Impossibility of Consensus in Asynchronous Systems (FLP)

Impossibility of Consensus in Asynchronous Systems (FLP) Ali Ghodsi – UC Berkeley / KTH alig(at)cs.berkeley.edu

Modified Model • A correctnode can always make a “dummy” transition • For state s of a node, there exists a transition ss • There exists always an applicable event on every process • There are no inbufs/outbufs, • There is one set of messages M, i.e. “network cloud” • Message consists of <sender, payload, destination> • Messages are unique Ali Ghodsi, alig(at)cs.berkeley.edu

Configurations • Each configuration contains the state of each node, and • The set of messages in the network, M • Initial config is a config where M is empty and all nodes are in initial state Configuration < p1_state, p2_state, p3_state, {m1, m2} > Ali Ghodsi, alig(at)cs.berkeley.edu

Events, Applicable, Executions… • An event <p,m> is the receipt of message m • After the receipt of m, node p deterministically updates its state (transition function) and puts sent messages in M • <p,m> applicable in config C iff • m is in C.M • Execution is a sequence of configurations • An applicable event is applied between configs Ali Ghodsi, alig(at)cs.berkeley.edu

Intuition behind model Initial state of p receive <tok, y> from q for x:=1 to 3 do begin y:=y+1; send <tok, y> neighp[x]; end receive <tok, z> from q; print z+y Receipt event e Deterministic transition: update state, send messages State of p after receipt of e Receipt event f Deterministic transition State of p after receipt of f Ali Ghodsi, alig(at)cs.berkeley.edu

Consensus Correctness (weak) • A 1-crash-robust consensus satisfies: • Termination • All correct nodes eventuallydecide • Agreement • In every config, decided nodes have decided same value (0 or 1) • Non-triviality (weak validity) • There exists one possible input config with outcome decision 0, and • There exists one possible input config with outcome decision 1 • Example, maybe input “0,0,1”->0 while “0,1,1”->1 • Validity implies non-triviality (”0,0,0” must be 0 and ”1,1,1” must be 1) Ali Ghodsi, alig(at)cs.berkeley.edu

Definitions • 0-decided configuration • A configuration with decide ”0” on some process • 1-decided configuration • A configuration with decide ”1” on some process • 0-valent configuration • A config in which every reachable decided configuration is a 0-decide • 1-valent configuration • A config in which every reachable decided configuration is a 1-decide • Bivalent configuration • A configuration which can reach a 0-decided and 1-decided configuration Ali Ghodsi, alig(at)cs.berkeley.edu

Definitions Illustrated 1(4) • 0-decided configuration • A configuration with decide ”0” on some process 0-decided configuration {STATE2, STATE,5 DECIDE-0, STATE7 {msg1, msg2} } P1 state2 msg2 At least of them is in state DECIDE-0 P2 state5 msg1 P3 decide0 P4 state7 Ali Ghodsi, alig(at)cs.berkeley.edu

Definitions Illustrated 2(4) 0-valent configuration {decide-0, P2_state2, P3_state2, decide-0, { msg2} } • 0-valent configuration • No 1-decided configurations are reachable • Future determined, means ”everyone will decide 0” 0-valent configuration {decide-0, P2_state2, P3_state2, P4_state, {msg1, msg2} } 0-valent configuration {decide-0, P2_state, decide-0, P4_state, {msg1, msg2} } 0-valent configuration { P1_state, P2_state2, P3_state, P4_state, {msg1} } 0- valent configuration { P1_state, P2_state, P3_state, P4_state, {msg1} } 0-valent configuration {decide-0, P2_state, P3_state, P4_state, {msg1, msg2} } 0-valent configuration {decide-0, P2_state3, P3_state, decide-0, {} } 0-valent configuration {decide-0, P2_state, P3_state, decide-0, { msg2} } Ali Ghodsi, alig(at)cs.berkeley.edu

