FLP Impossibility of Consensus

Slides:



Advertisements
Similar presentations
Distributed Computing 8. Impossibility of consensus Shmuel Zaks ©
Advertisements

Impossibility of Distributed Consensus with One Faulty Process
Impossibility of Consensus in Asynchronous Systems (FLP) Ali Ghodsi – UC Berkeley / KTH alig(at)cs.berkeley.edu.
The weakest failure detector question in distributed computing Petr Kouznetsov Distributed Programming Lab EPFL.
CSE 486/586, Spring 2012 CSE 486/586 Distributed Systems Consensus Steve Ko Computer Sciences and Engineering University at Buffalo.
6.852: Distributed Algorithms Spring, 2008 Class 16.
Distributed Computing 8. Impossibility of consensus Shmuel Zaks ©
CSE 486/586, Spring 2013 CSE 486/586 Distributed Systems Consensus Steve Ko Computer Sciences and Engineering University at Buffalo.
Announcements. Midterm Open book, open note, closed neighbor No other external sources No portable electronic devices other than medically necessary medical.
Distributed Algorithms – 2g1513 Lecture 10 – by Ali Ghodsi Fault-Tolerance in Asynchronous Networks.
CS 425 / ECE 428 Distributed Systems Fall 2014 Indranil Gupta (Indy) Lecture 13: Impossibility of Consensus All slides © IG.
Computer Science 425 Distributed Systems CS 425 / ECE 428 Consensus
Consensus Hao Li.
Distributed Computing 8. Impossibility of consensus Shmuel Zaks ©
Structure of Consensus 1 The Structure of Consensus Consensus touches upon the basic “topology” of distributed computations. We will use this topological.
Asynchronous Consensus (Some Slides borrowed from ppt on Web.(by Ken Birman) )
CPSC 668Set 9: Fault Tolerant Consensus1 CPSC 668 Distributed Algorithms and Systems Fall 2006 Prof. Jennifer Welch.
CPSC 668Set 9: Fault Tolerant Consensus1 CPSC 668 Distributed Algorithms and Systems Spring 2008 Prof. Jennifer Welch.
Impossibility of Distributed Consensus with One Faulty Process Michael J. Fischer Nancy A. Lynch Michael S. Paterson Presented by: Oren D. Rubin.
Distributed systems Module 2 -Distributed algorithms Teaching unit 1 – Basic techniques Ernesto Damiani University of Bozen Lesson 4 – Consensus and reliable.
 Idit Keidar, Principles of Reliable Distributed Systems, Technion EE, Spring Principles of Reliable Distributed Systems Lecture 6: Impossibility.
 Idit Keidar, Principles of Reliable Distributed Systems, Technion EE, Spring Principles of Reliable Distributed Systems Lecture 12: Impossibility.
Distributed Algorithms: Agreement Protocols. Problems of Agreement l A set of processes need to agree on a value (decision), after one or more processes.
Distributed Systems Tutorial 4 – Solving Consensus using Chandra-Toueg’s unreliable failure detector: A general Quorum-Based Approach.
On the Cost of Fault-Tolerant Consensus When There are no Faults Idit Keidar & Sergio Rajsbaum Appears in SIGACT News; MIT Tech. Report.
Systems of Distributed systems Module 2 - Distributed algorithms Teaching unit 2 – Properties of distributed algorithms Ernesto Damiani University of Bozen.
CSE 486/586, Spring 2012 CSE 486/586 Distributed Systems Consensus Steve Ko Computer Sciences and Engineering University at Buffalo.
Distributed Consensus Reaching agreement is a fundamental problem in distributed computing. Some examples are Leader election / Mutual Exclusion Commit.
Distributed Consensus Reaching agreement is a fundamental problem in distributed computing. Some examples are Leader election / Mutual Exclusion Commit.
Lecture 8-1 Computer Science 425 Distributed Systems CS 425 / CSE 424 / ECE 428 Fall 2010 Indranil Gupta (Indy) September 16, 2010 Lecture 8 The Consensus.
Distributed Algorithms – 2g1513 Lecture 9 – by Ali Ghodsi Fault-Tolerance in Distributed Systems.
CSCE 668 DISTRIBUTED ALGORITHMS AND SYSTEMS Fall 2011 Prof. Jennifer Welch CSCE 668 Set 11: Asynchronous Consensus 1.
For Distributed Algorithms 2014 Presentation by Ziv Ronen Based on “Impossibility of Distributed Consensus with One Faulty Process” By: Michael J. Fischer,
Consensus and Its Impossibility in Asynchronous Systems.
Computer Science 425 Distributed Systems (Fall 2009) Lecture 10 The Consensus Problem Part of Section 12.5 and Paper: “Impossibility of Distributed Consensus.
CS4231 Parallel and Distributed Algorithms AY 2006/2007 Semester 2 Lecture 8 Instructor: Haifeng YU.
DISTRIBUTED ALGORITHMS AND SYSTEMS Spring 2014 Prof. Jennifer Welch Set 11: Asynchronous Consensus 1.
CS294, Yelick Consensus revisited, p1 CS Consensus Revisited
CS 425/ECE 428/CSE424 Distributed Systems (Fall 2009) Lecture 9 Consensus I Section Klara Nahrstedt.
Sliding window protocol The sender continues the send action without receiving the acknowledgements of at most w messages (w > 0), w is called the window.
Chap 15. Agreement. Problem Processes need to agree on a single bit No link failures A process can fail by crashing (no malicious behavior) Messages take.
Impossibility of Distributed Consensus with One Faulty Process By, Michael J.Fischer Nancy A. Lynch Michael S.Paterson.
1 Fault tolerance in distributed systems n Motivation n robust and stabilizing algorithms n failure models n robust algorithms u decision problems u impossibility.
Alternating Bit Protocol S R ABP is a link layer protocol. Works on FIFO channels only. Guarantees reliable message delivery with a 1-bit sequence number.
Fault tolerance and related issues in distributed computing Shmuel Zaks GSSI - Feb
DISTRIBUTED ALGORITHMS Spring 2014 Prof. Jennifer Welch Set 9: Fault Tolerant Consensus 1.
CS4231 Parallel and Distributed Algorithms AY 2006/2007 Semester 2 Lecture 9 Instructor: Haifeng YU.
CSE 486/586 CSE 486/586 Distributed Systems Consensus Steve Ko Computer Sciences and Engineering University at Buffalo.
The consensus problem in distributed systems
When Is Agreement Possible
CSCE 668 DISTRIBUTED ALGORITHMS AND SYSTEMS
Lecture 16-A: Impossibility of Consensus
Cloud Computing Concepts
Alternating Bit Protocol
Distributed Consensus
Distributed Consensus
FLP Impossibility & Weakest Failure Detector
CS 425 / ECE 428 Distributed Systems Fall 2017 Indranil Gupta (Indy)
EEC 688/788 Secure and Dependable Computing
Consensus, FLP, and Paxos
EEC 688/788 Secure and Dependable Computing
CSCE 668 DISTRIBUTED ALGORITHMS AND SYSTEMS
CSCE 668 DISTRIBUTED ALGORITHMS AND SYSTEMS
EEC 688/788 Secure and Dependable Computing
EEC 688/788 Secure and Dependable Computing
EEC 688/788 Secure and Dependable Computing
EEC 688/788 Secure and Dependable Computing
Distributed systems Consensus
CSE 486/586 Distributed Systems Leader Election
CSE 486/586 Distributed Systems Consensus
Presentation transcript:

