Impossibility of Consensus in Asynchronous Systems (FLP) Ali Ghodsi – UC Berkeley / KTH alig(at)cs.berkeley.edu

Ali Ghodsi, alig(at)cs.berkeley.edu 2 Modified Model A correct node can always make a “dummy” transition  For state s of a node, there exists a transition s  s  There exists always an applicable event on every process There are no inbufs/outbufs,  There is one set of messages M, i.e. “network cloud”  Message consists of  Messages are unique

Ali Ghodsi, alig(at)cs.berkeley.edu 3 Configurations Each configuration contains the state of each node, and  The set of messages in the network, M Initial config is a config where M is empty and all nodes are in initial state Configuration <p 1 _state, p 2 _state, p 3 _state, {m 1, m 2 } >

Ali Ghodsi, alig(at)cs.berkeley.edu 4 Events, Applicable, Executions… An event is the receipt of message m  After the receipt of m, node p deterministically updates its state (transition function) and puts sent messages in M applicable in config C iff  m is in C.M Execution is a sequence of configurations  An applicable event is applied between configs

Ali Ghodsi, alig(at)cs.berkeley.edu 5 Intuition behind model receive from q for x:=1 to 3 do begin y:=y+1; send neigh p [x]; end receive from q; print z+y Receipt event e Initial state of p State of p after receipt of e Deterministic transition: update state, send messages Receipt event f Deterministic transition State of p after receipt of f

Ali Ghodsi, alig(at)cs.berkeley.edu 6 Consensus Correctness (weak) A 1-crash-robust consensus satisfies:  Termination All correct nodes eventually decide  Agreement In every config, decided nodes have decided same value (0 or 1)  Non-triviality (weak validity) There exists one possible input config with outcome decision 0, and There exists one possible input config with outcome decision 1  Example, maybe input “0,0,1”->0 while “0,1,1”->1  Validity implies non-triviality (”0,0,0” must be 0 and ”1,1,1” must be 1)

Ali Ghodsi, alig(at)cs.berkeley.edu 7 Definitions 0-decided configuration  A configuration with decide ”0” on some process 1-decided configuration  A configuration with decide ”1” on some process 0-valent configuration  A config in which every reachable decided configuration is a 0-decide 1-valent configuration  A config in which every reachable decided configuration is a 1-decide Bivalent configuration  A configuration which can reach a 0-decided and 1-decided configuration

Ali Ghodsi, alig(at)cs.berkeley.edu 8 Definitions Illustrated 1(4) 0-decided configuration  A configuration with decide ”0” on some process 0-decided configuration { STATE2, STATE,5 DECIDE-0, STATE7 {msg1, msg2} } At least of them is in state DECIDE-0 msg1 msg2 P1 state2 P2 state5 P4 state7 P3 decide0

Ali Ghodsi, alig(at)cs.berkeley.edu 9 Definitions Illustrated 2(4) 0-valent configuration  No 1-decided configurations are reachable  Future determined, means ”everyone will decide 0” 0- valent configuration {P1_state, P2_state, P3_state, P4_state, {msg1} } 0-valent configuration {P1_state, P2_state2, P3_state, P4_state, {msg1} } 0-valent configuration {decide-0, P2_state, P3_state, P4_state, {msg1, msg2} } 0-valent configuration {decide-0, P2_state2, P3_state2, P4_state, {msg1, msg2} } 0-valent configuration {decide-0, P2_state, P3_state, decide-0, { msg2} } 0-valent configuration {decide-0, P2_state2, P3_state2, decide-0, { msg2} } 0-valent configuration {decide-0, P2_state, decide-0, P4_state, {msg1, msg2} } 0-valent configuration {decide-0, P2_state3, P3_state, decide-0, {} }

Ali Ghodsi, alig(at)cs.berkeley.edu 10 Definitions Illustrated 3(4) 1-valent configuration  No 0-decided configurations are reachable  Future determined, means ”everyone will decide 1” 1- valent configuration {P1_state, P2_state, P3_state, P4_state, {msg1} } 1-valent configuration {P1_state, P2_state2, P3_state, P4_state, {msg1} } 1-valent configuration {decide-1, P2_state, P3_state, P4_state, {msg1, msg2} } 1-valent configuration {decide-1, P2_state, P3_state, decide-1, { msg2} } 1-valent configuration {decide-1, P2_state2, P3_state2, decide-1, { msg2} } 1-valent configuration {decide-1, P2_state, decide-1, P4_state, {msg1, msg2} } 1-valent configuration {decide-1, P2_state3, P3_state, decide-1, {} } 1-valent configuration {decide-1, P2_state2, P3_state2, P4_state, {msg1, msg2} }

