Hybrid Consensus with Quantum Sybil Resistance

Sybil resistance is a key requirement of decentralized consensus protocols. It is achieved by introducing a scarce resource (such as computational power, monetary stake, disk space, etc.), which prevents participants from costlessly creating multiple…

Authors: Dar Gilboa, Siddhartha Jain, Or Sattath

Dar Gilboa∗1, Siddhartha Jain†1,2, and Or Sattath3

1 Google Quantum AI, Venice, CA, United States
2 University of Texas, Austin, TX, United States
3 Ben-Gurion University, Beer Sheva, Israel

February 27, 2026

Abstract

Sybil resistance is a key requirement of decentralized consensus protocols. It is achieved by introducing a scarce resource (such as computational power, monetary stake, disk space, etc.), which prevents participants from costlessly creating multiple fake identities and hijacking the protocol. Quantum states are generically uncloneable, which suggests that they may serve naturally as an unconditionally scarce resource. In particular, uncloneability underlies quantum position-based cryptography, which is unachievable classically. We design a consensus protocol that combines classical hybrid consensus protocols with quantum position verification as the Sybil resistance mechanism, providing security in the standard model, and achieving improved energy efficiency compared to hybrid protocols based on Proof-of-Work. Our protocol inherits the benefits of other hybrid protocols, namely the faster confirmation times compared to pure Proof-of-Work protocols, and resilience against the compounding wealth issue that plagues protocols based on Proof-of-Stake Sybil resistance. We additionally propose a spam prevention mechanism for our protocol in the Random Oracle model.

1 Introduction

The decentralized consensus problem has received considerable attention since the landmark Bitcoin protocol first demonstrated a viable solution in the fully permissionless setting [55]. Subsequent years have witnessed an explosion of protocols of various flavors [22, 56, 46, 72, 27], providing a base layer upon which various applications can be built [59, 23].
While some of the original formulations of the consensus problem, often under the name of State Machine Replication (SMR), were in a setting where the set of participants is fixed in advance and known to all [32], protocols designed to function in the decentralized setting of the web cannot make this assumption. The ideal degree of decentralization is the “fully permissionless” setting, where the set of participants is unknown to the protocol and may vary over time. Intermediate settings between the permissioned and fully permissionless setting are also common, most notably the quasi-permissionless setting where the protocol has some knowledge of the participants, though the set of active participants can vary over time (see [51] for a precise definition of these models, including intermediate ones).

Any permissionless protocol must include a mechanism of Sybil resistance. Since the identity of participants is not fixed, this mechanism prevents a Sybil attack in which an adversary creates an arbitrary number of fake identities costlessly and hijacks the protocol. Sybil resistance is typically achieved by introducing a costly economic resource, and the protocol is designed such that the power of any participant in the protocol, honest or otherwise, is roughly proportional to the amount of this resource they hold. Some of the most common choices in practice are computational power/hashrate (Proof-of-Work or PoW) [55] and stake in the cryptocurrency native to the blockchain (Proof-of-Stake or PoS) [46], though many other choices are possible. Each leads to various tradeoffs in the protocol design.

∗ darg@google.com
† sidjain@utexas.edu

In parallel, ever since the advent of quantum money in the 1960s, it has been known that the uncloneability of quantum states can have interesting cryptographic consequences.
This has led to the construction of multiple useful quantum primitives such as quantum money and tokens [71, 35, 7, 36], quantum key distribution [9], copy-protected quantum software [1] and one-shot signatures [3, 63, 64] (see [60] for a review). These can be used to create objects with tantalizing properties that are impossible to achieve classically without hardware assumptions, such as currency or software that cannot be copied or signatures that cannot be reused. Given the unique capabilities of quantum states to serve as an uncloneable resource, it is natural to ask whether better solutions to the decentralized consensus problem, and the Sybil resistance component in particular, exist in a quantum world.

1.1 Quantum consensus

Indeed, there is at least one result that answers the above question in the affirmative, by demonstrating a consensus protocol with constant round complexity in a setting where classical lower bounds are polynomial in the number of participants [8]. This lower bound however assumes an unrealistically powerful adversary model, since in practice most protocols have constant round complexity under normal operating conditions. Aside from this work, there seem to have been very few attempts to use quantum resources to solve consensus, despite the massive interest in the problem.

Zhandry gives a construction of a cryptocurrency based on quantum lightning [73] (which can be built from one-shot signatures [63]). His scheme uses PoW to mint new money, as in many other cryptocurrencies, but relies on the no-cloning property of quantum lightning to prevent double-spending. Overall, Zhandry’s approach eliminates the need for a blockchain or any form of consensus. The main drawback of Zhandry’s approach is that, without consensus, there is no way to regulate the rate at which money is minted and thus control inflation.
This construction is closest in spirit to our work, yet it uses uncloneability to partially replace the consensus mechanism itself rather than the Sybil resistance mechanism (i.e., PoW). Put differently, this doesn’t enable one to solve the basic question that consensus answers when applied to cryptocurrencies: “Where is the money?”. Ref. [28] piggybacks on an existing blockchain for Sybil resistance (where the coins are already allocated), and provides a mechanism to migrate to quantum money, thereby removing the need to further maintain the blockchain, while relying on no-cloning to prevent double-spends.

In this work we attempt a fresh look at this question, and design a consensus protocol based on a novel quantum Sybil resistance mechanism. Our key idea is to use quantum computers located at distinct positions in space as the scarce resource, enabling Sybil resistance. We denote this mechanism Quantum Proof-of-Position (QPoP). This leads to improved energy efficiency compared to Proof-of-Work and mechanisms to avoid concentration of wealth that occurs in Proof-of-Stake protocols. A more detailed comparison to existing protocols is provided in Section 1.2.

While there are problems that are widely believed to only be efficiently solvable on a quantum computer, most notably factoring, it is not obvious how to use this fact to obtain improved Sybil resistance. This is because relying on computational tasks directly will likely require fine-grained analysis of the complexity of e.g. factoring in order to guarantee security, similar to the fine-grained complexity guarantees needed for classical Proof-of-Work [6]. The practical cost of factoring may be particularly sensitive to hardware improvements in a field that is progressing rapidly, and to tradeoffs between circuit depth and qubit counts which are common in quantum algorithm design (e.g., Regev’s recent factoring algorithm [57]).
Even if the complexity of factoring or another problem exhibiting quantum advantage could be understood at the required resolution, it is still unclear what benefits would be conferred by replacing classical computation with quantum. In our approach, there is a clear benefit in that the main function of the quantum computers is to (periodically) provide a proof of the quantum computer’s position in space. This is known to be impossible classically [26], but achievable using quantum computers [21], even when only using classical communication [52]. We discuss the problem of position verification and its quantum solution in greater detail in Section 2.1.

One issue with using position verification for Sybil resistance is that the proof of position is not transferable, which precludes it from being used as a drop-in replacement for PoW in e.g. Nakamoto consensus. Fortunately, there is a class of hybrid protocols such as Hybrid [56], Byzcoin [47] and Solida [2] which maintain a dynamic committee running a permissioned consensus protocol, and update it in a fair way using PoW. The committee in these algorithms makes them a particularly good match for our resource, since only the committee members need to run position verification as the verifier. We show that QPoP can be substituted for Proof-of-Work in these protocols, focusing on Solida [2]. We do this because Byzcoin does not come with formal guarantees (at least not at the time of original publication) and Solida is a simplification of Hybrid, though similar modifications of these other hybrid protocols might be possible.

Another consequence of the non-transferability of position verification is that spam prevention in our setting is non-trivial.
Since position verification requires communication and computation by the entire committee, one would like to avoid a scenario where an adversary costlessly publishes a large number of positions that must then be verified. The use of quantum computers in our protocol suggests a natural solution. We present in Algorithm 3 a registration algorithm that optionally uses proofs of quantumness based on discrete logarithm to ensure that registration to participate in the protocol is not costless, by relying on a Random Oracle assumption. The proof is publicly verifiable, using classical computation only. This can be seen as a highly coarse-grained, effectively binary form of Sybil resistance (distinguishing between possession of a sufficiently powerful quantum computer or lack thereof), which as mentioned above would appear insufficient on its own to build a useful Sybil resistance mechanism. We show however that it can in some sense be “bootstrapped” into a legitimate Sybil resistance mechanism based on position verification.

The development of quantum computation will very likely impact classical consensus protocols due to the vulnerabilities of cryptographic schemes based on Elliptic Curve Cryptography, used by virtually every widely deployed blockchain, to quantum attacks. Due to their decentralized nature, blockchains are especially ill-suited to coping with such a threat, and transitioning to post-quantum cryptography is nontrivial. We do not concern ourselves with this problem in this work.

1.2 Comparison to other protocols

Below we summarize how our protocol compares to other approaches to Sybil resistance. For more details, see Section 4.1.

• Proof-of-Work (Nakamoto consensus [55], Solida [2], Hybrid [56], Byzcoin [47], etc.):
  – PoW-based protocols, and Bitcoin in particular, are notorious for their energy consumption [74, 61].
    This is because participation essentially amounts to repeatedly attempting to solve a cryptographic puzzle by brute-force search. In contrast, the quantum computers used by our protocol are only used very sparingly in order to validate the position of a participant. This has the potential to significantly reduce energy consumption.
  – Since finalization of transactions is based on a deterministic PBFT protocol, it shares the improved throughput advantage that other hybrid protocols have compared to pure PoW-based solutions, and enables deterministic finalization (no rollbacks).
  – Security of many PoW-based protocols (and in fact of other protocols based on longest-chain consensus [30] as well) depends on message propagation delays, while security of our protocol is independent of these. Additionally, our Sybil resistance mechanism is secure in the Standard Model, unlike PoW which is only secure in the Random Oracle model.

Protocol | Energy consumption | Finalization | Security | Wealth conc. | Costless simulation
Bitcoin (PoW) | High | Slow | ROM | No | No
Ethereum (PoS) | Low | Fast | SM | Yes | Yes
Solida (PoW) | High | Fast | ROM | No | No
Solana (PoH) | Low | Fast | N/A | No | No *
This work (QPoP) | Low | Fast | SM | No | Yes
This work (QPoP) (spam prevention) | Low | Fast | ROM | No | No

Table 1: A comparison of our protocol with prominent blockchains. Our hybrid protocol uses quantum position verification as an off-chain resource, leading to improved energy efficiency compared to PoW protocols while avoiding the risks of wealth concentration and costless simulation faced by protocols that rely solely on on-chain resources such as stake. * Proof-of-History based hashchains do not have security guarantees. See additional discussion in Section 4.1.

• Proof-of-Stake (Ethereum [22], Ouroboros [46], etc.):
  – PoS-based protocols suffer from wealth compounding issues [34].
    As the protocol evolves, a Byzantine leader can give preferential treatment to transactions from other Byzantine nodes and process them faster than transactions from honest nodes. This form of censorship may eventually lead to concentration of wealth, or a “rich get richer” effect, compromising the safety of the protocol over time. In this context, Theorem 11.1 of [51] formalizes the limitations of protocols that only rely on “on-chain” resources like stake. These vulnerabilities are avoided by including an off-chain resource in hybrid protocols and using it in a way that on-chain resource holders have little control over. In our case, this is the process of election to the committee based on position sampling.
  – PoS-based protocols are vulnerable to costless simulation [29]. Our spam-mitigation technique based on Proof-of-Discrete-Logarithm prevents a classical adversary from costlessly simulating the output of the protocol.

• External resources other than work such as disk space or elapsed time [33, 17] (Chia [27], Solana [72], etc.): These typically rely on non-standard primitives such as Verifiable Delay Functions (VDFs) [15]. VDFs cannot be built in the Random Oracle model and hence require stronger assumptions [41]. Solana is perhaps the most widely deployed hybrid consensus protocol of this form. The details of its Proof-of-History Sybil resistance mechanism are not fully explicit and consequently it does not have security guarantees. There have also been concerns about the security of the proposed mechanism [66, 67].

The details of the protocol are provided in Section 3, and in Section 4 we show that it satisfies consistency, liveness and avoids spam. We survey results on the quantum resources required to run certain subroutines used by the protocol in Section 5, and discuss various open questions in Section 6.
2 Preliminaries

2.1 Position verification

Position-based cryptography [26] is motivated by the idea that identity in a cryptographic setting can be established based on physical location. The original work that formalized this concept showed that secure position verification is impossible (when only classical resources are used). A position verification protocol involves a prover and a set of verifiers, and it was shown in [26] that for any classical protocol, the part of the prover can be simulated by an adversary that is not present at the claimed position.

Interestingly, it was later shown that this is no longer the case if provers and verifiers are equipped with quantum computers [21, 69, 11]. At a high level, the classical impossibility results can be evaded in a quantum world because the attack in [26] requires that the adversary copies messages sent by the verifiers to the prover. If the messages are quantum states that are unknown to the adversary, they can no longer be copied by the no-cloning theorem.

While the original proposals for quantum position verification required quantum messages, this requirement was later removed by combining position verification protocols with proofs of quantumness [52]. Proofs of quantumness [53, 18, 19, 70] are powerful tools that allow a classical verifier to certify that a prover holds a quantum computer, and can in fact be used to certify any efficient quantum computation. The original constructions of proof of quantumness rely on families of Noisy Trapdoor Claw-Free Functions (NTCFs), which map pairs of inputs to a single output, and can only be inverted efficiently given a secret trapdoor. A quantum computer can be used to prepare a superposition over the inputs of such a function that map to any output, and solve a challenge that requires such a state as input.
A classical algorithm capable of solving this challenge could be rewound and used to recover both inputs of the NTCF that map to the same output, breaking the hardness assumption associated with the NTCF. One natural construction is based on hardness of Learning With Errors (LWE) [58].

The idea of [52] is to have a classical verifier by replacing the quantum messages in position verification with a (classical) Proof-of-Quantumness. There are certain timing constraints that must be satisfied so that the prover cannot cheat, but the authors show that this enables secure position verification using only classical messages. As with other position verification schemes, the adversaries can spoof their position if they pre-share entanglement, yet the authors also show how to render position verification secure in such settings. We summarize their main results in Table 2.

Theorem | Quantum Hardness Assumption | Adversary Entanglement | Adversary Complexity | Model
1.1 | LWE (Polynomial) | None | Polynomial | Standard
1.2 | LWE (Subexponential) | Fixed polynomial | Subexponential | Standard
1.3 | LWE (Polynomial) | Polynomial | Polynomial | QROM [14]

Table 2: Security of Classically Verifiable Position Verification (CVPV) [52]. Here polynomial refers to $n^c$ for all $c$, whereas fixed polynomial refers to $O(n^c)$ for some fixed constant $c$.

The most relevant result for use is Theorem 1.1, since it provides security in the standard model under a reasonably powerful adversary model.

2.2 Notation and terminology

We use $c, C$ for (usually small/large resp.) absolute constants whose value can change from line to line. We denote by $a|b$ the concatenation of strings $a$ and $b$. We use Python conventions for dictionaries and arrays, namely d.keys is the set of keys of a dictionary d, the value stored with key k is given by d[k], and [a, ..., b] is an ordered list.
We denote our security parameter by $\lambda$ and define negligible probability with respect to it.

When we refer to quantum computers, we mean devices that are capable of running fault-tolerant quantum programs at input sizes that are cryptographically relevant (in particular, we will use Shor’s algorithm for the discrete logarithm problem [65] and Mahadev’s proofs of quantumness based on hardness of LWE [53, 58]). In practice, this will likely require access to an order of $10^3$ error-corrected qubits.

At any stage of the protocol where participants are associated with public keys, we will refer to entities holding such keys as nodes (with honest nodes holding a unique signing key associated with a public key, and an adversary potentially holding multiple keys). We will refer to an entity in possession of an off-chain resource (such as a quantum computer) as a node, even though such a participant is effectively anonymous from the perspective of the protocol, and is not yet associated with a public key. This participant has the freedom of generating new digital signature keys for every computer it wishes to register (or for the same computer if it is registered more than once). This is analogous to the use of fresh public keys in fully permissionless protocols. The intended meaning should be clear from context.

3 Hybrid Consensus with Quantum Position Verification

The proposed protocol shares most of the ingredients of Solida. Recall that Solida runs Byzantine Agreement among a set of Committee Members, specified by their (digital-signature) public keys. The size of the committee is $n$, where the genesis committee is hard-wired as $C_1 = [pk_1, \ldots, pk_n]$.
The committee has two main roles: (a) approving batches of transactions, and (b) performing reconfiguration, in which a new member is elected in a fair manner (based on an off-chain resource which prevents Sybil attacks and censorship), and the oldest member leaves.

Role (a) in the above uses standard techniques [25]: the committee decides on a leader, which proposes the batch of transactions to approve. A malicious (Byzantine) leader cannot violate the safety of the transaction (such as no double spends), but can violate the progress. So, if there’s no progress, eventually the committee elects a new leader, in a round-robin fashion from the current committee.

The main challenge is role (b). Solida’s approach is to use Proof-of-Work to determine the next committee member: A reconfiguration event occurs whenever a Proof-of-Work puzzle is solved. This allows users to join the committee in an unbiased fashion: the probability of a user joining the committee is proportional (footnote 1) to its hashing power. In the terminology of Lewis-Pye and Roughgarden [51], Solida and other hybrid protocols use both on-chain (committee membership) and off-chain (computational power) resources.

This work uses a different reconfiguration rule and off-chain resource. The protocol defines a partition $P$ of the physical space that participants can occupy. It also maintains a dictionary $E$ of eligible positions and public keys registered at that position. Specifically, for every registered $pos \in P$,

$$E[pos] = [pk_1, \ldots, pk_k], \tag{3.1}$$

where $[pk_1, \ldots, pk_k]$ is a list of public keys that were registered at position $pos$ in the current reconfiguration step, in lexicographic order. Any participant can publish their position and public key in order to be included in $E$. Position registration itself is fully permissionless.
To prevent spam at this stage, there is an option to require a proof of quantumness by solving a discrete logarithm puzzle. Reconfiguration is then performed by sampling a position uniformly at random from E.keys, using a randomness beacon. An eligible committee member must have a quantum computer.

Footnote 1: Up to corrections due to network delays.

The main challenge is double-eligibility: making sure that a single computer would not allow a (dishonest) user to be counted as eligible twice. To prevent double eligibility, we employ position verification, and for improved practicality, we utilize a classically verifiable position verification (CVPV) protocol [52]. Note that a user with one quantum computer can in principle register two different locations, by registering once, moving the quantum computer to a different cell in the partition $P$ and registering again at the second location (which must be at least a distance $\Gamma$ from the first). This user would not benefit from an increased probability of being elected onto the committee since he can only successfully run CVPV as the prover from his current position. The committee then run CVPV, assuming the prover is at the sampled position from E.keys, verifying that the messages from the prover are signed appropriately. By security of CVPV, the prover will succeed only if they possess a sufficiently powerful quantum computer at that position. This mechanism can be used to construct a novel form of Sybil resistance, with favorable properties compared to classical alternatives.

Next, we make our formulation more precise. Our protocol will require the following assumptions:

1. Trusted setup: The genesis committee $C_1$ has at most $(1/3 - \varepsilon)n$ Byzantine nodes for some constant $\varepsilon$.
2. CVPV resolution: There is a fixed partition of space $P$ into cells of size $\Gamma$.
   A lower bound on the possible size of the cells in the partition will be set by the spatial resolution of CVPV, and it would be beneficial to set this as small as possible.
3. Cell availability: An honest node can place a quantum computer in a cell’s center, and prevent others from placing their computer in that cell.
4. Randomness beacon: We make this assumption for convenience since it is orthogonal to Sybil resistance which is our main concern, as in e.g. [62, 6]. Decentralized randomness beacons are generally a challenge for any protocol that does not rely on Proof-of-Work [16]. Since a randomness beacon can be constructed using a random oracle [4], it is not a stronger assumption.
5. Communication:
   i) Synchronous communication between nodes on the committee during SteadyState and ViewChange, with maximal message delay $\Delta$.
   ii) Sufficiently low latency communication between verifiers and provers in order to run CVPV in Reconfiguration.
   iii) All participants (whether on the committee or not) can communicate using a gossip protocol [31, 43], but without any guarantee of consistency.
6. Assumptions required for CVPV security (see Section 2.1). In particular, we assume quantum hardness of LWE. Security against adversaries pre-sharing unbounded entanglement requires the QROM, but as long as entanglement is polynomially bounded CVPV is secure in the standard model. It is also worth noting that sharing entanglement across long distances that can then be used for computation is an extremely challenging engineering problem, usually requiring transduction between optical and memory qubits [48].
7. All participants (Byzantine or honest) have polynomially bounded computational power (both quantum and/or classical).
8. Byzantine nodes control at most a fraction $\rho$ of quantum computers at any given time slot. Security of the protocol is guaranteed when $\rho < 1/3 - \varepsilon$.
9. (For spam resistance) Random Oracle. It is important to note that we only use the Random Oracle assumption to mitigate spam, unlike PoW where it is essential to guarantee Sybil resistance and hence security.
10. (For spam resistance) DLP assumption in $QR_p$: Classical average-case hardness of the discrete logarithm problem in the subgroup of quadratic residues [13, Definition 10.6]. More precisely, let $p = 2q + 1$ where $p$ and $q$ are primes ($p$ is often called a safe prime), let $QR_p \subseteq \mathbb{Z}_p^*$ be the quadratic residues subgroup of order $q$, and $g$ a generator of $QR_p$. For $h \in QR_p$, the discrete logarithm $\log_g(h)$ is defined as the unique $x \in \mathbb{Z}_q$ such that $g^x \equiv h \pmod{p}$. We assume that for a uniformly random (footnote 2) $h \in QR_p$, given $p, g, h$, computing the discrete logarithm $\log_g(h)$ cannot be done classically by a probabilistic polynomial time algorithm, except with a success probability that is negligible in the security parameter. We denote by $R_H(\lambda)$ and $R_A(\lambda)$ a lower and upper bound respectively on the rate at which an honest participant and an adversary can solve the discrete log problem with security parameter $\lambda$ on a quantum computer.
11. The cost of running a quantum computer, whether for solving the discrete log or CVPV, significantly outweighs the cost of running CVPV as a verifier by the entire committee (which requires only classical computation and communication) and running PBFT. This is reasonable given the significant overheads of quantum error correction, which are fundamental in leading hardware platforms such as superconducting qubits due to their local connectivity constraints [5].

The operation of the protocol can be divided into distinct stages:

• SteadyState: The “normal” operation mode in which blocks of transactions are proposed by a leader on the committee and other members vote in order to finalize the blocks.
• ViewChange: If a Byzantine leader does not propose blocks within a time frame (ultimately set by the maximal message delay, $\Delta$), the committee replaces the leader by initiating a view change.
• Reconfiguration: The committee is modified by adding a member that has proved it holds some external resource in order to guarantee Sybil resistance. An existing member is removed in the process.

SteadyState and ViewChange depend solely on on-chain resources so we leave them unchanged from the Solida protocol [2]. For completeness, we include a description of these parts of the algorithm in Section A. Reconfiguration in Solida is based on PoW (and is consequently event-driven). We replace it by a procedure based on CVPV that occurs every fixed number of time steps.

The basic protocol is presented below. Nodes in $C_i$ are identified by their public keys. Other participants specified in the algorithm are (honest) entities that can control quantum computers at some point in time during the execution. Stages in the algorithm which require interaction are assumed to be run for a time that allows an honest player to participate (for example, when registration requires computing the discrete log, we assume the time between registration periods is sufficient to compute on a quantum computer).

All steps below, unless specified otherwise (in a right-justified comment), can be performed by any party wishing to keep up with the protocol, and rely only on public information. Any classical party can efficiently verify the state of the protocol in this way, and for example read off the current makeup of the committee $C_i$. Processing pks one at a time in some arbitrary order ensures that all committee members are considering the same candidate at each stage. The purpose of the publishing of the results in Algorithm 2 is to enable other participants not on the committee to keep track of the state of the committee.
Since the published $v_j$ are the outputs of Byzantine Agreement, all honest members will publish the same value, and hence a simple quorum of 2/3 provides sufficient evidence for any external party whether CVPV succeeded or failed. The CVPV steps refer to running either Construction 5.10 or Construction 6.2 from [52], depending on whether the adversary is assumed to possess an arbitrary amount of pre-shared entanglement or not.

Footnote 2: Equivalently, and as we will do later, $h$ may be sampled as $h := t^2 \pmod{p}$ for uniform $t \leftarrow \mathbb{Z}_p^*$.

Algorithm 1 Hybrid consensus with Quantum Proof-of-Position
 1: Initialize committee C_1, eligible position dictionary E = ∅, t = 1, i = 1.
 2: while True do
 3:   if t = 0 mod τ_reconfig then
 4:     Update E using Algorithm 3.
 5:     while |E| > 0 do
 6:       Use randomness beacon to sample candidate pos from E.keys.
 7:       Set (cpos, cpks) ← (pos, E[pos])
 8:       Remove pos from E.keys.
 9:       Run Algorithm 2 with (cpos, cpks).    ▷ C_i and prover.
10:       if Algorithm 2 returns Success then
11:         break
12:       end if
13:     end while
14:   else
15:     Run SteadyState for T′ slots (and ViewChange as needed).    ▷ C_i.
16:   end if
17:   Increment t.
18: end while

Algorithm 2 Position Verification with Committee C and claimed position and keys (pos, pks)
 1: for pk ∈ pks do
 2:   for j ∈ C do    ▷ (Between times t_0 + (j − 1)τ_v and t_0 + jτ_v)
 3:     Run CVPV as verifier, assuming prover at pos.    ▷ j.
 4:     Run CVPV as prover, signing messages with pk.    ▷ (Honest) prover.
 5:     if CVPV succeeds and all messages signed by pk then    ▷ j.
 6:       Set r_j = 1.
 7:     else
 8:       Set r_j = 0.
 9:     end if
10:   end for
11:   Run Byzantine Agreement with inputs r_j, returning v_j.    ▷ C.
12:   Each committee member publishes v_j.    ▷ C.
13:   if At least 2n/3 members of C_i published 1 then
14:     Add (pk, pos) to C_i, kick out most senior member.
15:     Increment i.
16:     Return Success
17:   end if
18: end for
19: Return Failure
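An added example (not code from the paper): the sampling loop of Algorithm 1 run many times over a constructed registry, showing that positions registered without a quantum computer do not shift the election odds. The CVPV run and Byzantine Agreement of Algorithm 2 are replaced by a hypothetical stand-in, `cvpv_accepts`, and every cell, key and participant name is made up for the illustration.

```python
import random
from collections import Counter, deque


def cvpv_accepts(pos, pk, computer_at):
    """Stand-in (assumption) for Algorithm 2's outcome.

    Models the committee's CVPV run plus Byzantine Agreement as accepting
    only when a quantum computer sits in cell `pos` and signs the CVPV
    messages with `pk`.
    """
    return computer_at.get(pos) == pk


def reconfigure(E, committee, computer_at, rng):
    """Lines 5-13 of Algorithm 1. Returns the elected (pk, pos) or None."""
    remaining = {pos: sorted(pks) for pos, pks in E.items()}  # leave E intact
    while remaining:
        # Randomness beacon: uniform sample over E.keys in a fixed public order.
        pos = rng.choice(sorted(remaining))
        for pk in remaining.pop(pos):        # Algorithm 2 tries each pk in order
            if cvpv_accepts(pos, pk, computer_at):
                committee.append((pk, pos))  # new member joins
                committee.popleft()          # most senior member leaves
                return pk, pos
    return None


# Constructed scenario. Ground truth: which key controls the computer in a cell.
COMPUTER_AT = {"c1": "alice-1", "c2": "alice-2", "c3": "bob-1", "c4": "mallory-1"}
OWNER = {"alice-1": "alice", "alice-2": "alice", "bob-1": "bob",
         "mallory-1": "mallory"}

# Plain (non spam-resistant) registration accepts any published (pk, pos).
REGISTERED = {
    "c1": ["a-mallory-squat", "alice-1"],  # mallory's key on alice's cell
    "c2": ["alice-2"],
    "c3": ["bob-1"],
    "c4": ["mallory-1"],                   # where mallory's one computer is now
    "c5": ["mallory-2"],                   # registered before moving to c4
    "c6": ["mallory-3"],                   # empty cells
    "c7": ["mallory-4"],
}


def election_frequencies(trials=20000, seed=0):
    """Fraction of reconfigurations won by each participant."""
    rng = random.Random(seed)
    wins = Counter()
    for _ in range(trials):
        committee = deque(f"genesis-{i}" for i in range(4))
        pk, _pos = reconfigure(REGISTERED, committee, COMPUTER_AT, rng)
        wins[OWNER[pk]] += 1
    return {who: count / trials for who, count in wins.items()}


if __name__ == "__main__":
    for who, freq in sorted(election_frequencies().items()):
        print(f"{who:8s} {freq:.3f}")
```

Mallory holds five of the eight registered keys but one of the four computers, and wins about a quarter of the elections; the extra registrations only add failed verification rounds for the committee, which is the cost the spam-resistant registration is meant to limit.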
Algorithm 3 Location registration
Spam-resistant version:
 1: A public parameter $p = 2q + 1$ for $p, q$ primes ($p$ is often called a safe prime), and a generator $g$ for the (cyclic) subgroup of quadratic residues of $\mathbb{Z}_p^*$.
 2: Use randomness beacon to sample a string $r$. Start timer $t' = 0$.
 3: while $t' < \tau_{\mathrm{register}}$: do
 4:     Publish $(\mathrm{pk}, \mathrm{pos}, \log_g(H(\mathrm{pk}|\mathrm{pos}|r)^2 \pmod{p}))$    ▷ Any party.
 5: end while
 6: Wait until $t' = \tau_{\mathrm{register}} + \Delta$.
 7: for Each message $(\mathrm{pk}, \mathrm{pos}, x)$ received do
 8:     if $g^x \equiv H(\mathrm{pk}|\mathrm{pos}|r)^2 \pmod{p}$ then
 9:         Append pk to $\mathcal{E}$[pos], maintaining order.
10:     end if
11: end for
(OR) Plain version:
 1: Start timer $t' = 0$.
 2: while $t' < \tau_{\mathrm{register}}$: do
 3:     Publish (pk, pos).    ▷ Any party.
 4: end while
 5: Wait until $t' = \tau_{\mathrm{register}} + \Delta$.
 6: for Each message received do
 7:     Append pk to $\mathcal{E}$[pos], maintaining order.
 8: end for

Denote by $H$ a public hash function, modeled as a Random Oracle, and by $\log_g(h)$ the discrete logarithm of $h$ (see the DLP assumption for more details on p. 8). Note that the steps above that update $\mathcal{E}$ can be performed using public information by any participant. The ordering of $\mathcal{E}$.keys is arbitrary but fixed, and so also public knowledge, which renders the sampling in Step 6 of Algorithm 1 unbiased and independent between reconfigurations. The random string $r$ is chosen such that the DLOG problem is secure with security parameter $\kappa$.

4 Consistency, Liveness and Spam prevention

We prove that our protocol satisfies the following:

Property 1 (Consistency and Liveness). Except with negligible probability, up to some $T = \mathrm{poly}(\lambda)$:
1. Consistency:
   • No rollbacks: If a transaction tr is confirmed by participant $p$ at some time $t$, it remains finalized for every $t' > t$.³
   • No conflicts: If $T, T'$ are confirmed transactions for honest $p, p'$ at times $t, t'$, then $T \cup T'$ is a valid set of transactions with respect to the initial committee $C_1$.
2. Liveness: A valid transaction received by an honest player at some time $t$ is eventually (after time $t + \mathrm{poly}(n, \Delta, K)$, where $K$ is the maximum number of position registrations) confirmed by every other honest node that is active at that time.

³ Confirmation can be formalized as a function that maps a set of messages to a subset of messages that are valid w.r.t. the initial resource distribution (in our case the Genesis committee $C_1$), as in [51]. The longest-chain confirmation rule of Bitcoin, for example, is that a transaction is sufficiently deep on the longest chain.

Our protocol enforces Sybil resistance based on position verification. Specifically, it possesses the following property:

Property 2 (Sybil resistance from Quantum-Proof-of-Position). Given $N$ participants each possessing $\mu_i$ quantum computers at distinct cells in the partition $P$ that are online during the $j$-th reconfiguration step,

$$\mathbb{P}[\text{participant } i \text{ is added to } C_j] = \frac{\mu_i}{\sum_{k=1}^{N} \mu_k}, \tag{4.1}$$

and moreover these events are independent between reconfiguration rounds.⁴

In proving liveness of our protocol, we will show that it satisfies Property 2 as part of an inductive argument (since this property can be used to guarantee safety of the committee up to a certain reconfiguration step $j$, which in turn implies that this property also applies when $C_j$ performs reconfiguration). We will additionally be interested in spam mitigation, since the position registration process is effectively fully-permissionless. To be more precise, we ensure the following

Property 3 (Quantum Spam-Resistance).
i) A message $m$ that is invalid (either not signed by a valid authority or not containing a correct solution to the discrete logarithm puzzle) can be identified by an efficient, local, classical computation.
ii) A message $m$ that contains a correct solution to the discrete logarithm puzzle cannot be produced without cost (i.e. without access to a quantum computer).
iii) Any honest party with a quantum computer can send valid messages.

The importance of Item i above is that it allows any participant to detect an invalid discrete logarithm solution locally and prevent such messages (which can be from any source) from being propagated further in the network, since the public ledger used by the protocol is usually implemented using a gossip protocol. This is analogous to invalid claims of a solution to a PoW puzzle being detectable locally, and prevents the overhead of propagating such messages to the rest of the network.

Safety and liveness of Solida, conditioned on safety of each committee, follows directly from results for the corresponding PBFT protocol. We leave this unchanged in our version:

Theorem 1 (Safety and Liveness of Solida [2]). The protocol achieves safety and liveness if each committee has no more than $f < n/3$ Byzantine members.

In order to modify Solida to work with position verification, we only need to modify Theorem 2:

Theorem 2 (Safety and Liveness of Solida Reconfiguration [2]). Assuming $f < n/3$ holds for $C_1$, then $f < n/3$ holds for each subsequent committee except for a probability exponentially small in $n$ if $\rho'(\rho, D, \Delta) < 1/3$.⁵

⁴ This assumes all parties are using the computers in their possession to participate in the protocol, including Byzantine nodes, which is the worst-case scenario from the perspective of honest nodes. If this were not the case, the equality could be replaced with an $\geq$.
⁵ This theorem as stated in [2] cannot hold for arbitrarily large times $T$. Rather, this result applies for any specific time slot $t$, and can then be uniformized.

Here $\rho' \geq \rho$ is the effective proportion of external resource held by Byzantine nodes.
It is a function of $\rho$, the maximal message delay $\Delta$ and the expected time for the network to solve the PoW puzzle $D$, and increases with $\Delta$.

Denote by $f_i$ the number of Byzantine committee members on the committee $C_i$. This is a random variable that depends on the randomness of both position verification and sampling a location from the list of registered locations $\mathcal{E}$.keys. We show the following:

Theorem 3 (Safety of Committee in Algorithm 1). Denote by $K$ an upper bound on the number of candidate locations $|\mathcal{E}.\mathrm{keys}|$. Assume that for some constant $\varepsilon < 1/3$,
i) $$f_1 < (1/3 - \varepsilon)n. \tag{4.2}$$
ii) $$\rho < 1/3 - \varepsilon. \tag{4.3}$$
iii) CVPV is secure with security parameter $\lambda$, and $$\lambda > \log K. \tag{4.4}$$
iv) $$n > \lambda^{c} \tag{4.5}$$ for some absolute constant $c$ (which can be smaller than 1).
Then there is a constant $c(\varepsilon)$ such that for any $T = \mathrm{poly}(\lambda)$ and sufficiently large $n$, the protocol in Algorithm 1 obeys

$$\mathbb{P}[\forall t \leq T : f_t < n/3] \geq 1 - e^{-c(\varepsilon)\lambda}. \tag{4.6}$$

Proof. The assumption on $\lambda$ implies that (for any adversary model chosen and large enough $\lambda$, see Section 2.1 for details), the success probability of an adversary breaking a single instance of CVPV is at most $e^{-c'\lambda}$ for some absolute constant $c'$. At each reconfiguration step, each committee member runs CVPV with each of the at most $K$ candidates (since the inner while loop of Algorithm 1 terminates after at most $K$ steps). Therefore, by a union bound, the probability that security of CVPV holds for all $1 \leq t \leq T$ is at least

$$1 - K n T e^{-\lambda} > 1 - e^{-c\lambda} \tag{4.7}$$

for some $c, c'$ and sufficiently large $\lambda$. The randomness here is internal to CVPV and independent of any other randomness in the protocol. We henceforth condition on the event $E'$ that CVPV is secure for all $T$ reconfigurations.

When sampling an eligible candidate location from $\mathcal{E}$.keys (Step 6 of Algorithm 1), the probability that a Byzantine node is sampled at reconfiguration step $i$ is at most $\rho$, and these events are independent between rounds (since the sampling is independent between rounds, and by our assumption on the resource distribution, honest nodes holding a fraction at least $1 - \rho$ of the quantum computers will also be registered in $\mathcal{E}$). We will argue that as a consequence, as long as at least $2/3$ of the committee members at step $i$ are honest, the probability that $f_{i+1} \geq n/3$ is negligible in $\lambda$.

Consider the event in which a committee at any reconfiguration step $t < T$ is unsafe, meaning $f_t \geq n/3$. We can bound the probability of this event by partitioning the corresponding sample space based on the first time step at which this condition was satisfied. Since these events are all disjoint and their union is simply the event that an unsafe committee was formed at some time, this is a valid partition. This gives

$$
\begin{aligned}
\mathbb{P}[\exists t \leq T : f_t \geq n/3 \mid E'] &= \sum_{t=1}^{T} \mathbb{P}\left[ f_t \geq n/3 \,\cap\, \bigcap_{i=1}^{t-1} f_i < n/3 \,\middle|\, E' \right] \\
&= \sum_{t=1}^{T} \mathbb{P}\left[ f_t \geq n/3 \,\middle|\, E' \cap \bigcap_{i=1}^{t-1} f_i < n/3 \right] \mathbb{P}\left[ \bigcap_{i=1}^{t-1} f_i < n/3 \,\middle|\, E' \right] \\
&\leq \sum_{t=1}^{T} \mathbb{P}\left[ f_t \geq n/3 \,\middle|\, E' \cap \bigcap_{i=1}^{t-1} f_i < n/3 \right]
\end{aligned} \tag{4.8}
$$

Consider a single term in the above sum at round $t$. In rounds $t - n, \ldots, t - 1$, a Byzantine node is added to the committee iff it is sampled from $\mathcal{E}$.keys (since the election process succeeds deterministically conditioned on $E'$ and all committees were safe up to $t$). Then, due to independence of sampling between rounds, $f_t$ is a random variable equal to a sum of $n$ independent Bernoulli variables, each with parameter (at most) $\rho$. We then have

$$
\begin{aligned}
f_t &= f_{t-1} - \mathbf{1}[\text{Winner at } t - n \text{ was Byzantine}] + \mathbf{1}[\text{Winner at } t \text{ is Byzantine}], \\
\mathbb{E}[f_t] &= \mathbb{E}[f_{t-1}] - \mathbb{P}[\text{Winner at } t - n \text{ was Byzantine}] + \mathbb{P}[\text{Winner at } t \text{ is Byzantine}] \\
&= \mathbb{E}[f_{t-1}] - \rho + \rho = \mathbb{E}[f_{t-1}] = \mathbb{E}[f_0] = n\rho.
\end{aligned} \tag{4.9}
$$

In the above, if $t - n < 1$ we interpret “Winner at $t - n$ was Byzantine” to mean “the $t$-th member of the Genesis committee is Byzantine”. It then follows from Chernoff’s inequality that

$$\mathbb{P}\left[ f_t \geq (1 + \delta) n \rho \,\middle|\, E' \cap \bigcap_{i=1}^{t-1} f_i < n/3 \right] \leq e^{-\delta n \rho \ln(1+\delta)/2}. \tag{4.10}$$

Picking $\delta = 1/(3\rho) - 1$ and using $\rho < 1/3 - \varepsilon$ gives

$$\mathbb{P}\left[ f_t \geq n/3 \,\middle|\, E' \cap \bigcap_{i=1}^{t-1} f_i < n/3 \right] \leq e^{n(1-3\rho)\ln(3\rho)/6} \leq e^{-c(\varepsilon) n} \tag{4.11}$$

for a constant $c(\varepsilon)$ that is independent of $n$. Plugging this into Equation (4.8) gives

$$\mathbb{P}[\exists t \leq T : f_t \geq n/3 \mid E'] \leq T e^{-c(\varepsilon) n} \leq T e^{-c(\varepsilon)\lambda^{c_0}} \leq e^{-c'(\varepsilon)\lambda^{c_0}} \tag{4.12}$$

for appropriately chosen $c'(\varepsilon)$ and large enough $\lambda$, where we used $T = \mathrm{poly}(\lambda)$ and $n > \lambda^{c_0}$. Combining this with the bound on $E'$ not holding that was shown earlier gives

$$\mathbb{P}[\exists t \leq T : f_t \geq n/3] \leq \mathbb{P}[\exists t \leq T : f_t \geq n/3 \mid E'] + \mathbb{P}[E'^{c}] \leq e^{-c(\varepsilon)\lambda^{c_0}} + e^{-c'\lambda} \leq e^{-c''(\varepsilon)\lambda^{c_0}} \tag{4.13}$$

for appropriate constants and sufficiently large $\lambda$.

Note that in this result, the effective amount of resource held by honest players does not depend on $\Delta$. This is in contrast to PoW-based protocols [68] and others based on longest-chain consensus [30]. The security of the protocol will still depend on computation time, and arguably the spatial resolution of the protocol is somewhat analogous to the message delay and will degrade security, but propagation delays in themselves do not impact security (and are in fact essential for security of position verification).

Theorem 4. Algorithm 1 satisfies liveness, with spam resistance (Property 3) in the Random Oracle model. Assume the registration time $\tau_{\mathrm{register}}$ is chosen so that an honest party can complete the DLOG puzzle with security parameter $\kappa$.

Proof.
Any transaction submitted during SteadyState or ViewChange is guaranteed to be processed by the liveness guarantee of the PBFT protocol used by Solida. It remains to check liveness of registration (Algorithm 3). This is satisfied trivially in the vanilla version, albeit adversarial nodes may send multiple registration messages without possessing quantum computers at the corresponding locations. This will lead to overhead for the committee when attempting to verify these positions. We next consider the spam-resistant version. We have the following:

Completeness: Since $H(\mathrm{pk}|\mathrm{pos}|r)$ is a $\mathrm{poly}(\lambda)$-bit integer, the complexity of solving the discrete logarithm using Shor’s algorithm is $\mathrm{poly}(\lambda)$ [65]. By Assumption 7, any honest party in possession of a quantum computer may publish a registration message. The adversary cannot prevent any honest party from submitting a registration message, and it will be processed by every other honest node.

Soundness: By the hardness assumption of the discrete logarithm problem, there is no classical algorithm for solving it in time $\mathrm{poly}(\lambda)$. Thus an adversary without a quantum computer cannot costlessly publish valid registration messages.

The size of the preliminary candidate set $\mathcal{E}$.keys, denoted by $K$, is also finite due to Assumption 7 and the limited time $\tau_{\mathrm{register}}$, and the runtime of each reconfiguration is $O(K)$. Every other stage in the protocol terminates in finite time, and every message arrives with delay at most $\Delta$.

Combining these results, we have the following

Corollary 1. Assume
i) Sub-exponential quantum hardness of LWE.
ii) The adversary can pre-share at most $O(\lambda^k)$ Bell pairs for some known $k$.
iii) $$f_1 < (1/3 - \varepsilon)n. \tag{4.14}$$
iv) $$\rho < 1/3 - \varepsilon. \tag{4.15}$$
v) $$n > \lambda^{c} \tag{4.16}$$ for some $0 < c < 1$.
Then, for any $T = \mathrm{poly}(\lambda)$, Algorithm 1 satisfies consistency and liveness (Property 1), and guarantees Sybil resistance as defined in Property 2. Additionally, if we assume
vi) The Random Oracle assumption.
vii) $\lambda > \log(R_A(\lambda)/R_H(\lambda))$,
then Algorithm 1 also satisfies spam-resistance (Property 3).

Proof. By assumptions i and ii, we can construct secure CVPV with security parameter $\lambda$. Liveness of the spam-resistant version is guaranteed by picking

$$\tau_{\mathrm{register}} = 1/R_H(\lambda), \tag{4.17}$$

so that honest nodes can register their positions. This implies the adversary can make at most $R_A(\lambda)/R_H(\lambda)$ registrations in this time period. Hence $K = R_A(\lambda)/R_H(\lambda)$ and Assumption vii guarantees $\lambda > \log(K)$. Note that

$$\lambda > \log(R_A(\lambda)/R_H(\lambda)) \tag{4.18}$$

can be satisfied for sufficiently large $\lambda$ since the problem is efficiently solvable using a quantum computer and hence $R_A, R_H$ are polynomials. Consistency of SteadyState and ViewChange follows from the safety of the committee at all times, which is guaranteed by Theorem 3. All steps in the registration process are publicly verifiable conditioned on the initial committee $C_1$, and thus consistency of the registration process is also assured. Liveness follows from Theorem 4.

We reiterate that the bounded pre-shared entanglement assumption can be replaced by any polynomial entanglement, at the price of moving to the QROM. Note that because of the mild (logarithmic) dependence on $R_A, R_H$, it is sufficient to use very loose bounds on these functions that need not be highly sensitive to implementation details.

4.1 Notable properties

Having shown that the protocol satisfies safety and liveness, we now analyze various aspects and highlight advantages relative to existing classical protocols.

Security. In hybrid protocols based on PoW like Solida, the time between reconfigurations is set by the difficulty of the PoW puzzle.
This difficulty parameter and the security of the protocol are inextricably linked to the maximal message delay $\Delta$ (see e.g. [30]). This is due to the stochastic nature of the PoW puzzle. Since our reconfiguration mechanism is completely different, there is no coupling between the reconfiguration frequency and the properties of the network or security. At the limit of the frequency going to zero, the protocol approaches a fully permissioned setting with a fixed committee. As it is increased, new participants will be able to participate with less delay, albeit at the cost of increased resource requirements. This frequency is also independent of the frequency of the PBFT protocol run by the committee at any given time. Because of this, the Random Oracle assumption is needed only as a spam mitigation measure, and not for security of the position verification-based Sybil resistance mechanism.

Energy efficiency. The only steps in our algorithm requiring a quantum computer are the prover's CVPV step in Algorithm 2 and the discrete-logarithm step in Algorithm 3. Each honest party needs to operate their computer only once per registration and once in order to run CVPV as the prover and join the committee. This is in contrast to Proof-of-Work protocols that effectively require constant mining, and in particular the Bitcoin protocol [55].

We are not aware of secure hybrid protocols not based on Proof-of-Work, and in particular secure in the Standard Model or Random Oracle Model. While Solana [72] is an energy-efficient hybrid protocol that combines Proof-of-Stake with Proof-of-History based on hashchains, the protocol is not fully known and does not come with security guarantees. Proof-of-History is meant to serve as a verifiable record of elapsed time, related to the formal notion of Verifiable Delay Functions [15, 12] (and such hashchains are in fact referred to as “pseudo-VDFs” in [15]).
There is some evidence that there are issues with Proof-of-History as a Sybil resistance mechanism [67], which could be related to the outages Solana has experienced over the years. VDFs are generally difficult to construct since they require an exponential gap between the time required for evaluation and verification, and parallelization of the former is hard to rule out [54, 10]. In fact, it was recently shown that VDFs are not secure in the ROM, and hence must require more exotic assumptions [41].

Permissionlessness. We note that the process of building a quantum computer and registering its position is fully permissionless, in the sense that this can be done independently of any other participant and the committee in particular. As long as the committee is safe, committee members also have no control over which position gets selected as the next committee member. As discussed earlier, this circumvents the wealth concentration issues faced by protocols based on Proof-of-Stake.

The protocol we present also naturally handles participant inactivity. A participant can run CVPV only when their quantum computer at the sampled location is online. If this is not the case, the protocol proceeds to sampling a different location.

5 Resource requirements

While our protocol is infeasible to implement on today’s hardware and our analysis is asymptotic, one can get a sense of the scale of runtimes and achievable spatial resolution from known resource estimates for related problems.

5.1 Discrete Logarithm

Resource estimates from several years ago indicate that computing the discrete logarithm in our setting (i.e., the quadratic residues subgroup of $\mathbb{Z}_p^*$ for a safe prime $p$) with 2048 bits requires 7 hours on a noisy quantum computer with 26 million physical qubits [38, Table 5]. We note that the security parameters required by a protocol like ours will most likely be significantly smaller than 2048 bits.
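The registration puzzle of Algorithm 3 (spam-resistant version) and the local check of Property 3, Item i, over the same kind of group this section costs out, as an added Python example that is not code from the paper. Assumptions: a roughly 32-bit safe prime found by search, SHA-256 over length-prefixed fields standing in for the random oracle $H$, baby-step giant-step standing in for Shor's algorithm, and a canonical-range check on $x$; all function names are hypothetical.

```python
import hashlib
from math import isqrt


def is_prime(n):
    """Trial division; adequate for the ~32-bit parameters assumed here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, isqrt(n) + 1, 2))


def find_safe_prime(start):
    """Smallest safe prime p = 2q + 1 with q >= start (line 1 of Algorithm 3)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = find_safe_prime(2**31)  # assumed size; far too small for real use
G = 4  # 4 = 2^2 is a quadratic residue != 1, so it generates the order-Q subgroup


def hash_to_target(pk, pos, r):
    """H(pk|pos|r)^2 mod p. Length prefixes keep pk|pos|r unambiguous (assumption)."""
    h = hashlib.sha256()
    for field in (pk, pos.encode(), r):
        h.update(len(field).to_bytes(4, "big") + field)
    t = 1 + int.from_bytes(h.digest(), "big") % (P - 1)  # t in Z_p^*, never 0
    return pow(t, 2, P)


def solve_dlog(target):
    """Baby-step giant-step in the order-Q subgroup: classical stand-in for Shor."""
    m = isqrt(Q) + 1
    baby, e = {}, 1
    for j in range(m):
        baby.setdefault(e, j)
        e = e * G % P
    step = pow(G, Q - m, P)  # G has order Q, so this equals G^(-m)
    gamma = target
    for i in range(m):
        if gamma in baby:
            return (i * m + baby[gamma]) % Q
        gamma = gamma * step % P
    raise ValueError("target is not in the subgroup generated by G")


def make_registration(pk, pos, r):
    """Line 4: the message an honest registrant publishes."""
    return pk, pos, solve_dlog(hash_to_target(pk, pos, r))


def verify_registration(msg, r):
    """Line 8: local classical check costing one modular exponentiation."""
    pk, pos, x = msg
    if not (isinstance(x, int) and 0 <= x < Q):
        return False  # added assumption: only the canonical exponent is accepted
    return pow(G, x, P) == hash_to_target(pk, pos, r)


def update_eligible(messages, r):
    """Lines 7-11: build E, dropping invalid messages instead of relaying them."""
    eligible = {}
    for msg in messages:
        if verify_registration(msg, r):
            pk, pos, _ = msg
            eligible.setdefault(pos, []).append(pk)
    return eligible


if __name__ == "__main__":
    beacon = b"beacon-round-7"  # constructed sample value
    alice = make_registration(b"pk-alice", "cell-12", beacon)
    copied = (b"pk-mallory", "cell-12", alice[2])  # solution copied under another key
    print(update_eligible([alice, copied], beacon))
```

Because the target depends on pk, pos and the beacon string $r$, a solution copied under another key or replayed in a later registration period fails the check on line 8.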
Various optimizations have reduced the space-time overhead of factoring by a factor of 20 [37], and while some of these optimizations are tailored to factoring, others (such as T-state cultivation [39]) reduce the cost of generic resource states and would likely imply improved estimates for the discrete logarithm problem as well.

5.2 Proofs of Quantumness

Position verification based on classical communication requires the prover to run proofs of quantumness. There are constructions of highly efficient proofs of quantumness that are not quantum-secure and hence unsuited for our purposes [44]. However, quantum-secure, efficient constructions in the ROM have also been developed [20], as well as ones in the SM requiring only constant-depth quantum circuits (requiring unbounded fanout gates) [42]. The proposal of Ref. [20] is estimated to require 8 log 2 ( λ ) λ qubits to provide a proof of quantumness with security parameter $\lambda$. Indeed, these proposals were used as the basis for demonstrations on ion-trap quantum computers (albeit not in a classically-hard regime) [75, 49], showing that proofs of quantumness are within reach of existing noisy devices. Concrete estimates in these works [49] claim that one needs $\approx 10^3$ qubits and $\approx 10^5$ depth circuits to construct proofs of quantumness secure against classical adversaries.

5.3 Position verification

Quantum position verification has recently been experimentally demonstrated in one spatial dimension, achieving a resolution of about 50 m [45]. However, the demonstration did not use classically verifiable position verification, and instead required quantum communication (as in the original formulation [21]) which is difficult to perform over long distances and large bandwidths. It does serve as an indication that at least in principle, reasonable spatial resolutions can be achieved with this method.
CVPV will have greatly reduced resource requirements from the verifier. In one spatial dimension, the verifier requires two classical sources and receivers, suitably positioned, that can communicate using optical wireless communication with the prover. Existing classical telecommunications hardware could serve this purpose. The more stringent requirements are from the prover required to run a proof of quantumness. This is suitable for our protocol since we envisage this as the scarce economic resource conferring Sybil resistance.

6 Discussion

We have shown that the use of quantum resources in solving distributed consensus has the potential to substantially improve upon some of the shortcomings of classical protocols, in particular those related to energy consumption, censorship, and the assumptions needed for guaranteeing security. While perhaps not immediately implementable, our construction suggests that the uniquely fragile nature of quantum information, which has no classical analog, can be useful in building the economic scarcity that is indispensable for constructing Sybil-resistant decentralized protocols.

Our protocol serves as a proof of principle that incorporating tools and capabilities from quantum information theory with modern classical approaches to the consensus problem can lead to novel protocols with improved performance. Our work leads to several open questions and possible avenues for improvements:

• Can quantum Sybil resistance (whether based on position verification or otherwise) enable secure, fully permissionless consensus in the standard model? The best classical attempts require fine-grained complexity results [6]. The non-transferability of position verification might make such a construction difficult to base on position verification, and indeed this is the reason for including a committee in our protocol, and the corresponding on-chain resource of committee membership.
• Can spam mitigation be achieved in the standard model? This would require producing a puzzle that depends on inputs provided by each participant wishing to register (to prevent solutions from being copied), so might be difficult to achieve without additional interaction.
• Can the position of a participant remain hidden until being elected to the committee? This is reminiscent of recent results on zero-knowledge position verification [40], in which a prover can prove some zero-knowledge statement about their position without revealing it. The issue with using such results is that there appears to be a fundamental assumption of an honest verifier in this setting. The verifier effectively runs position verification with all positions at all times, since if they only ran it with a single prover position the prover would inevitably fail and this position could be ruled out. Since we must accommodate Byzantine committee members in our protocol, there is no clear way to work around this.
• Existing CVPV results apply to a single spatial dimension. It would be interesting to extend these to more realistic 2 or 3-dimensional settings, and account for finite computation time.
• One of the main concerns with our protocol is the time required to run LWE-based proofs of quantumness, given the time-sensitivity of position verification. It would be of great interest to understand better whether quantum-secure Proof-of-Quantumness could be made more efficient. It is known that other proofs of quantumness can be made very efficient and small instances can even be implemented on quantum computers today [44, 50]. In this context, it is worth noting that position verification is also possible using quantum communication, which significantly reduces the quantum computational overhead of the prover [69, 45]. This is somewhat at odds with the goal of using the quantum computers serving as provers as a costly resource to ensure Sybil resistance, since it instead shifts the burden onto the verifiers, but suggests there could be ways to make such schemes more efficient if needed.
• We make a randomness beacon assumption, yet quantum devices can also produce certified randomness (or min-entropy) [18, 3, 63]. It would be of great interest if such protocols could be adapted to generate randomness in a decentralized setting, which may be useful for other consensus protocols as well. Very recently, it was shown that quantum computers can be used to generate transferable certified min-entropy using only classical communication (though verification requires a quantum computer) [24]. If this result could be strengthened from min-entropy to uniform randomness it could potentially be used to remove the random beacon assumption (at least among participants with quantum computers).

Given the extensive developments in classical consensus in recent years, and the natural suitability of various quantum capabilities and primitives to the requirements of consensus, we believe there could be other fruitful applications of quantum tools to these problems, which will become increasingly relevant as more powerful quantum computers come online. Thus, while on the one hand posing a security risk to existing classical protocols, quantum computers may unlock new possibilities in this space.

Acknowledgements

The authors would like to thank Yuval Efron and Scott Aaronson for helpful discussions. S.J. was partially supported by an Amazon AI Fellowship. O.S. was supported by the Israel Science Foundation (grant No. 2527/24). O.S. was funded by the European Union (ERC-2022-COG, ACQUA, 101087742). Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Research Council Executive Agency. Neither the European Union nor the granting authority can be held responsible for them.

References

[1] Scott Aaronson. “Quantum copy-protection and quantum money”. In: 24th Annual IEEE Conference on Computational Complexity. IEEE Computer Soc., Los Alamitos, CA, 2009, pp. 229–242.
[2] Ittai Abraham et al. Solida: A Blockchain Protocol Based on Reconfigurable Byzantine Consensus. 2016. eprint: 1612.02916 (cs.CR).
[3] Ryan Amos et al. “One-shot signatures and applications to hybrid quantum/classical authentication”. In: Proceedings of the 52nd Annual ACM SIGACT Symposium on Theory of Computing. New York, NY, USA: ACM, 2020.
[4] Marcin Andrychowicz and Stefan Dziembowski. “Distributed cryptography based on the proofs of work”. In: Cryptology ePrint Archive (2014).
[5] Ryan Babbush et al. “Focus beyond quadratic speedups for error-corrected quantum advantage”. In: PRX quantum 2.1 (2021), p. 1.
[6] Marshall Ball et al. “Towards Permissionless Consensus in the Standard Model via Fine-Grained Complexity”. In: Cryptology ePrint Archive (2024).
[7] Shalev Ben-David and Or Sattath. “Quantum Tokens for Digital Signatures”. In: Quantum 7 (2023), p. 901. eprint: 1609.09047v8.
[8] Michael Ben-Or and Avinatan Hassidim. “Fast quantum byzantine agreement”. In: Proceedings of the thirty-seventh annual ACM symposium on Theory of computing. New York, NY, USA: ACM, 2005.
[9] Charles H Bennett and Gilles Brassard. “Quantum cryptography: Public key distribution and coin tossing”. In: Proceedings of IEEE International Conference on Computers, Systems and Signal Processing. 1984, pp. 175–179.
[10] Alex Biryukov et al. “Cryptanalysis of algebraic verifiable delay functions”. In: Annual International Cryptology Conference. 2024, pp. 457–490.
[11] Andreas Bluhm, Matthias Christandl, and Florian Speelman. A single-qubit position verification protocol that is secure against multi-qubit attacks. 2021. eprint: 2104.06301 (quant-ph).
[12] Dan Boneh, Benedikt Bünz, and Ben Fisch. “A survey of two verifiable delay functions using proof of exponentiation”. In: IACR Communications in Cryptology 1.1 (2024).
[13] Dan Boneh and Victor Shoup. “A graduate course in applied cryptography”. In: Draft 0.6 (2023). url: https://toc.cryptobook.us/book.pdf.
[14] Dan Boneh et al. “Random oracles in a quantum world”. In: International conference on the theory and application of cryptology and information security. 2011, pp. 41–69.
[15] Dan Boneh et al. “Verifiable delay functions”. In: Annual international cryptology conference. 2018, pp. 757–788.
[16] Joseph Bonneau and Valeria Nikolaenko. Public randomness and randomness beacons. https://a16zcrypto.com/posts/article/public-randomness-and-randomness-beacons/. 2022.
[17] Mic Bowman et al. “On elapsed time consensus protocols”. In: Lecture Notes in Computer Science. Lecture notes in computer science. Cham: Springer International Publishing, 2021, pp. 559–583.
[18] Zvika Brakerski et al. “A cryptographic test of quantumness and certifiable randomness from a single quantum device”. In: J. ACM 68.5 (2021), pp. 1–47.
[19] Zvika Brakerski et al. “Simple tests of quantumness also certify qubits”. In: Lecture Notes in Computer Science. Lecture notes in computer science. Cham: Springer Nature Switzerland, 2023, pp. 162–191.
[20] Zvika Brakerski et al. Simpler Proofs of Quantumness. 2020. eprint: 2005.04826 (quant-ph).
[21] Harry Buhrman et al. “Position-based quantum cryptography: Impossibility and constructions”. In: SIAM J. Comput. 43.1 (2014), pp. 150–178.
[22] Vitalik Buterin et al. “A next-generation smart contract and decentralized application platform”. In: white paper 3.37 (2014), pp. 2–1.
[23] Vitalik Buterin. What in the Ethereum application ecosystem excites me. https://vitalik.eth.limo/general/2022/12/05/excited.html. 2022.
[24] Ofer Casper, Barak Nehoran, and Or Sattath. “Publicly Certifiable Min-Entropy Without Quantum Communication”. In: Cryptology ePrint Archive (2026).
[25] Miguel Castro and Barbara Liskov. “Practical Byzantine fault tolerance”. In: Proceedings of the third symposium on Operating systems design and implementation. OSDI ’99. USA: USENIX Association, 1999, pp. 173–186.
[26] Nishanth Chandran et al. “Position Based Cryptography”. In: Advances in Cryptology - CRYPTO 2009. Lecture notes in computer science. Berlin, Heidelberg: Springer Berlin Heidelberg, 2009, pp. 391–407.
[27] B Cohen and Krzysztof Pietrzak. The Chia Network Blockchain. 2019.
[28] Andrea Coladangelo and Or Sattath. “A Quantum Money Solution to the Blockchain Scalability Problem”. In: Quantum 4 (2020), p. 297. doi: 10.22331/Q-2020-07-16-297. url: https://doi.org/10.22331/q-2020-07-16-297.
[29] Phil Daian, Rafael Pass, and Elaine Shi. “Snow white: Robustly reconfigurable consensus and applications to provably secure proof of stake”. In: Financial Cryptography and Data Security. Lecture Notes in Computer Science. Cham: Springer International Publishing, 2019, pp. 23–41.
[30] Amir Dembo et al. “Everything is a Race and Nakamoto Always Wins”. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. New York, NY, USA: ACM, 2020.
[31] Alan Demers et al. “Epidemic algorithms for replicated database maintenance”. In: Proceedings of the sixth annual ACM Symposium on Principles of distributed computing - PODC ’87. New York, New York, USA: ACM Press, 1987.
[32] Danny Dolev and H Raymond Strong. “Authenticated algorithms for Byzantine agreement”. In: SIAM Journal on Computing 12.4 (1983), pp. 656–666.
[33] Stefan Dziembowski et al. “Proofs of space”. In: Annual Cryptology Conference. 2015, pp. 585–605.
[34] Giulia Fanti et al. “Compounding of wealth in proof-of-stake cryptocurrencies”. In: International conference on financial cryptography and data security. 2019, pp. 42–61.
[35] Dmytro Gavinsky. Quantum money with classical verification. 2011. eprint: 1109.0372 (quant-ph).
[36] Dmytro Gavinsky et al. Anonymous quantum tokens with classical verification. 2025. eprint: 2510.06212 (quant-ph).
[37] Craig Gidney. How to factor 2048 bit RSA integers with less than a million noisy qubits. 2025. eprint: 2505.15917 (quant-ph).
[38] Craig Gidney and Martin Ekerå. “How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits”. In: Quantum 5 (2021), p. 433. eprint: 1905.09749v3.
[39] Craig Gidney, Noah Shutty, and Cody Jones. Magic state cultivation: growing T states as cheap as CNOT gates. 2024. eprint: 2409.17595 (quant-ph).
[40] Uma Girish et al. Private proofs of when and where. 2026. eprint: 2601.18961 (quant-ph).
[41] Ziyi Guan, Artur Riazanov, and Weiqiang Yuan. “Breaking verifiable delay functions in the random oracle model”. In: Advances in cryptology—CRYPTO 2025. Part VII. Vol. 16006. Lecture Notes in Comput. Sci. Springer, 2025, pp. 161–191. isbn: 978-3-032-01906-6; 978-3-032-01907-3.
[42] Shuichi Hirahara and François Le Gall. Test of quantumness with small-depth quantum circuits. 2021. eprint: 2105.05500 (quant-ph).
[43] Márk Jelasity et al. “Gossip-based peer sampling”. In: ACM Trans. Comput. Syst. 25.3 (2007), p. 8.
[44] Gregory D Kahanamoku-Meyer et al. “Classically verifiable quantum advantage from a computational Bell test”. In: Nat. Phys. 18.8 (2022), pp. 918–924.
[45] Gautam A Kavuri et al. Quantum position verification with remote untrusted devices. 2026. eprint: 2601.16892 (quant-ph).
[46] Aggelos Kiayias et al. “Ouroboros: A Provably Secure Proof-of-Stake Blockchain Protocol”. In: Annual International Cryptology Conference (CRYPTO). 2017, pp. 357–388.
[47] Eleftherios Kokoris-Kogias et al. Enhancing Bitcoin security and performance with strong consistency via collective signing. 2016. eprint: 1602.06997 (cs.CR).
[48] Nikolai Lauk et al. “Perspectives on quantum transduction”. In: Quantum Sci. Technol. 5.2 (2020), p. 020501.
[49] Laura Lewis et al. “Experimental implementation of an efficient test of quantumness”. In: Phys. Rev. A 109 (1 Jan. 2024), p. 012610. doi: 10.1103/PhysRevA.109.012610. url: https://link.aps.org/doi/10.1103/PhysRevA.109.012610.
[50] Laura Lewis et al. “Experimental implementation of an efficient test of quantumness”. In: Phys. Rev. A (Coll. Park.) 109.1 (2024), p. 012610.
[51] Andrew Lewis-Pye and Tim Roughgarden. Permissionless Consensus. 2023. eprint: 2304.14701 (cs.DC).
[52] Jiahui Liu, Qipeng Liu, and Luowen Qian. Beating classical impossibility of position verification. 2022.
[53] Urmila Mahadev. “Classical verification of quantum computations”. In: SIAM J. Comput. 51.4 (2022), pp. 1172–1229.
[54] Mohammad Mahmoody, Caleb Smith, and David J Wu. “Can Verifiable Delay Functions be Based on Random Oracles?” In: Cryptology ePrint Archive (2019).
[55] Satoshi Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System. 2008.
[56] Rafael Pass and Elaine Shi. “Hybrid Consensus: Efficient Consensus in the Permissionless Model”. In: Cryptology ePrint Archive (2016).
[57] Oded Regev. “An efficient quantum factoring algorithm”. In: J. ACM 72.1 (2025), pp. 1–13.
[58] Oded Regev. “The learning with errors problem (invited survey)”.
In: 2010 IEEE 25th A nnual Confer enc e on Computational Complexity . IEEE, 2010. [59] Tim Roughgarden. “ The computer in the sky (k eynote)”. en. In: Pr o c e e dings of the 56th A nnual ACM Symp osium on The ory of Computing . New Y ork, NY, USA: A CM, 2024, pp. 1– 1. [60] Or Sattath. Unclone able Crypto gr aphy . 2022. eprint: 2210.14265 (quant-ph). 21 [61] Johannes Sedlmeir et al. “ The energy consumption of block chain tec hnology: Beyond m yth”. In: Business and Information Systems Engine ering 62 (2020), pp. 599–608. [62] Elaine Shi. “ F oundations of distributed consensus and blo ck chains”. In: Bo ok manuscript (2020). [63] Omri Shm ueli and Mark Zhandry. “ On One-Shot Signatures, Quan tum vs Classical Binding, and Obfuscating Perm utations”. In: Cryptolo gy ePrint Ar chive (2025). [64] Omri Shmueli and Mark Zhandry. “ Unclonable Cryptograph y in Linear Quantum Memory”. In: Cryptolo gy ePrint Ar chive (2025). [65] P W Shor. “ Algorithms for quantum computation: discrete logarithms and factoring”. In: Pr o c e e dings 35th Annual Symp osium on F oundations of Computer Scienc e . IEEE Comput. So c. Press, 1994. [66] Victor Shoup. Pr o of of history: What is it go o d for? 2022. [67] Jakub Sliwinski et al. “ Halting the Solana blo ck chain with epsilon stak e”. en. In: Pr o c e e dings of the 25th International Confer enc e on Distribute d Computing and Networking . New Y ork, NY, USA: ACM, 2024, pp. 45–54. [68] Y onatan Somp olinsky and A viv Zohar. “ Secure high-rate transaction pro cessing in bitcoin”. en. In: Financial Crypto gr aphy and Data Se curity . Lecture Notes in Computer Science. Berlin, Heidelb erg: Springer Berlin Heidelb erg, 2015, pp. 507–527. [69] Dominique Unruh. “ Quantum p osition v erifi cation in the random oracle mo del”. en. In: A d- vanc es in Cryptolo gy – CR YPTO 2014 . Lecture notes in computer science. Berlin, Heidelberg: Springer Berlin Heidelb erg, 2014, pp. 1–18. [70] Thomas Vidic k. 
“ V erifying quantum computations at scale: A cryptographic leash on quan- tum devices”. en. In: Bul l. New Ser. Am. Math. So c. 57.1 (2019), pp. 39–76. [71] Stephen Wiesner. “ Conjugate co ding”. In: SIGACT News 15.1 (1983), pp. 78–88. [72] Anatoly Y ak ov enko. Solana: A new ar chite ctur e for a high p erformanc e blo ckchain v0.8.13 . T ech. rep. Solana Labs, 2018. [73] Mark Zhandry. “ Quantum lightning nev er strikes the same state twice”. en. In: A dvanc es in Cryptolo gy – EUROCR YPT 2019 . Lecture notes in computer science. Cham: Springer In ternational Publishing, 2019, pp. 408–438. [74] Rong Zhang and W ai Kin Chan. “ Ev aluation of energy consumption in blo c k-chains with pro of of work and pro of of stak e”. In: Journal of physics: Confer enc e series . V ol. 1584. 2020, p. 012023. [75] Daiw ei Zh u e t al. Inter active pr oto c ols for classic al ly-verifiable quantum advantage . 2021. eprin t: 2112.05156 (quan t-ph). 22 A Solida Consensus Algorithms F or completeness, we present the Steady State and View Change algorithms lifted almost v erbatim from Solida[ 2 ]. While Solida has to handle P oW solution even ts that update the committee leader, w e do not, hence our proto col is ev en simpler and do es not require keeping track of the lifespan n umber of a committee. W e denote by c the committee index (i.e. the num b er of reconfigurations p erformed), s the curren t time slot (ranging from 1 to T ′ ), and b y v the view n umber. W e use these to index the committee at ev ery step of the proto col, using notation C ( c, v , s ) . Since our committee is ordered, the leader in an y reconfiguration step and view, denoted by L ( c, v ) , defined to by the v mod n -th mem b er of C c . W e denote by ⟨ x ⟩ i the message x signed by the i -th committee mem b er using their priv ate k ey (with the corresp onding public key kno wn to all participants). ⟨ x ⟩ i corresp ondingly indicates a signature by the current round leader L . 
When the signer is clear from context, we simply use $\langle x \rangle$. This follows the standard structure of PBFT protocols, in which two rounds of voting are used to construct a quorum certificate, and unresponsive leaders are replaced as needed. Here $f$ is the number of Byzantine members, and the protocol is secure as long as $f < n/3$.

4.2 Steady State

• (Propose) The leader $L$ picks a batch of valid transactions $\{tx\}$ and then broadcasts $\{tx\}$ and $\langle \text{propose}, c, v, s, h \rangle_L$, where $h$ is the hash digest of $\{tx\}$. After receiving $\{tx\}$ and $\langle \text{propose}, c, v, s, h \rangle_L$, a member $M \in C(c, v, s)$ checks:
  – $L = L(c, v)$ and $L$ has not sent a different proposal,
  – $s$ is a fresh slot,
  – $\{tx\}$ is a set of valid transactions whose digest is $h$.
• (Prepare) If all the above checks pass, $M$ broadcasts $\langle \text{prepare}, c, v, s, h \rangle$. After receiving $2f + 1$ matching prepare messages, a member $M \in C(c, v, s)$ accepts the proposal (represented by its digest $h$), and concatenates the $2f + 1$ matching prepare messages into an accept certificate $A$.
• (Commit) Upon accepting $h$, $M$ broadcasts $\langle \text{commit}, c, v, s, h \rangle$. After receiving $2f + 1$ matching commit messages, a member $M \in C(c, v, s)$ commits $\{tx\}$ into slot $s$, and concatenates the $2f + 1$ matching commit messages into a commit certificate $Q$.

There is an additional notification step that propagates the new block to nodes outside the committee:

• (Notify) Upon committing $h$, $M$ sends $\langle\langle \text{notify}, c, v, s, h \rangle, Q \rangle$ to all other members to notify them about the decision. $M$ also starts propagating this decision on the peer-to-peer network to miners, users and merchants, etc. $M$ then moves to slot $s + 1$. Upon receiving a notify message like the above, a member commits $h$, sends and propagates its own notify message if it has not already done so, and then moves to slot $s + 1$.
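The steady-state member logic above, as an added example (not code from the paper or from Solida). It assumes signatures are verified before these handlers run, uses SHA-256 as the digest, treats a slot as fresh when this member has not committed it, leaves transaction validity out, and models a certificate as the set of signers; the `Member` class and its method names are hypothetical.

```python
import hashlib
from collections import defaultdict
def digest(txs):
    """Hash digest h of a batch {tx}; SHA-256 is an assumption of this example."""
    return hashlib.sha256(b"\x00".join(sorted(txs))).hexdigest()

class Member:
    """Committee member M in the steady state (signatures assumed verified upstream)."""
    def __init__(self, name, committee, f):
        self.name, self.committee, self.f = name, list(committee), f
        self.proposed = {}                      # (c, v, s) -> digest first seen from L
        self.votes = defaultdict(set)           # (kind, c, v, s, h) -> distinct signers
        self.accepted, self.committed = {}, {}  # slot -> (h, certificate)

    def leader(self, c, v):
        return self.committee[v % len(self.committee)]   # L(c, v)

    def on_propose(self, sender, c, v, s, h, txs):
        """Run the Propose checks; return the prepare message to broadcast, or None."""
        if sender != self.leader(c, v):
            return None                          # sender is not L(c, v)
        if self.proposed.setdefault((c, v, s), h) != h:
            return None                          # L sent a different proposal
        if s in self.committed:
            return None                          # slot is not fresh (simplified)
        if digest(txs) != h:
            return None                          # batch does not hash to h
        return ("prepare", c, v, s, h)

    def on_vote(self, signer, kind, c, v, s, h):
        """Count a prepare/commit vote; at 2f+1 distinct signers return the next message."""
        if signer not in self.committee or kind not in ("prepare", "commit"):
            return None
        key = (kind, c, v, s, h)
        self.votes[key].add(signer)              # a set, so repeats do not count twice
        if len(self.votes[key]) < 2 * self.f + 1:
            return None
        cert = frozenset(self.votes[key])
        if kind == "prepare" and s not in self.accepted:
            self.accepted[s] = (h, cert)         # accept certificate A
            return ("commit", c, v, s, h)
        if kind == "commit" and s not in self.committed:
            self.committed[s] = (h, cert)        # commit certificate Q
            return ("notify", c, v, s, h)
        return None

if __name__ == "__main__":                       # constructed run: n = 4, f = 1
    m, h = Member("B", "ABCD", f=1), digest([b"tx1"])
    print(m.on_propose("A", 0, 0, 1, h, [b"tx1"]))
```

Counting distinct signers rather than messages is what keeps a single member from reaching the $2f + 1$ threshold alone by resending its vote.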
4.3 View Change

This protocol handles an unresponsive leader by replacing them:

• (View-change) Whenever a member $M$ moves to a new slot $s$ in a steady state, it starts a timer $T$. If $T$ reaches $4\Delta$ and $M$ still has not committed slot $s$, then $M$ abandons the current leader and broadcasts $\langle \text{view-change}, c, v \rangle$. Upon receiving $2f + 1$ matching view-change messages for $(c, v)$, if a member $M$ is not in a view higher than $(c, v)$, it forwards the $2f + 1$ view-change messages to the new leader $L' = L(c, v + 1)$. After that, if $M$ does not receive a new-view message from $L'$ within $2\Delta$, then $M$ abandons $L'$ and broadcasts $\langle \text{view-change}, c, v + 1 \rangle$.
• (New-view) Upon receiving $2f + 1$ matching view-change messages for $(c, v)$, the new leader $L' = L(c, v + 1)$ concatenates them into a view-change certificate $V$, broadcasts $\langle \text{new-view}, c, v + 1, V \rangle_L$ and enters view $(c, v + 1)$. Upon receiving a $\langle \text{new-view}, c, v, V \rangle$ message, if a member $M$ is not in a view higher than $(c, v)$, it enters view $(c, v)$ and starts a timer $T$. If $T$ reaches $8\Delta$ and still no new slot is committed, then $M$ abandons $L'$ and broadcasts $\langle \text{view-change}, c, v \rangle$.
• (Status) Upon entering a new view $(c, v)$, $M$ sends
$$\langle\langle \text{status}, c, v, s - 1, h, s, h' \rangle, Q, A \rangle \tag{A.1}$$
to the new leader $L' = L(c, v)$. In the above message, $h$ is the value committed in $s - 1$ and $Q$ is the corresponding commit certificate; $h'$ is the value accepted by $M$ in slot $s$ and $A$ is the corresponding accept certificate ($h' = A = \bot$ if $M$ has not accepted any value for slot $s$). We call the inner part of the message (i.e., excluding $Q$, $A$) its header. Upon receiving $2f + 1$ status messages, $L'$ concatenates the $2f + 1$ status headers to form a status certificate $S$. $L'$ then picks a status message that reports the highest last-committed slot $s^*$; if there is a tie, $L'$ picks the one that reports the highest ranked accepted value in slot $s^* + 1$. Let the two certificates in this message be $Q^*$ and $A^*$ ($A^*$ might be $\bot$).
• (Re-propose) The new leader $L'$ broadcasts
$$\langle \text{repropose}, c, v, s^* + 1, h', S, Q^*, A^* \rangle_{L'}. \tag{A.2}$$
In the above message, $s^*$ should be the highest last-committed slot reported in $S$. $h'$ should match the value in $A$ if $A^* \neq \bot$; if $A^* = \bot$ then $L'$ can choose $h'$ freely. The repropose message is invalid if any of these conditions is violated: $s^*$ is not the highest committed slot, $Q$ is not for slot $s^*$, $A$ is not for the highest ranked accepted value for $s^* + 1$, or $h'$ is not the value certified by $A$. Upon receiving a valid repropose message, a member $M$ commits slot $s^*$ if it has not already; $M$ then executes the prepare/commit/notify steps as in the steady state for slot $s^* + 1$ and marks all slots $> s^* + 1$ fresh for view $(c, v)$.

Security of these protocols is proved in [2].