FLP Impossibility of Consensus Yan Ji Oct 26, 2017 Slides inspired by Lorenzo Alvisi (CS5414 FA16) slides and Philip Daian (CS6410 FA16) slides

I think you ought to know I'm feeling very depressed.

I think you ought to know I'm feeling very depressed. I have a million ideas, but, they all point to certain death…

FLP Impossibility of Consensus Yan Ji Oct 26, 2017 Slides inspired by Lorenzo Alvisi (CS5414 FA16) slides and Philip Daian (CS6410 FA16) slides

Timeline

Impossibility of distributed consensus with one faulty process (1985) 2001 Dijkstra prize for the most influential paper in distributed computing Michael Fischer, Yale University Distributed computing, Cryptography Nancy Lynch, MIT Distributed computing theory: Algorithms and lower bounds, Modeling and verification, Wireless networks, Biological algorithms Mike Paterson, University of Warwick Algorithms, Complexity The paper won the 2001 Dijkstra prize for the most influential paper in distributed computing. All three authors, Michael Fischer, Nancy Lynch and Mike Paterson are still very active and extremely eminent researchers in the field. Nancy Lynch, in particular, seems to have been involved in almost every important piece of work in distributed algorithms. Lorenzo shaked hands with all three of them!

FLP Result It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing.

The Intuition Considering how Paxos works, what is the most difficult part for reaching consensus in an asynchronous distributed system?

When does liveness fail in Paxos P1 receives promises for n1

When does liveness fail in Paxos P1 receives promises for n1 P2 receives promises for n2 > n1 P1 sends proposal numbered n1, rejected

When does liveness fail in Paxos P1 receives promises for n1 P2 receives promises for n2 > n1 P1 sends proposal numbered n1, rejected P1 receives promises for n1′ > n2 P2 sends proposal numbered n2, rejected

When does liveness fail in Paxos P1 receives promises for n1 P2 receives promises for n2 > n1 P1 sends proposal numbered n1, rejected P1 receives promises for n1′ > n2 P2 sends proposal numbered n2, rejected P1 receives promises for n2′ > n1’ P1 sends proposal numbered n1′ , rejected

When does liveness fail in Paxos P1 receives promises for n1 P2 receives promises for n2 > n1 P1 sends proposal numbered n1, rejected P1 receives promises for n1′ > n2 P2 sends proposal numbered n2, rejected P1 receives promises for n2′ > n1’ P1 sends proposal numbered n1′ , rejected . . .

The Intuition Considering how Paxos works, what is the most difficult part for reaching consensus in an asynchronous distributed system?

The Intuition Considering how Paxos works, what is the most difficult part for reaching consensus in an asynchronous distributed system? CANNOT DISTINGUISH between processes: Crash failure Slow (e.g. in processing or network message delivering)

Assumption It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing.