Ali Ghodsi, alig(at)cs.berkeley.edu 11 Definitions Illustrated 4(4) Bivalent configuration  Both 0 and 1-decided configurations are reachable  Future undetermined, could go either way… Bivalent config. {P1_state, P2_state, P3_state, P4_state, {msg1} } 0-valent config. {P1_state, P2_state2, P3_state, P4_state, {msg1} } 1-valent config. {decide-1, P2_state5, P3_state6, P4_state5, {msg1, msg3} } 0-valent config. {decide-0, P2_state2, P3_state2, P4_state, {msg1, msg2} } 1-valent config. {decide-1, P2_state5, P3_state6, decide-1, { msg2} } 0-valent config. {decide-0, P2_state2, P3_state2, decide-0, { msg2} } 0-valent config. {decide-0, P2_state, decide-0, P4_state, {msg1, msg2} } 1-valent config. {decide-1, P2_state9, P3_state6, decide-1, {} }

FLP Impossibility Without Proofs

Ali Ghodsi, alig(at)cs.berkeley.edu 13 Bivalent Initial Configuration Initial Bivalency Lemma (Lemma 1)  Any algorithm that solves the 1-crash consensus has an initial bivalent configuration

Ali Ghodsi, alig(at)cs.berkeley.edu 14 Main lemma: Staying Bivalent Bivalency Preservation Lemma (Lemma 2)  Given any bivalent config  and any event e applicable in  There exists a reachable config  where e is applicable, and e(  ) is bivalent Bivalent … e … e … … e    Lemma 2 Illustration (  =  possible)

Ali Ghodsi, alig(at)cs.berkeley.edu 15 FLP Impossibility Theorem No deterministic 1-crash-robust consensus algorithm exists for the asynchronous model Proof 1.Start in a initial bivalent config (Lemma 1) 2.Given the bivalent config, pick the event e that has been applicable longest Pick the path taking us to another config where e is applicable (might be empty) Apply e, and get a bivalent config (Lemma 2) 3.Repeat 2. Termination violated

FLP Impossibility Proofs

Ali Ghodsi, alig(at)cs.berkeley.edu 17 Bivalent Initial Configuration Initial Bivalency Lemma (Lemma 1)  Any algorithm that solves the 1-crash consensus has an initial bivalent configuration

Ali Ghodsi, alig(at)cs.berkeley.edu 18 Proof 1/(10) We know that the algorithm must be non- trivial  There should be some initial configuration that will lead to a 0-decide  There should be some initial configuration that will lead to a 1-decide Take two such configuration i 1 and i 2  E.g. 4 processes initial values (0,1,0,1,1) lead to 1 Initial values (0,0,1,0,0) lead to 0

Ali Ghodsi, alig(at)cs.berkeley.edu 19 Proof 2/(10) We know there exists inputs p 1, p 2, p 3, p 4, p 5  (0,1,0,1,1) leading to 1  (0,0,1,0,0) leading to 0 Lets look at other initial configurations by flipping the inputs transforming the upper input to the lower input

Ali Ghodsi, alig(at)cs.berkeley.edu 20 Proof 3/(10) We know there exists inputs p 1, p 2, p 3, p 4, p 5  (0,1,0,1,1) leading to 1  (0,0,0,1,1) leading to ?  (0,0,1,0,0) leading to 0 Lets look at other initial configurations by flipping the inputs transforming the upper input to the lower input

Ali Ghodsi, alig(at)cs.berkeley.edu 21 Proof 4/(10) We know there exists inputs p 1, p 2, p 3, p 4, p 5  (0,1,0,1,1) leading to 1  (0,0,0,1,1) leading to ?  (0,0,1,1,1) leading to ?  (0,0,1,0,0) leading to 0 Lets look at other initial configurations by flipping the inputs transforming the upper input to the lower input

Ali Ghodsi, alig(at)cs.berkeley.edu 22 Proof 5/(10) We know there exists inputs p 1, p 2, p 3, p 4, p 5  (0,1,0,1,1) leading to 1  (0,0,0,1,1) leading to ?  (0,0,1,1,1) leading to ?  (0,0,1,0,1) leading to ?  (0,0,1,0,0) leading to 0 Lets look at other initial configurations by flipping the inputs transforming the upper input to the lower input

Ali Ghodsi, alig(at)cs.berkeley.edu 23 Proof 6/(10) We know there exists inputs p 1, p 2, p 3, p 4, p 5  (0,1,0,1,1) leading to 1  (0,0,0,1,1) leading to ?  (0,0,1,1,1) leading to ?  (0,0,1,0,1) leading to ?  (0,0,1,0,0) leading to 0 There must exist two neighboring configurations here, with two different outcomes Lets look at other initial configurations by flipping the inputs transforming the upper input to the lower input

