Quorum and Byzantine-tolerant confidence: counting independent witnesses
A system earns confidence in a claim by counting independent corroboration, not by trusting any one source's certainty. A quorum is a minimum subset of nodes sized so that any two quorums overlap, which guarantees that any two decisions share at least one honest witness; Byzantine fault tolerance raises the requirement to more than two-thirds honest nodes so that lying or faulty nodes can't forge agreement. The hard part is independence: N copies of one source are not N witnesses, because correlated error and Sybil identities let one actor vote many times. HiveMind layers trust on its shared memory through corroboration (the "two or three witnesses" rule), so confidence is earned by distinct sources agreeing, never declared by an agent about itself.
The question is never “how sure,” it’s “how many, how separate”
A single source telling you it is certain conveys nothing about whether the claim is true — the confidence and the content come from the same machinery. So a trustworthy system never asks one source how sure it is. It asks a different question: how many independent sources corroborate this, and could they have disagreed? Everything below is machinery for answering that question without being fooled.
Quorums and quorum intersection
A quorum is a minimum subset of nodes whose agreement counts as a decision. The point of requiring a subset rather than unanimity is liveness: you can decide while some nodes are slow or offline. The point of requiring a large enough subset is safety, and the safety property is quorum intersection — any two quorums must share at least one node in common.
Intersection is what prevents split-brain. If a “commit” quorum and a later “read” quorum are guaranteed to overlap, the overlapping node carries the committed value forward, so no two decisions can contradict. For simple crash faults with n nodes, majority quorums of ⌊n/2⌋ + 1 always intersect in at least one node. That one shared node is the entire safety argument.
Byzantine fault tolerance: when nodes lie
Crash-fault quorums assume an absent node is merely silent. The Byzantine generals problem asks the harder version: what if a node is actively malicious or arbitrarily broken — present, but telling different observers different things to manufacture false agreement?
To survive up to f such faulty nodes, intersection alone isn’t enough; any two quorums must overlap in more than f nodes, so the overlap still contains at least one honest node. Working that out gives quorums of size more than (n + f) / 2, which can only exist when n > 3f. The headline result: Byzantine agreement needs strictly more than two-thirds honest participants. Cross below that line and the liars control enough of every quorum to show one story to half the network and the opposite story to the other half — and both halves think they have a valid quorum.
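The bounds above can be checked by brute force. This is an added example, not code from the original page; the function names are illustrative, and it enumerates every pair of quorums for small n to confirm the overlap exceeds f, and that it stops doing so at n = 3f.

```python
from itertools import combinations

def crash_quorum(n):
    """Majority quorum for crash faults: floor(n/2) + 1."""
    return n // 2 + 1

def bft_quorum(n, f):
    """Smallest q with q > (n + f) / 2, or None when no such quorum can form.

    The quorum must still be reachable if all f faulty nodes stay silent,
    so q <= n - f. Both bounds hold together only when n > 3f.
    """
    q = (n + f) // 2 + 1
    return q if q <= n - f else None

def max_faults(n):
    """Largest f that satisfies n > 3f."""
    return (n - 1) // 3

def min_overlap(n, q):
    """Brute force: the smallest intersection between any two size-q quorums."""
    quorums = [set(c) for c in combinations(range(n), q)]
    return min(len(a & b) for a in quorums for b in quorums)

def overlap_has_honest_node(n, q, f):
    """True if every pair of quorums shares more than f nodes."""
    return min_overlap(n, q) > f

if __name__ == "__main__":
    for n in (4, 6, 7):
        f = max_faults(n)
        q = bft_quorum(n, f)
        print(f"n={n} f={f} quorum={q} safe={overlap_has_honest_node(n, q, f)}")
    # n = 3f: the largest reachable quorum is n - f = 4, and two such quorums
    # can overlap in exactly f = 2 nodes, all of which may be the liars.
    print("n=6 f=2 quorum=4 safe =", overlap_has_honest_node(6, 4, 2))
```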
Consensus versus corroboration
It’s tempting to reach for full consensus here, but consensus and corroboration answer different questions.
- Consensus produces one agreed value that every honest node commits to, total-ordered. It answers “what is the canonical state?”
- Corroboration accumulates independent evidence for a belief. It answers “how much should I trust this claim?”
Consensus is the right tool for the CRDT convergence layer, which guarantees every replica agrees on what was written. But agreeing on what was written says nothing about whether it’s true. Trust is a gradient, not a commit: it should rise as distinct witnesses corroborate and fall when they contradict. That is a corroboration problem, and it sits as a separate layer on top of convergence.
Why N copies is not N witnesses
The failure mode that breaks naive vote-counting is correlated error. Counting attestations only works if the attestors fail independently — if their errors aren’t correlated, two of them agreeing is unlikely to be coincidence. The moment one source’s output becomes another’s input, their agreement stops being evidence and becomes an echo: one claim counted twice.
The adversarial version is a Sybil attack — one actor spins up many identities so a single source casts many “independent” votes. Defeating it requires Sybil resistance: a cost or a cryptographic identity that makes each distinct witness provably distinct. Without it, an attacker simply manufactures a quorum. This is the same principle as the simple case — an agent re-reading its own note is the degenerate one-node Sybil — and it’s why source independence is the genuinely hard part of confidence. Counting is trivial; certifying that the things you counted are separate is the whole problem. Provenance has to be tracked so an echo is never mistaken for a second source; see the Merkle DAG provenance deep-dive for how that lineage is made tamper-evident.
Modeling confidence as independent attestation
Put together, the design rule is: model confidence as a function of independent, distinct attestations — never of self-assertion. A claim’s standing should climb when separate sources that could have disagreed arrive at it on their own, and when checkable outcomes bear it out; it should ignore a source repeating itself entirely.
This is exactly how HiveMind layers trust on its shared corpus. The corpus is append-mostly, fully replicated to every machine, and synced peer-to-peer, so the raw record converges on its own. On top of that, confidence is built by corroboration — the “two or three witnesses” rule — and no agent certifies its own truth. Because every device signs its writes with its own key, two agreeing sources are provably separate machines, not one node wearing two masks. The count means something because independence is enforced, not assumed. Confidence, in the end, is earned by independent witnesses — never declared by the witness about itself.
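One way to count witnesses under this rule, as an added example that is not HiveMind's own code. The record shape, the `derived_from` lineage field and the supporters-minus-contradictors score are assumptions made for illustration, and each `signer` is assumed to be a per-device key whose signature was already verified.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attestation:             # hypothetical record shape, not HiveMind's schema
    att_id: str
    signer: str                # per-device key fingerprint, signature verified upstream
    claim: str
    agrees: bool               # True corroborates the claim, False contradicts it
    derived_from: tuple = ()   # ids of the attestations this one was produced from

def root_signers(att, by_id, seen=None):
    """Signers at the origin of att's provenance chain; an echo resolves to its source."""
    seen = set() if seen is None else seen
    if att.att_id in seen:                 # provenance cycle: contributes nothing new
        return set()
    seen.add(att.att_id)
    if not att.derived_from:               # first-hand observation
        return {att.signer}
    roots = set()
    for parent_id in att.derived_from:
        if parent_id in by_id:             # unresolvable lineage is never counted
            roots |= root_signers(by_id[parent_id], by_id, seen)
    return roots

def witnesses(attestations, claim):
    """Return (supporting, contradicting) sets of independent signers for a claim."""
    by_id = {a.att_id: a for a in attestations}
    support, contradict = set(), set()
    for a in attestations:
        if a.claim == claim:
            (support if a.agrees else contradict).update(root_signers(a, by_id))
    return support, contradict

def confidence(attestations, claim):
    """Assumed scoring rule: independent supporters minus independent contradictors."""
    support, contradict = witnesses(attestations, claim)
    return len(support) - len(contradict)

CLAIM = "backup job 17 completed"          # constructed sample data
LOG = [
    Attestation("a1", "dev-A", CLAIM, True),
    Attestation("a2", "dev-A", CLAIM, True),            # same device repeating itself
    Attestation("a3", "dev-B", CLAIM, True, ("a1",)),   # echo: built from a1
    Attestation("a4", "dev-C", CLAIM, True),            # independent observation
    Attestation("a5", "dev-D", CLAIM, False),           # independent contradiction
]

if __name__ == "__main__":
    print("naive agreeing votes:", sum(a.agrees for a in LOG))   # counts echoes too
    print("independent witnesses:", witnesses(LOG, CLAIM))
    print("confidence:", confidence(LOG, CLAIM))
```

Four records agree with the claim, but only dev-A and dev-C observed it first-hand, so the repeat and the echo add nothing to the count.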
Frequently asked
What's the difference between consensus and corroboration?
Consensus produces one agreed value that every honest node commits to — it answers 'what is the canonical state?' Corroboration accumulates independent evidence for a belief and answers 'how much should I trust this claim?' Consensus is binary and total-ordered; corroboration is a confidence gradient that can keep rising as new independent witnesses arrive and fall when they contradict. HiveMind needs the second: its CRDT layer already agrees on what was written, and corroboration decides what to trust.
Why does Byzantine fault tolerance require more than two-thirds honest nodes?
A BFT quorum must intersect any other quorum in at least one honest node despite up to f nodes lying. With n total nodes you need quorums of size more than (n+f)/2 to guarantee that two quorums overlap by more than f, and you need n > 3f for such a quorum to exist at all. So at most f < n/3 can be faulty — equivalently, strictly more than two-thirds must be honest. Below that, Byzantine nodes can present different stories to different observers and split agreement.
Why isn't one agent re-asserting a claim enough to raise confidence?
Because it adds no independent information. A source repeating itself, or an agent reading back what it just wrote, is one witness counted twice — the textbook Sybil pattern. Confidence should only move when genuinely distinct sources, which could have disagreed, land on the same thing. In HiveMind every device signs what it writes with its own key, so two agreeing sources are provably separate rather than one machine writing under two names.