Assumption It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. No assumptions about the relative speeds of processes or about the delay time in delivering a message Processes don’t have access to synchronized clocks Unable to detect the death of a process

Assumption It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing.

Assumption It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. Termination: all non-faulty processes eventually decide on a value Agreement: all processes that decide do so on the same value Validity: the value that has been decided must have been proposed by some process

Assumption It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. For simplicity, Termination: all non-faulty processes eventually decide on a value in {0, 1} Agreement: all processes that decide do so on the same value Validity: both 0 and 1 are possible decision values

Assumption It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing.

Assumption It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. No Byzantine, no fail-stop, just CRASH. All processes follow the protocol except for that at most one might crash. Difference between knowing there is at most one faulty node and there is indeed one faulty node! The proof goes with the assumption of the knowledge of there is at most one node!

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing.

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. (p, m) p

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. Message Buffer M p

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. Message Buffer M send(p, m) p

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. (p, m) p

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. (p, m) receive(p) p

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. (p, m) p Deal with m

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. Message Buffer M p

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. Message Buffer M receive(p) p

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. Message Buffer M p Deal with Ø

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. (p, m) p

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. (p, m) receive(p) p

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. (p, m) p Deal with Ø

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. All messages are delivered correctly and exactly once The message buffer acts nondeterministically Inserted with arbitrary number of empty messages Message Buffer M

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing.

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. Configuration: C = (s, M) M: message buffer s: internal states of processes Input register Output register Internal storage Program counter Message Buffer M

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. Configuration: C = (s, M) M: message buffer s: internal states of processes Input register, value in {0, 1} Output register, value in {b, 0, 1} Internal storage Program counter p1 0/1, b/0/1 C = (s, M) . M pk 0/1, b/0/1 s

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. Event: e = (p, m) p1 0/1, b/0/1 ... (pi, m) pi 0/1, b/0/1 M ... pk 0/1, b/0/1 s

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. Step: C’= e(C) = (s’, M’) p1 0/1, b/0/1 ... (pi, m) pi 0/1, b/0/1 M ... p1 0/1, b/0/1 C = (s, M) pk 0/1, b/0/1 . s M pk 0/1, b/0/1 s

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. Step: C’= e(C) = (s’, M’) p1 0/1, b/0/1 ... (pi, m) pi 0/1, b/0/1 M ... p1 0/1, b/0/1 C = (s, M) pk p1 0/1, b/0/1 0/1, b/0/1 C = (s, M) . . s M M pk pk 0/1, b/0/1 0/1, b/0/1 s s

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. Step: C’= e(C) = (s’, M’) p1 0/1, b/0/1 ... (pi, m) pi 0/1, b/0/1 M ... p1 0/1, b/0/1 C = (s, M) pk p1 0/1, b/0/1 0/1, b/0/1 C = (s, M) . ... s pi (pi, m) 0/1, b M (pi, m) M ... pk pk 0/1, b/0/1 0/1, b/0/1 s s

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. Step: C’= e(C) = (s’, M’) p1 0/1, b/0/1 ... (pi, m) pi 0/1, b/0/1 M ... p1 0/1, b/0/1 C = (s, M) pk p1 0/1, b/0/1 0/1, b/0/1 C = (s, M) . ... s p’i 0/1, b 0 M (pi, m) M ... pk pk 0/1, b/0/1 0/1, b/0/1 s s’

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. Step: C’= e(C) = (s’, M’) p1 0/1, b/0/1 ... (pi, m) pi 0/1, b/0/1 M ... p1 0/1, b/0/1 C = (s, M) pk p1 0/1, b/0/1 0/1, b/0/1 C = (s, M) . ... s p’i send 0/1, b 0 M (pi, m) M ... pk pk 0/1, b/0/1 0/1, b/0/1 s s’

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. Step: C’= e(C) = (s’, M’) p1 0/1, b/0/1 ... (pi, m) pi 0/1, b/0/1 M ... p1 0/1, b/0/1 C = (s, M) pk p1 0/1, b/0/1 0/1, b/0/1 C’ = (s’, M’) . ... s p’i 0/1, b 0 M’ (pi, m) M ... pk pk 0/1, b/0/1 0/1, b/0/1 s s’

Model It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. Step: C’= e(C) = (s’, M’) p1 0/1, b/0/1 ... (pi, m) pi 0/1, b/0/1 M ... p1 0/1, b/0/1 C = (s, M) pk p1 0/1, b/0/1 0/1, b/0/1 C’ = (s’, M’) . ... s p’i 0/1, b 0 M’ (pi, m) M ... pk pk 0/1, b/0/1 0/1, b/0/1 s s’

Proof It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. How to prove impossibility?

Proof It is impossible to have a deterministic protocol that solves consensus in a message-passing asynchronous system in which at most one process may fail by crashing. How to prove impossibility? Assume to the contrary that there exists a consensus protocol P such that… How to define P?

More terms A schedule S of P is a finite or infinite sequence of events (e1, e2, …, ek)of P, S(C) = ek(...(e2(e1(C)))...)