Ali Ghodsi, alig(at)cs.berkeley.edu 24 Proof 7/(10) We know there exists inputs p 1, p 2, p 3, p 4, p 5  (0,1,0,1,1) leading to 1  (0,0,0,1,1) leading to 1  (0,0,1,1,1) leading to 1  (0,0,1,0,1) leading to 0  (0,0,1,0,0) leading to 0 Assume the following two Lets look at other initial configurations by flipping the inputs

Ali Ghodsi, alig(at)cs.berkeley.edu 25 Proof 8/(10) We know there exists inputs p 1, p 2, p 3, p 4, p 5  (0,1,0,1,1) leading to 1  (0,0,0,1,1) leading to 1  (0,0,1,1,1) leading to 1  (0,0,1,0,1) leading to 0  (0,0,1,0,0) leading to 0 Assume the following two Identical configurations except for process p 4

Ali Ghodsi, alig(at)cs.berkeley.edu 26 Proof 9/(10) We know there exists inputs p 1, p 2, p 3, p 4, p 5  (0,0,1,1,1) leading to 1  (0,0,1,0,1) leading to 0 The consensus algorithm should tolerate if p 4 crashes!  (0,0,1,X,1), leads to ? (either 0 or 1) Assume the following two

Ali Ghodsi, alig(at)cs.berkeley.edu 27 Proof 10/(10) We know there exists inputs p 1, p 2, p 3, p 4, p 5  (0,0,1,1,1) leading to 1  (0,0,1,0,1) leading to 0 The consensus algorithm should tolerate if p 4 crashes!  (0,0,1,X,1), leads to ? (either 0 or 1)  If it leads to 1, then depending on whether p 4 crashes or not (0,0,1,0,1) either leads to 0 or 1 (bivalent)  If it leads to 0, then depending on whether p 4 crashes or not (0,0,1,1,1) either leads to 0 or 1 (bivalent) Assume the following two

Ali Ghodsi, alig(at)cs.berkeley.edu 28 Initial Bivalence Intuition  Given any algorithm, we can find some start state, that depending on the failure of one process, will either lead to a 0-decide or a 1-decide Bivalent Initial Config {P1_state, P2_state, P3_state, P4_state, {msg1} } 1-valent configuration {P1_state, P2_state2, P3_state, P4_state, {msg1} } 0-valent configuration {P1_state, P2_state, P3_state, P4_state, {msg1, msg2} } 1-valent configuration {decide-1, P2_state2, P3_state2, P4_state, {msg1, msg2} } 0-valent configuration {decide-0, P2_state, P3_state, P4_state, { msg2} } 1-valent configuration {P1_state, P2_state, decide-1, P4_state, {msg1, msg2} } 0-valent configuration {decide-0, decide-0, P3_state, decide-0, {} }

Ali Ghodsi, alig(at)cs.berkeley.edu 29 Order of events Intuition  The order in which two applicable events are executed is not important! Order Theorem  Let e p and e q be two events on two different nodes p and q which are both applicable in config C, then e p can be applied to e q (C), e q can be applied to e p (C), and e p (e q (C)) = e q (e p (C) ).

Ali Ghodsi, alig(at)cs.berkeley.edu 30 Definitions A schedule is a sequence of events A schedule  = is applicable in config C iff  e 1 is applicable in C,  e 2 is applicable in e 1 (C)  e 3 is applicable in e 2 (e 1 (C)) ... If the resulting config is D we write  (C)=D

Ali Ghodsi, alig(at)cs.berkeley.edu 31 Order of sequences Diamond Theorem  Let sequences  1 and  2 be applicable in configuration C, and let no node participate in both  1 and  2, then:  2 is applicable in  1 (C)  1 is applicable in  2 (C), and  1 (  2 (C))=  2 (  1 (C)) Proof  By induction using the order theorem

Ali Ghodsi, alig(at)cs.berkeley.edu 32 Illustration of Diamond Theorem C 11 22 1(C)1(C) 2(C)2(C) D 22 11 D =  2 (  1 (C) )=  1 (  2 (C))

Ali Ghodsi, alig(at)cs.berkeley.edu 33 Bivalent Configuration Any configuration of the 1-robust consensus algorithm is exactly one of these three  Bivalent  0-valent  1-valent Why?  Any configuration leads to a decide (termination)  We know bivalent configurations exist  If it is not bivalent, it must lead to either 0-decide or 1- decide, so it is either 0-valent or 1-valent

Ali Ghodsi, alig(at)cs.berkeley.edu 34 Bivalent Configurations In any bivalent config , either  one applicable event goes to a bivalent config, or  there exists two applicable events, leading to a 0- valent and 1-valent configurations (respectively) 1-valent 0-valent Case 1Case 2 Bivalent