Definitions Illustrated 3(4) 1-valent configuration {decide-1, P2_state2, P3_state2, decide-1, { msg2} } • 1-valent configuration • No 0-decided configurations are reachable • Future determined, means ”everyone will decide 1” 1-valent configuration {decide-1, P2_state2, P3_state2, P4_state, {msg1, msg2} } 1-valent configuration {decide-1, P2_state, decide-1, P4_state, {msg1, msg2} } 1-valent configuration { P1_state, P2_state2, P3_state, P4_state, {msg1} } 1- valent configuration { P1_state, P2_state, P3_state, P4_state, {msg1} } 1-valent configuration {decide-1, P2_state, P3_state, P4_state, {msg1, msg2} } 1-valent configuration {decide-1, P2_state3, P3_state, decide-1, {} } 1-valent configuration {decide-1, P2_state, P3_state, decide-1, { msg2} } Ali Ghodsi, alig(at)cs.berkeley.edu

Definitions Illustrated 4(4) 0-valent config. {decide-0, P2_state2, P3_state2, decide-0, { msg2} } • Bivalent configuration • Both 0 and 1-decided configurations are reachable • Future undetermined, could go either way… 0-valent config. {decide-0, P2_state2, P3_state2, P4_state, {msg1, msg2} } 0-valent config. {decide-0, P2_state, decide-0, P4_state, {msg1, msg2} } 0-valent config. { P1_state, P2_state2, P3_state, P4_state, {msg1} } Bivalent config. { P1_state, P2_state, P3_state, P4_state, {msg1} } 1-valent config. {decide-1, P2_state9, P3_state6, decide-1, {} } 1-valent config. {decide-1, P2_state5, P3_state6, decide-1, { msg2} } 1-valent config. {decide-1, P2_state5, P3_state6, P4_state5, {msg1, msg3} } Ali Ghodsi, alig(at)cs.berkeley.edu

FLP Impossibility Without Proofs

Bivalent Initial Configuration • Initial Bivalency Lemma (Lemma 1) • Any algorithm that solves the 1-crash consensus has an initial bivalent configuration Ali Ghodsi, alig(at)cs.berkeley.edu

Main lemma: Staying Bivalent • Bivalency Preservation Lemma (Lemma 2) • Given any bivalent config and anyevent e applicable in  • There exists a reachable config  where e is applicable, and e() is bivalent • (= possible) Lemma 2 Illustration    e e Bivalent e … … Bivalent Bivalent … … Ali Ghodsi, alig(at)cs.berkeley.edu

FLP Impossibility Theorem • No deterministic 1-crash-robust consensus algorithm exists for the asynchronous model • Proof • Start in a initial bivalent config (Lemma 1) • Given the bivalent config, pick the event e that has been applicable longest • Pick the path taking us to another config where e is applicable (might be empty) • Apply e, and get a bivalent config (Lemma 2) • Repeat 2. Termination violated Ali Ghodsi, alig(at)cs.berkeley.edu

FLP Impossibility Proofs

Bivalent Initial Configuration • Initial Bivalency Lemma (Lemma 1) • Any algorithm that solves the 1-crash consensus has an initial bivalent configuration Ali Ghodsi, alig(at)cs.berkeley.edu

Proof 1/(10) • We know that the algorithm must be non-trivial • There should be some initial configuration that will lead to a 0-decide • There should be some initial configuration that will lead to a 1-decide • Take two such configuration i1 and i2 • E.g. 4 processes • initial values (0,1,0,1,1) lead to 1 • Initial values (0,0,1,0,0) lead to 0 Ali Ghodsi, alig(at)cs.berkeley.edu

Proof 2/(10) • We know there exists inputs p1, p2, p3, p4, p5 • (0,1,0,1,1) leading to 1 • (0,0,1,0,0) leading to 0 Lets look at other initial configurations by flipping the inputs transforming the upper input to the lower input Ali Ghodsi, alig(at)cs.berkeley.edu

Proof 3/(10) • We know there exists inputs p1, p2, p3, p4, p5 • (0,1,0,1,1) leading to 1 • (0,0,0,1,1) leading to ? • (0,0,1,0,0) leading to 0 Lets look at other initial configurations by flipping the inputs transforming the upper input to the lower input Ali Ghodsi, alig(at)cs.berkeley.edu