More terms A schedule S of P is a finite or infinite sequence of events (e1, e2, …, ek)of P, S(C) = ek(...(e2(e1(C)))...) A run of P is a sequence of steps associating a schedule S, in other words, a run is a pair of a configuration C and a schedule S, written as (C, S)

More terms A configuration C’ is reachable from a configuration C if there exist a schedule S such that C’ = S(C)

More terms A configuration C’ is reachable from a configuration C if there exist a schedule S such that C’ = S(C) A configuration C′ is accessible from an initial configuration C0 if C’ is reachable from C0

More terms A configuration C’ is reachable from a configuration C if there exist a schedule S such that C’ = S(C) A configuration C′ is accessible from an initial configuration C0 if C’ is reachable from C0 e1(p1, m1) e2(pk, m2) p1 p’1 p’1 0/1, b C0 = (s0, M0) 0/1, b C1 = (s1, M1) 0/1, b C2 = (s2, M2) . . . M0 M1 M2 pk 0/1, b pk p’k 0/1, b 0/1, b 0 s0 s1 s2

More terms A configuration C has decision value v if some process p is in a decision state with output=v, which is “write-once”/irreversible

More terms A configuration C has decision value v if some process p is in a decision state with output=v, which is “write-once”/irreversible A run is a deciding run if some process reaches a decision state.

More terms A configuration C has decision value v if some process p is in a decision state with output=v, which is “write-once”/irreversible A run is a deciding run if some process reaches a decision state. e1(p1, m1) p1 0/1, b C0 = (s0, M0) p’1 0/1, b C1 = (s1, M1) . . M0 M1 pk 0/1, b pk 0/1, b s0 s1

More terms A configuration C has decision value v if some process p is in a decision state with output=v, which is “write-once”/irreversible A run is a deciding run if some process reaches a decision state. e1(p1, m1) e2(pk, m2) p1 p’1 p’1 0/1, b C0 = (s0, M0) 0/1, b C1 = (s1, M1) 0/1, b C2 = (s2, M2) . . . M0 M1 M2 pk 0/1, b pk p’k 0/1, b 0/1, b 0 s0 s1 s2

More terms A consensus protocol P is partially correct if: No accessible configuration has more than one decision value (agreement) For each v in {0, 1}, some accessible configuration has decision value v (validity) A run is admissible if every process, except possibly one (faulty process), takes infinitely many steps in S

Assume to the contrary that there exists P such that P is partially correct Agreement + Validity

Assume to the contrary that there exists P such that P is partially correct Agreement + Validity Every admissible run of P is a deciding run Termination

Assume to the contrary that there exists P such that P is partially correct Agreement + Validity Every admissible run of P is a deciding run Termination What kind of contradiction should possibly be like?

Categories of configurations Univalent, or i-valent (i in {0, 1}) A configuration C is univalent or i-valent if some process has decided i in C, or if all configurations accessible from C are i-valent

Categories of configurations Univalent, or i-valent (i in {0, 1}) A configuration C is univalent or i-valent if some process has decided i in C, or if all configurations accessible from C are i-valent ... S1 p1 0, b C = (s, M) . ... S2 Decide on 0 M pk 0, b ... S3 s

Categories of configurations Univalent, or i-valent (i in {0, 1}) A configuration C is univalent or i-valent if some process has decided i in C, or if all configurations accessible from C are i-valent ... S1 p1 1, b C = (s, M) . ... S2 Decide on 1 M pk 1, b ... S3 s

Categories of configurations Bivalent A configuration C is bivalent if some of the configurations accessible from it are 0-valent while others are 1-valent ... S1 p1 Decide on 0 0, b C = (s, M) . ... S2 Decide on 1 M pk 1, b ... S3 Decide on 0 s

Categories of configurations Bivalent (see Bivalent, read Undeciding) A configuration C is bivalent if some of the configurations accessible from it are 0-valent while others are 1-valent ... S1 p1 Decide on 0 0, b C = (s, M) . ... S2 Decide on 1 M pk 1, b ... S3 Decide on 0 s

What kind of contradiction should possibly be like? INDISTINGUISHABILITY between processes: Crashed Simply slow in processing or having a terrible network condition

What kind of contradiction should possibly be like? INDISTINGUISHABILITY between processes: Crashed Simply slow in processing or having a terrible network condition For any protocol, there exists a configuration that is always bivalent.

What kind of contradiction should possibly be like? INDISTINGUISHABILITY between processes: Crashed Simply slow in processing or having a terrible network condition For any protocol, there exists a configuration that is always bivalent. Remaining UNDECIDED in the value

What kind of contradiction should possibly be like? INDISTINGUISHABILITY between processes: Crashed Simply slow in processing or having a terrible network condition For any protocol, there exists a configuration that is always bivalent. Remaining UNDECIDED in the value

Proof Outline For any protocol, there is an initial configuration that is bivalent Then there is another bivalent configuration reachable from it after applying some event And another reachable bivalent configuration … An infinite undeciding run

Most exciting part!!! Lemma 1 (commutativity of schedules) Suppose that from some C, the schedules S1, S2 lead to C1, C2 respectively. If the steps in S1 and in S2 are disjoint, then S2 can be applied to C1 and S1 can be applied to C2 and both lead to the same C3.

