|
|
|---|
|
|
|
|---|
Transitions for proposal certification.
Once a correct validator has received enough endorsing signatures for a pending proposal, i.e. the signers (author and endorsers) form a quorum, the validator creates and broadcasts a certificate.
A faulty validator may also create and broadcast a certificate, but it is not constrained to have a quorum of signers. However, in order to include the signature of a correct validator, that correct validator must have signed the proposal, i.e. there must be a message, in the network, from that correct validator that endorses the proposal. Since faulty validators have no internal state in our model, we model certificate creation by faulty validators as an atomic event, which uses zero or more endorsing messages from the network, and puts their signatures (represented as the endorsing addresses) into the certificate. Importantly, the endorsing messages are not consumed: this way, we can model the fact that a faulty validator may create different certificates with the same proposal but with different sets of endorsers, chosen among the ones available in endorsing messages.
Either way, the certificate is broadcast to a set of validators. For certain properties like blockchain nonforking, it does not matter that the certificate actually goes to all validators; there is no need to model any form of reliable broadcast.