Proof 4/(10) • We know there exists inputs p1, p2, p3, p4, p5 • (0,1,0,1,1) leading to 1 • (0,0,0,1,1) leading to ? • (0,0,1,1,1) leading to ? • (0,0,1,0,0) leading to 0 Lets look at other initial configurations by flipping the inputs transforming the upper input to the lower input Ali Ghodsi, alig(at)cs.berkeley.edu

Proof 5/(10) • We know there exists inputs p1, p2, p3, p4, p5 • (0,1,0,1,1) leading to 1 • (0,0,0,1,1) leading to ? • (0,0,1,1,1) leading to ? • (0,0,1,0,1) leading to ? • (0,0,1,0,0) leading to 0 Lets look at other initial configurations by flipping the inputs transforming the upper input to the lower input Ali Ghodsi, alig(at)cs.berkeley.edu

Proof 6/(10) • We know there exists inputs p1, p2, p3, p4, p5 • (0,1,0,1,1) leading to 1 • (0,0,0,1,1) leading to ? • (0,0,1,1,1) leading to ? • (0,0,1,0,1) leading to ? • (0,0,1,0,0) leading to 0 Lets look at other initial configurations by flipping the inputs transforming the upper input to the lower input There must exist two neighboring configurations here, with two different outcomes Ali Ghodsi, alig(at)cs.berkeley.edu

Proof 7/(10) • We know there exists inputs p1, p2, p3, p4, p5 • (0,1,0,1,1) leading to 1 • (0,0,0,1,1) leading to 1 • (0,0,1,1,1) leading to 1 • (0,0,1,0,1) leading to 0 • (0,0,1,0,0) leading to 0 Lets look at other initial configurations by flipping the inputs Assume the following two Ali Ghodsi, alig(at)cs.berkeley.edu

Proof 8/(10) • We know there exists inputs p1, p2, p3, p4, p5 • (0,1,0,1,1) leading to 1 • (0,0,0,1,1) leading to 1 • (0,0,1,1,1) leading to 1 • (0,0,1,0,1) leading to 0 • (0,0,1,0,0) leading to 0 Assume the following two Identical configurations except for process p4 Ali Ghodsi, alig(at)cs.berkeley.edu

Proof 9/(10) • We know there exists inputs p1, p2, p3, p4, p5 • (0,0,1,1,1) leading to 1 • (0,0,1,0,1) leading to 0 • The consensus algorithm should tolerate if p4crashes! • (0,0,1,X,1), leads to ? (either 0 or 1) Assume the following two Ali Ghodsi, alig(at)cs.berkeley.edu

Proof 10/(10) • We know there exists inputs p1, p2, p3, p4, p5 • (0,0,1,1,1) leading to 1 • (0,0,1,0,1) leading to 0 • The consensus algorithm should tolerate if p4crashes! • (0,0,1,X,1), leads to ? (either 0 or 1) • If it leads to 1, then depending on whether p4 crashes or not (0,0,1,0,1) either leads to 0 or 1 (bivalent) • If it leads to 0, then depending on whether p4 crashes or not (0,0,1,1,1) either leads to 0 or 1 (bivalent) Assume the following two Ali Ghodsi, alig(at)cs.berkeley.edu

Initial Bivalence • Intuition • Given any algorithm, we can find some start state, that depending on the failure of one process, will either lead to a 0-decide or a 1-decide 1-valent configuration {decide-1, P2_state2, P3_state2, P4_state, {msg1, msg2} } 1-valent configuration { P1_state, P2_state, decide-1, P4_state, {msg1, msg2} } 1-valent configuration { P1_state, P2_state2, P3_state, P4_state, {msg1} } Bivalent Initial Config { P1_state, P2_state, P3_state, P4_state, {msg1} } 0-valent configuration { P1_state, P2_state, P3_state, P4_state, {msg1, msg2} } 0-valent configuration {decide-0, decide-0, P3_state, decide-0, {} } 0-valent configuration {decide-0, P2_state, P3_state, P4_state, { msg2} } Ali Ghodsi, alig(at)cs.berkeley.edu