Most exciting part!!! Lemma 1 (commutativity of schedules) Suppose that from some C, the schedules S1, S2 lead to C1, C2 respectively. If the steps in S1 and in S2 are disjoint, then S2 can be applied to C1 and S1 can be applied to C2 and both lead to the same C3. C S1 S2 C1 C2 S2 S1 C3

Proof Outline For any protocol, there is an initial configuration that is bivalent Then there is another bivalent configuration reachable from it after applying some event And another reachable bivalent configuration … An infinite undeciding run

Most exciting part!!! Lemma 2 P has a bivalent initial configuration.

Most exciting part!!! Lemma 2 P has a bivalent initial configuration. Assume all initial configurations are either 0-valent or 1-valent. p1 0, b 1, b 0, b 0, b 1, b 0, b 1, b 1, b 1, b 0, b 1, b 0, b 1, b 0, b p2 p3

Most exciting part!!! Lemma 2 P has a bivalent initial configuration. Assume all initial configurations are either 0-valent or 1-valent. p1 0, b 1, b 0, b 0, b 1, b 0, b 1, b 1, b 1, b 0, b 1, b 0, b 1, b 0, b p2 p3 1

Most exciting part!!! Lemma 2 P has a bivalent initial configuration. Assume all initial configurations are either 0-valent or 1-valent. p1 0, b 1, b 0, b 0, b 1, b 0, b 1, b 1, b 1, b 0, b 1, b 0, b 1, b 0, b p2 p3 1

Most exciting part!!! Lemma 2 P has a bivalent initial configuration. Assume all initial configurations are either 0-valent or 1-valent. p1 0, b 1, b 0, b 0, b 1, b 0, b 1, b 1, b 1, b 0, b 1, b 0, b 1, b 0, b p2 p3 1

Most exciting part!!! Lemma 2 P has a bivalent initial configuration. Assume all initial configurations are either 0-valent or 1-valent. p1 0, b 1, b 0, b 0, b 1, b 0, b 1, b 1, b 1, b 0, b 1, b 0, b 1, b 0, b p2 p3 1

Most exciting part!!! Lemma 2 P has a bivalent initial configuration. Assume all initial configurations are either 0-valent or 1-valent. Adjacent: differ in the initial state of a single process C1 C2

... ... Most exciting part!!! Lemma 2 P has a bivalent initial configuration. Assume all initial configurations are either 0-valent or 1-valent. Adjacent: differ in the initial state of a single process ... ... C1 C2 Ci Ci+1 Ck

... ... Most exciting part!!! Lemma 2 P has a bivalent initial configuration. Assume all initial configurations are either 0-valent or 1-valent. Adjacent: differ in the initial state of a single process ... ... C1 C2 Ci Ci+1 Ck 1 1

... ... Most exciting part!!! Lemma 2 P has a bivalent initial configuration. Assume all initial configurations are either 0-valent or 1-valent. Adjacent: differ in the initial state of a single process ... ... C1 C2 Ci Ci+1 Ck 1 1

... ... Most exciting part!!! Lemma 2 differ in the initial state of a single process p Ci Ci+1 Lemma 2 P has a bivalent initial configuration. Assume all initial configurations are either 0-valent or 1-valent. Adjacent: differ in the initial state of a single process ... ... C1 C2 Ci Ci+1 Ck 1 1 Even when there is no faulty node!

... ... Most exciting part!!! Lemma 2 differ in the initial state of a single process p Ci Ci+1 S in which p takes no step Lemma 2 P has a bivalent initial configuration. Assume all initial configurations are either 0-valent or 1-valent. C/p Adjacent: differ in the initial state of a single process ... ... C1 C2 Ci Ci+1 Ck 1 1

... ... Most exciting part!!! Lemma 2 differ in the initial state of a single process p Ci Ci+1 S in which p takes no step S in which p takes no step Lemma 2 P has a bivalent initial configuration. Assume all initial configurations are either 0-valent or 1-valent. C/p Adjacent: differ in the initial state of a single process ... ... C1 C2 Ci Ci+1 Ck 1 1

... ... Most exciting part!!! Lemma 2 differ in the initial state of a single process p Ci Ci+1 S in which p takes no step S in which p takes no step Lemma 2 P has a bivalent initial configuration. Assume all initial configurations are either 0-valent or 1-valent. C/p Adjacent: differ in the initial state of a single process ... ... C1 C2 Ci Ci+1 Ck 1 1

... ... Most exciting part!!! Lemma 2 0/1 Most exciting part!!! differ in the initial state of a single process p Ci Ci+1 S in which p takes no step S in which p takes no step Lemma 2 P has a bivalent initial configuration. Assume all initial configurations are either 0-valent or 1-valent. C/p Adjacent: differ in the initial state of a single process ... ... C1 C2 Ci Ci+1 Ck 1 1

... ... Most exciting part!!! Lemma 2 differ in the initial state of a single process p Ci Ci+1 S in which p takes no step S in which p takes no step Lemma 2 P has a bivalent initial configuration. Assume all initial configurations are either 0-valent or 1-valent. C/p Adjacent: differ in the initial state of a single process ... ... 1 C1 C2 Ci Ci+1 Ck 1 1

