, and resilient systems—especially those that form the bedrock of critical infrastructure—lies in embracing asynchrony. The vanguard of modern BFT protocols demonstrates that this is not a concession to lower performance, but a strategic design choice that trades the fragile speed of the “happy path” for the invaluable asset of predictable and guaranteed progress under duress. These protocols are not merely tolerant of asynchrony; they are native to it. They have transformed the constraints of an unpredictable world into features, using randomness for security, modularity for innovation, and cryptography for censorship resistance. The asynchronous imperative is clear: for systems that cannot afford to fail, we must build upon foundations that do not assume the network will be kind.