Order of events • Intuition • The order in which two applicable events are executed is not important! • Order Theorem • Let ep and eq be two events on two different nodes p and q which are both applicable in config C, then • ep can be applied to eq(C), • eq can be applied to ep(C), and • ep(eq(C)) = eq(ep(C) ). Ali Ghodsi, alig(at)cs.berkeley.edu

Definitions • A schedule is a sequence of events <e1, e2,…,ek> • A schedule =<e1, e2,…,ek> is applicable in config C iff • e1 is applicable in C, • e2 is applicable in e1(C) • e3 is applicable in e2(e1(C)) • ... • If the resulting config is D we write (C)=D Ali Ghodsi, alig(at)cs.berkeley.edu

Order of sequences • Diamond Theorem • Let sequences 1 and 2 be applicable in configuration C, and let no node participate in both 1 and 2, then: • 2 is applicable in 1(C) • 1 is applicable in 2(C), and • 1(2(C))=2(1(C)) • Proof • By induction using the order theorem Ali Ghodsi, alig(at)cs.berkeley.edu

Illustration of Diamond Theorem C 1 2 2(C) 1(C) 2 1 D D =2(1(C))=1(2(C)) Ali Ghodsi, alig(at)cs.berkeley.edu

Bivalent Configuration • Any configuration of the 1-robust consensus algorithm is exactly one of these three • Bivalent • 0-valent • 1-valent • Why? • Any configuration leads to a decide (termination) • We know bivalent configurations exist • If it is not bivalent, it must lead to either 0-decide or 1-decide, so it is either 0-valent or 1-valent Ali Ghodsi, alig(at)cs.berkeley.edu

Bivalent Configurations • In any bivalent config , either • one applicable event goes to a bivalent config, or • there exists two applicable events, leading to a 0-valent and 1-valent configurations (respectively) Case 1 Case 2 0-valent Bivalent Bivalent Bivalent 1-valent Ali Ghodsi, alig(at)cs.berkeley.edu

Main lemma: Staying Bivalent • Bivalency Preservation Lemma • Given any bivalent config and anyevent e applicable in  • There exists a reachable config  where e is applicable, and e() is bivalent • (= possible) Lemma 2 Illustration    e e Bivalent e … … Bivalent Bivalent … … Ali Ghodsi, alig(at)cs.berkeley.edu

Proof definitions • Assume e involves process p • Let C be all possible configs reachable from  without applying e •  is in C as well • Apply event e to all configs in C and call the resulting configsD Lemma 2 Illustration … … e … … e  e … … … Bivalent e … e … C … D e … … Ali Ghodsi, alig(at)cs.berkeley.edu

Proof intuition • We will prove that D contains a bivalent config by contradiction • That is, assume there is no bivalent config in D, show that this will lead to a contradiction Lemma 2 Illustration C … … e … … e e … … … Bivalent e … e … … D e … … Ali Ghodsi, alig(at)cs.berkeley.edu

Proof Map Assume there is no bivalent config in D • Then all configs in D are 0-valent or 1-valent • Show that exists a 0-valent and 1-valent config in D • Show existstwoneighboringconfigs c1=f(c0), in C • d0=e(c0) and d1=e(c1) • d0 is 0-valent, d1 is 1-valent • Show this is a contradiction Assumption must be incorrect D must contain a bivalent configuration f C c0 c1 e e d0 d1 D Ali Ghodsi, alig(at)cs.berkeley.edu

Proof • Assume D contains no bivalent configs • i.e. all configs in D are either 0-valent or 1-valent • We next show that there • exists a 0-valent config in D, andthereexists a 1-valent config in D Ali Ghodsi, alig(at)cs.berkeley.edu