... ... Most exciting part!!! Lemma 2 0/1 Most exciting part!!! differ in the initial state of a single process p Ci Ci+1 S in which p takes no step S in which p takes no step Lemma 2 P has a bivalent initial configuration. Assume all initial configurations are either 0-valent or 1-valent. C/p Adjacent: differ in the initial state of a single process ... ... 1 C1 C2 Ci Ci+1 Ck 1 1

Proof Outline For any protocol, there is an initial configuration that is bivalent Then there is another bivalent configuration reachable from it after applying some event And another reachable bivalent configuration … An infinite undeciding run

Most exciting part!!! Lemma 3 Let C be a bivalent configuration of P, and e=(p, m) be an event that is applicable to C. Let E be the set of configurations reachable from C without applying e, and let D=e(E), the set of configurations after applying e to all those in E. Then, D contains a bivalent configuration.

Most exciting part!!! Lemma 3 Let C be a bivalent configuration of P, and e=(p, m) be an event that is applicable to C. Let E be the set of configurations reachable from C without applying e, and let D=e(E), the set of configurations after applying e to all those in E. Then, D contains a bivalent configuration. C 0/1

... Most exciting part!!! Lemma 3 Let C be a bivalent configuration of P, and e=(p, m) be an event that is applicable to C. Let E be the set of configurations reachable from C without applying e, and let D=e(E), the set of configurations after applying e to all those in E. Then, D contains a bivalent configuration. Any schedule without applying e E1 C E2 E3 ... 0/1 E

... ... Most exciting part!!! Lemma 3 Let C be a bivalent configuration of P, and e=(p, m) be an event that is applicable to C. Let E be the set of configurations reachable from C without applying e, and let D=e(E), the set of configurations after applying e to all those in E. Then, D contains a bivalent configuration. Any schedule without applying e E1 Apply e D1 C E2 D2 E3 D3 ... ... 0/1 E D

... ... Most exciting part!!! Lemma 3 Let C be a bivalent configuration of P, and e=(p, m) be an event that is applicable to C. Let E be the set of configurations reachable from C without applying e, and let D=e(E), the set of configurations after applying e to all those in E. Then, D contains a bivalent configuration. Any schedule without applying e E1 Apply e D1 C E2 D2 E3 D3 0/1 ... ... 0/1 E D

Most exciting part!!! Assume all configurations in D are univalent.

Most exciting part!!! Assume all configurations in D are univalent. There exists both 0-valent configuration and 1-valent configuration in D.

Most exciting part!!! Assume all configurations in D are univalent. There exists both 0-valent configuration and 1-valent configuration in D. C is bivalent, so for i in {0, 1} there exists a Ci reachable from C that is i-valent.

Most exciting part!!! Assume all configurations in D are univalent. There exists both 0-valent configuration and 1-valent configuration in D. C is bivalent, so for i in {0, 1} there exists a Ci reachable from C that is i-valent. Consider C0 without loss of generality,

Most exciting part!!! Assume all configurations in D are univalent. There exists both 0-valent configuration and 1-valent configuration in D. C is bivalent, so for i in {0, 1} there exists a Ci reachable from C that is i-valent. Consider C0 without loss of generality, C0 C 0/1

Most exciting part!!! Assume all configurations in D are univalent. There exists both 0-valent configuration and 1-valent configuration in D. C is bivalent, so for i in {0, 1} there exists a Ci reachable from C that is i-valent. Consider C0 without loss of generality, A schedule without applying e C0 C 0/1

Most exciting part!!! Assume all configurations in D are univalent. There exists both 0-valent configuration and 1-valent configuration in D. C is bivalent, so for i in {0, 1} there exists a Ci reachable from C that is i-valent. Consider C0 without loss of generality, A schedule without applying e Apply e C0 D0 C 0/1

Most exciting part!!! Assume all configurations in D are univalent. There exists both 0-valent configuration and 1-valent configuration in D. C is bivalent, so for i in {0, 1} there exists a Ci reachable from C that is i-valent. Consider C0 without loss of generality, A schedule without applying e Apply e C0 D0 C 0/1

Most exciting part!!! Assume all configurations in D are univalent. There exists both 0-valent configuration and 1-valent configuration in D. C is bivalent, so for i in {0, 1} there exists a Ci reachable from C that is i-valent. Consider C0 without loss of generality, A schedule already applied e C0 C 0/1

Most exciting part!!! Assume all configurations in D are univalent. There exists both 0-valent configuration and 1-valent configuration in D. C is bivalent, so for i in {0, 1} there exists a Ci reachable from C that is i-valent. Consider C0 without loss of generality, Apply e C C’ D0 C’’ C0 0/1

Most exciting part!!! Assume all configurations in D are univalent. There exists both 0-valent configuration and 1-valent configuration in D. C is bivalent, so for i in {0, 1} there exists a Ci reachable from C that is i-valent. Consider C0 without loss of generality, Apply e C C’ D0 C’’ C0 0/1

Most exciting part!!! Assume all configurations in D are univalent. There exists both 0-valent configuration and 1-valent configuration in D. C is bivalent, so for i in {0, 1} there exists a Ci reachable from C that is i-valent. Consider C0 without loss of generality, There exists D0 that is 0-valent.

