“The Stellar Consensus Protocol: A Federated Model for Internet-Level Consensus” is a paper published in 2015 by David Mazières, a professor of computer science at Stanford University and chief scientist at the Stellar Development Foundation. The paper introduces Federated Byzantine Agreement (FBA) — a consensus model that allows open network participation without requiring a pre-agreed validator set, achieving safety through overlapping trust relationships between participants.

> PDF hosting: The SCP paper is hosted at stellar.org/papers/stellar-consensus-protocol and is available via Stanford’s academic archive. It is distributed under a Creative Commons license permitting free redistribution.

---

Publication and Context

By 2015, two dominant consensus paradigms existed: Nakamoto Consensus (Bitcoin) requiring massive computational waste for Sybil resistance, and classical BFT (Practical Byzantine Fault Tolerance / PBFT) requiring a closed, pre-permissioned validator set. Neither worked for an open, global financial network.

Jed McCaleb had founded Stellar in 2014 (after leaving Ripple) specifically to handle cross-border payments for individuals without bank accounts. The original Stellar consensus was based on Ripple’s Federated Voting — an informal, incompletely specified protocol. Mazières’s paper was commissioned to provide a rigorous formal foundation for federated consensus and correct known safety flaws.

Key facts:

• Paper published: April 2015 (to IACR ePrint Archive prior; formal release 2015)
• Stellar Network launch: 2015, replacing the original consensus
• XLM: Native token; very low transaction fees (~0.00001 XLM)
• Co-founder: Jed McCaleb (founder of Mt. Gox, later co-founded Stellar after leaving Ripple)

---

The Core Problem: Open Membership Without a Trusted Authority

Traditional BFT requires a fixed validator set (e.g., Tendermint, PBFT) — secure but closed. Nakamoto Consensus is open but wasteful. The fundamental tension: how can an open, global network reach provably safe consensus without a central authority deciding who the validators are?

Mazières’s answer: each participant individually decides whom to trust. Safety emerges from the mathematical structure of overlapping trust, not from central coordination.

---

Federated Byzantine Agreement (FBA)

The core conceptual innovation:

Quorum Slice: Every node defines its own quorum slice — a subset of nodes whose votes it considers sufficient for agreement. For example, node A might trust {B, C, D, E} and declare any 3 of them sufficient.

Quorum: A quorum is a set of nodes Q (containing at least one quorum slice from each member) that is collectively sufficient for agreement. Think of it as a self-validating “trust cluster.”

Key safety condition: If any two quorums overlap — that is, share at least one honest node — then the network cannot produce conflicting decisions (no fork). Formally, the intersection property: every pair of quorums must share at least one node.

This contrasts with PBFT: in PBFT, there is one global validator set. In FBA, every node picks its own slice; safety emerges globally from the transitive overlaps.

---

The SCP Protocol: Nomination + Ballot

SCP runs in two sub-protocols per “round” (consensus on a specific slot in the ledger):

Nomination Protocol (convergence phase):

1. Each node starts by nominating a candidate value.
2. Nodes accept nominations they hear from their quorum slices.
3. Via federated voting, the set of candidate values converges to a single confirmed value.
4. This avoids the Byzantine “split brain” where nodes commit to different values.

Ballot Protocol (agreement phase):

1. Nodes vote to prepare a ballot (value + counter).
2. Once a ballot is prepared by a quorum, nodes vote to commit.
3. A ballot is externalized (confirmed) when a quorum votes to commit.
4. Monotonic counters prevent nodes from being stuck by conflicting votes.

The two-phase structure means that safety is maintained even if liveness is temporarily lost — the protocol never produces conflicting commits.

---

Sections of the Whitepaper

Section	Content
1. Introduction	The tension between open membership and Byzantine safety; why existing models fail
2. Federated Byzantine Agreement	Quorum slices, quorums, FBA systems; the intersection property
3. Federated Voting	The core abstraction: nodes accept/confirm statements via overlapping quorums
4. Nomination	How a ledger slot’s value converges to a single candidate
5. Ballot Protocol	Two-phase commit: prepare → commit → externalize
6. Analysis	Safety proofs; blocking vs. quorum thresholds; liveness conditions
7. Other Applications	SCP as a general-purpose consensus protocol beyond Stellar

---

Key Technical Properties

Property	SCP
Model	Federated Byzantine Agreement (open membership)
Safety	Guaranteed if quorums intersect (no two quorums are disjoint)
Liveness	Guaranteed if enough nodes are honest and quorums are reachable
Fault tolerance	Up to 1/3 of any quorum can be Byzantine (but depends on trust graph)
Finality	Deterministic once a ballot is externalized — no forks
Performance	O(n) messages per slot for a dense trust graph

---

Quorum Configuration in Practice

The Stellar network uses tier-based quorums: a small set of well-known organizations (Stellar Development Foundation, SDF validators, academic institutions, exchanges like Kraken, Coinbase) form the innermost trust tier. Outer-tier nodes include SDF validators in their quorum slices, providing transitive safety.

This means Stellar is practically more centralized than the paper’s open model suggests — the SDF acts as a trust anchor that most nodes include in their slices. The paper acknowledges this as a practical tradeoff: full decentralization is possible in theory but requires real-world institutions to bootstrap trust.

---

Reality Check: What the Paper Got Right and Wrong

What worked: The formalism is rigorous and the protocol is provably safe given its assumptions. The Stellar network has run continuously since 2015 without a major consensus failure. The paper’s federated model is genuinely novel and has influenced subsequent consensus research.

The centralization concern: The practical Stellar network is significantly more centralized than the paper’s open model suggests. Most validators include SDF’s validators in their quorum slices. In 2019, a bug caused the network to halt when SDF validators went offline — demonstrating that the network’s liveness was centrally dependent. The halt resolved quickly, but it revealed real-world tension between the paper’s model and the deployment.

---

Legacy

SCP influenced a generation of permissionless consensus research. The formal treatment of quorum slices and the intersection property provided a rigorous vocabulary for discussing trust in decentralized networks. The XRP Ledger uses a related (but distinct and less formally specified) model called UNL (Unique Node List). Hedera Hashgraph and Avalanche’s Snow* protocols were designed in explicit dialogue with FBA’s ideas.

---

Related Terms

• Stellar
• Ripple
• Ripple Whitepaper
• Bitcoin Whitepaper
• Avalanche Whitepaper
• Cosmos Whitepaper

---

Research

• Mazières, D. (2015). The Stellar Consensus Protocol: A Federated Model for Internet-Level Consensus. Stellar Development Foundation.

— Primary source. Sections 1–3 are accessible without cryptography background; the ballot protocol proof in §5–6 is dense.

• Lokhava, M., Losa, G., Mazières, D., Haeberlen, A., & Swanson, N. (2019). Fast and secure global payments with Stellar. SOSP 2019.

— Follow-up performance and safety analysis of SCP in production; includes the 2019 halt postmortem.

• Cachin, C., & Vukolic, M. (2017). Blockchain consensus protocols in the wild. arXiv.

— Comparative analysis of SCP vs. PBFT vs. Nakamoto consensus.