Proof • We can reach a 0- and 1-valent config from  (bivalency of ) • Call the 0-valent one 0 and the 1-valent one 1 • If 0 is in C, then e(0) is in D and is 0-valent • If 0 not in C, then exists 0 on the path to 0 such that 0 is in C,e(0) is in D and is 0-valent (NB: assumed no bivalent D) • Symmetric argument shows there is a 1-valent config in D 1 is in C 1 is not in C C C 0 … … … e e … … … … e e e e 0 0 … … … … Bivalent Bivalent e e … … e e … … e e … … … … … Ali Ghodsi, alig(at)cs.berkeley.edu

Reflection • Now we know D must contain • a 0-valent and a 1-valent config • Call the 0/1-valent configsin D: d0and d1 Ali Ghodsi, alig(at)cs.berkeley.edu

Deriving the contradiction • There must exist two configs c0 and c1 in C such that c1=f(c0), and d0=e(c0) and d1=e(c1) f C c0 c1 e e d0 d1 D • Let’s see why! Ali Ghodsi, alig(at)cs.berkeley.edu

Proofing two neighbors exist 1(4) • We know  is bivalent, and e() is in D and is either 0-valent or 1-valent, assume 0-valent C  e 0-valent D Ali Ghodsi, alig(at)cs.berkeley.edu

Proofing two neighbors exist 2(4) • We know  is bivalent, and e() is in D and is either 0-valent or 1-valent, assume 0-valent • There is a reachable 1-valent config in D f0 2 … m C  1 e e 1-valent 0-valent D Ali Ghodsi, alig(at)cs.berkeley.edu

Proofing two neighbors exist 3(4) • We know  is bivalent, and e() is in D and is either 0-valent or 1-valent, assume 0-valent • There is a reachable 1-valent config in D • e is applicable in each i, and must be 0-valent or 1-valent f0 2 … m C  1 e e e e e x-valent z-valent 1-valent y-valent 0-valent D Ali Ghodsi, alig(at)cs.berkeley.edu

Proofing two neighbors exist 4(4) • We know  is bivalent, and e() is in D and is either 0-valent or 1-valent, assume 0-valent • There is a reachable 1-valent config in D • e is applicable in each i, and must be 0-valent or 1-valent f0 f1 f3 f2 2 … m C  1 e e e e e There exists two neighbors, one 1-valent and one 0-valent 0-valent z-valent 1-valent 1-valent 0-valent D Ali Ghodsi, alig(at)cs.berkeley.edu

Proofing two neighbors exist 4(4) • We know  is bivalent, and e() is in D and is either 0-valent or 1-valent, assume 0-valent • There is a reachable 1-valent config in D • e is applicable in each i, and is 0/1-valent f 2 C 1 e e There exists two neighbors, one 1-valent and one 0-valent 0-valent 1-valent D Ali Ghodsi, alig(at)cs.berkeley.edu

Neighbors lead to contradiction 1(3) • Either events e & f happen on same node or not • both cases will lead to contradictions f 2 C 1 e e There exists two neighbors, one 1-valent and one 0-valent 0-valent 1-valent D Ali Ghodsi, alig(at)cs.berkeley.edu

f Neighbors lead to contradiction 2(3) • We now know there exist two configs c0 and c1 in C such that c1=f(c0), and d0=e(c0) and d1=e(c1) • Assume e and f happen on two different processes p and q • Then, the order of their execution can be exchanged (diamond thm) f C c0 c1 e e d0 d1 0-valent 1-valent D Contradiction as d0 is 0-valent, but it leads to a 1-valent config, hence d0 must be bivalent, but we assumed no bivalent configs exist in D Ali Ghodsi, alig(at)cs.berkeley.edu

f e e x 0-valent 0-valent 1-valent 1-valent Neighbors lead to contradiction 3(3) • We know there exist two configs c0 and c1 in C s.t. c1=f(c0), and d0=e(c0) and d1=e(c1) • Assume e and f happen on the same node p. If p is silent, then algo must still terminate correctly C f e e c0 c1 d0 d1 If p is silent, algo should terminate with everyone deciding in a config A    by diamond thm by diamond thm A 0 1 Contradiction as all nodes in A decided, A cannot be bivalent Ali Ghodsi, alig(at)cs.berkeley.edu

Impossibility of Consensus in Asynchronous Systems (FLP)