Most exciting part!!! Assume all configurations in D are univalent. There exists both 0-valent configuration and 1-valent configuration in D. Without loss of generality, assume D0=e(C) in D is 0-valent

Most exciting part!!! Assume all configurations in D are univalent. There exists both 0-valent configuration and 1-valent configuration in D. Without loss of generality, assume D0=e(C) in D is 0-valent Neighbor: one result from the other in a single step C E1

Most exciting part!!! Assume all configurations in D are univalent. There exists both 0-valent configuration and 1-valent configuration in D. Without loss of generality, assume D0=e(C) in D is 0-valent Neighbor: one result from the other in a single step ... ... C E1 Ei Ei+1 Ek e=(p, m) Dk 1

Most exciting part!!! Assume all configurations in D are univalent. There exists both 0-valent configuration and 1-valent configuration in D. Without loss of generality, assume D0=e(C) in D is 0-valent Neighbor: one result from the other in a single step ... ... C E1 Ei Ei+1 Ek e=(p, m) e=(p, m) D0 Dk 1

Most exciting part!!! Assume all configurations in D are univalent. There exists both 0-valent configuration and 1-valent configuration in D. Without loss of generality, assume D0=e(C) in D is 0-valent Neighbor: one result from the other in a single step ... ... C E1 Ei Ei+1 Ek e=(p, m) D0 D1 Di Di+1 Dk 1 1

Most exciting part!!! Assume all configurations in D are univalent. There exists both 0-valent configuration and 1-valent configuration in D. Without loss of generality, assume D0=e(C) in D is 0-valent Neighbor: one result from the other in a single step ... ... e’=(p’, m’) C E1 Ei Ei+1 Ek e=(p, m) D0 D1 Di Di+1 Dk 1 1

... ... Most exciting part!!! Case 1: p’ != p Ei e e’ Di Ei+1 e Di+1 Neighbor: one result from the other in a single step ... ... e’=(p’, m’) C E1 Ei Ei+1 Ek e=(p, m) D0 D1 Di Di+1 Dk 1 1

... ... Most exciting part!!! Case 1: p’ != p Apply Lemma 1 Ei e e’ Di Neighbor: one result from the other in a single step ... ... e’=(p’, m’) C E1 Ei Ei+1 Ek e=(p, m) D0 D1 Di Di+1 Dk 1 1

... ... Most exciting part!!! Case 1: p’ != p Apply Lemma 1 Ei e e’ Di Neighbor: one result from the other in a single step ... ... e’=(p’, m’) C E1 Ei Ei+1 Ek e=(p, m) D0 D1 Di Di+1 Dk 1 1

... ... Most exciting part!!! Case 1: p’ != p Apply Lemma 1 Ei e e’ Di Neighbor: one result from the other in a single step ... ... e’=(p’, m’) C E1 Ei Ei+1 Ek e=(p, m) D0 D1 Di Di+1 Dk 1 1

... ... Most exciting part!!! Case 2: p’ = p e Ei e’ Di Ei+1 e Di+1 Neighbor: one result from the other in a single step ... ... e’=(p’, m’) C E1 Ei Ei+1 Ek e=(p, m) D0 D1 Di Di+1 Dk 1 1

... ... Most exciting part!!! Case 2: p’ = p e Ei e’ Di Ei+1 e A deciding S (p takes no steps) Di+1 Case 2: p’ = p A Neighbor: one result from the other in a single step ... ... e’=(p’, m’) C E1 Ei Ei+1 Ek e=(p, m) D0 D1 Di Di+1 Dk 1 1

... ... Most exciting part!!! Case 2: p’ = p Apply Lemma 1 e Ei e’ Di A deciding S (p takes no steps) Di+1 Case 2: p’ = p Apply Lemma 1 S A e C0 Neighbor: one result from the other in a single step ... ... e’=(p’, m’) C E1 Ei Ei+1 Ek e=(p, m) D0 D1 Di Di+1 Dk 1 1

... ... Most exciting part!!! Case 2: p’ = p Apply Lemma 1 e Ei e’ Di A deciding S (p takes no steps) Di+1 Case 2: p’ = p Apply Lemma 1 S A e C0 Neighbor: one result from the other in a single step ... ... e’=(p’, m’) C E1 Ei Ei+1 Ek e=(p, m) D0 D1 Di Di+1 Dk 1 1

... ... Most exciting part!!! Case 2: p’ = p Apply Lemma 1 e Ei e’ Di A deciding S (p takes no steps) Di+1 Case 2: p’ = p Apply Lemma 1 S S A e’ e e C0 C1 Neighbor: one result from the other in a single step ... ... e’=(p’, m’) C E1 Ei Ei+1 Ek e=(p, m) D0 D1 Di Di+1 Dk 1 1

... ... Most exciting part!!! Case 2: p’ = p Apply Lemma 1 e Ei e’ Di A deciding S (p takes no steps) Di+1 Case 2: p’ = p Apply Lemma 1 S S A e’ e e C0 C1 Neighbor: one result from the other in a single step ... ... e’=(p’, m’) 1 C E1 Ei Ei+1 Ek e=(p, m) D0 D1 Di Di+1 Dk 1 1

... ... Most exciting part!!! Case 2: p’ = p Apply Lemma 1 e Ei e’ Di A deciding S (p takes no steps) Di+1 Case 2: p’ = p Apply Lemma 1 S S A e’ e e C0 C1 Neighbor: one result from the other in a single step ... ... e’=(p’, m’) 1 C E1 Ei Ei+1 Ek e=(p, m) D0 D1 Di Di+1 Dk 1 1

Most exciting part!!! Assume all configurations in D are univalent. There exists both 0-valent configuration and 1-valent configuration in D. Without loss of generality, assume D0=e(C) in D is 0-valent Contradiction!

Proof Outline For any protocol, there is an initial configuration that is bivalent Then there is another bivalent configuration reachable from it after applying some event And another reachable bivalent configuration … An infinite undeciding run

Most exciting part!!! Construct an infinite undeciding admissible run

Most exciting part!!! Construct an infinite undeciding admissible run By Lemma 2 0/1

Most exciting part!!! Construct an infinite undeciding admissible run S1 applying e1 = receive(p1) last C0 C1 By Lemma 2 By Lemma 3 0/1 0/1

Most exciting part!!! Construct an infinite undeciding admissible run S2 applying e2 = receive(p2) last S1 applying e1 = receive(p1) last C0 C1 C2 By Lemma 2 By Lemma 3 By Lemma 3 0/1 0/1 0/1

Most exciting part!!! Construct an infinite undeciding admissible run S2 applying e2 = receive(p2) last S1 applying e1 = receive(p1) last S3 applying e3 = receive(p3) last C0 C1 C2 C3 By Lemma 2 By Lemma 3 By Lemma 3 By Lemma 3 0/1 0/1 0/1 0/1

Most exciting part!!! Construct an infinite undeciding admissible run S2 applying e2 = receive(p2) last S4 applying e4 = receive(p1) last S1 applying e1 = receive(p1) last S3 applying e3 = receive(p3) last C0 C1 C2 C3 C4 By Lemma 2 By Lemma 3 By Lemma 3 By Lemma 3 By Lemma 3 0/1 0/1 0/1 0/1 0/1

Most exciting part!!! Construct an infinite undeciding admissible run S2 applying e2 = receive(p2) last S4 applying e4 = receive(p1) last S1 applying e1 = receive(p1) last S3 applying e3 = receive(p3) last ... C0 C1 C2 C3 C4 By Lemma 2 By Lemma 3 By Lemma 3 By Lemma 3 By Lemma 3 0/1 0/1 0/1 0/1 0/1

Most exciting part!!! Construct an infinite undeciding admissible run S2 applying e2 = receive(p2) last S4 applying e4 = receive(p1) last S1 applying e1 = receive(p1) last S3 applying e3 = receive(p3) last ... C0 C1 C2 C3 C4 By Lemma 2 By Lemma 3 By Lemma 3 By Lemma 3 By Lemma 3 0/1 0/1 0/1 0/1 0/1 An infinite UNDECIDING run

Assume to the contrary that there exists P such that P is partially correct Agreement + Validity Every admissible run of P is a deciding run Termination

Assume to the contrary that there exists P such that P is partially correct Agreement + Validity Every admissible run of P is a deciding run Termination Contradiction!

Wrap-up Computation determinism Deterministic Probabilistic Timing assumptions Synchronous Asynchronous Failure model Fail-stop Crash Byzantine Permissionless Byzantine

Wrap-up Computation determinism Deterministic Probabilistic Timing assumptions Synchronous Asynchronous Failure model Fail-stop Crash Byzantine Permissionless Byzantine

Wrap-up Impossibility Computation determinism Deterministic Probabilistic Timing assumptions Synchronous Asynchronous Failure model Fail-stop Crash Byzantine Permissionless Byzantine Impossibility

Takeaway You CANNOT guarantee safety and liveness at the same time!

Takeaway You CANNOT guarantee safety and liveness at the same time! But you CAN get around FLP: Release the failure model

Release the failure model The majority are non-faulty No process dies during the execution of the protocol Two-stage protocol: Listens for messages from L- 1 other processes, L=N/2+1 (WHY?), and construct the incoming stream graph G Construct G+ and make decision upon values from the unique initial clique

Takeaway You CANNOT guarantee safety and liveness at the same time! But you CAN get around FLP: Release the failure model Terminate with probability of 1 instead of ALWAYS

Terminate with probability of 1 instead of ALWAYS Use randomization to terminate with arbitrarily high probability M. Ben Or. “Another advantage of free choice: completely asynchronous agreement protocols” (PODC 1983, pp. 27-30)

Takeaway You CANNOT guarantee safety and liveness at the same time! But you CAN get around FLP: Release the failure model Terminate with probability of 1 instead of ALWAYS Use failure detector

Use failure detector Introduce failure detectors to distinguish between crashed processes and very slow processes Chandra, T.D., Hadzilacos, V. and Toueg, S., 1996. The weakest failure detector for solving consensus. Journal of the ACM (JACM), 43(4), pp.685-722.