Ali Ghodsi, alig(at)cs.berkeley.edu 35 Main lemma: Staying Bivalent Bivalency Preservation Lemma  Given any bivalent config  and any event e applicable in  There exists a reachable config  where e is applicable, and e(  ) is bivalent Bivalent … e … e … … e    Lemma 2 Illustration (  =  possible)

Ali Ghodsi, alig(at)cs.berkeley.edu 36 Proof definitions Assume e involves process p Let C be all possible configs reachable from  without applying e   is in C as well Apply event e to all configs in C and call the resulting configs D Bivalent … e Lemma 2 Illustration … … … … … … … e e … … e … e C D … e 

Ali Ghodsi, alig(at)cs.berkeley.edu 37 Proof intuition We will prove that D contains a bivalent config by contradiction That is, assume there is no bivalent config in D, show that this will lead to a contradiction Bivalent … e Lemma 2 Illustration … … … … … … … … e e e … … e … e C D

Ali Ghodsi, alig(at)cs.berkeley.edu 38 Proof Map Assume there is no bivalent config in D  Then all configs in D are 0-valent or 1-valent  Show that exists a 0-valent and 1-valent config in D  Show exists two neighboring configs c 1 =f(c 0 ), in C d 0 =e(c 0 ) and d 1 =e(c 1 ) d 0 is 0-valent, d 1 is 1-valent Show this is a contradiction Assumption must be incorrect D must contain a bivalent configuration f c0c0 c1c1 d0d0 d1d1 e e C D

Ali Ghodsi, alig(at)cs.berkeley.edu 39 Proof Assume D contains no bivalent configs  i.e. all configs in D are either 0-valent or 1-valent We next show that there  exists a 0-valent config in D, and there exists a 1-valent config in D

Ali Ghodsi, alig(at)cs.berkeley.edu 40 Proof We can reach a 0- and 1-valent config from  (bivalency of  )  Call the 0-valent one  0 and the 1-valent one  1 If  0 is in C, then e(  0 ) is in D and is 0-valent If  0 not in C, then exists  0 on the path to  0 such that  0 is in C, e(  0 ) is in D and is 0-valent (NB: assumed no bivalent D) Symmetric argument shows there is a 1-valent config in D Bivalent … e 00 … … … … … … … e e e … … e … e C  1 is in C Bivalent … e  0 … … … … 00 … e e e … … e … e C  1 is not in C

Ali Ghodsi, alig(at)cs.berkeley.edu 41 Reflection Now we know D must contain  a 0-valent and a 1-valent config Call the 0/1-valent configs in D: d 0 and d 1

Ali Ghodsi, alig(at)cs.berkeley.edu 42 f Deriving the contradiction There must exist two configs c 0 and c 1 in C such that c 1 = f ( c 0 ), and d 0 = e ( c 0 ) and d 1 = e ( c 1 ) c0c0 c1c1 d0d0 d1d1 e e C D Let ’ s see why!

Ali Ghodsi, alig(at)cs.berkeley.edu 43 Proofing two neighbors exist 1(4) We know  is bivalent, and e (  ) is in D and is either 0-valent or 1-valent, assume 0-valent  0-valent e C D

Ali Ghodsi, alig(at)cs.berkeley.edu 44 Proofing two neighbors exist 2(4) We know  is bivalent, and e (  ) is in D and is either 0-valent or 1-valent, assume 0-valent There is a reachable 1-valent config in D f0f0  11 0-valent e e C 22 … mm 1-valent D

Ali Ghodsi, alig(at)cs.berkeley.edu 45 Proofing two neighbors exist 3(4) We know  is bivalent, and e (  ) is in D and is either 0-valent or 1-valent, assume 0-valent There is a reachable 1-valent config in D e is applicable in each  i, and must be 0-valent or 1-valent  11 0-valent 1-valent e e C 22 … mm x-valent y-valent z-valent D eee f0f0

Ali Ghodsi, alig(at)cs.berkeley.edu 46 There exists two neighbors, one 1- valent and one 0- valent Proofing two neighbors exist 4(4)  11 0-valent 1-valent e e C 22 … mm 0-valent 1-valent z-valent D eee f0f0 f1f1 f2f2 f3f3 We know  is bivalent, and e (  ) is in D and is either 0-valent or 1-valent, assume 0-valent There is a reachable 1-valent config in D e is applicable in each  i, and must be 0-valent or 1-valent

Ali Ghodsi, alig(at)cs.berkeley.edu 47 There exists two neighbors, one 1- valent and one 0- valent Proofing two neighbors exist 4(4) We know  is bivalent, and e (  ) is in D and is either 0-valent or 1-valent, assume 0-valent There is a reachable 1-valent config in D e is applicable in each  i, and is 0/1-valent f 11 C 22 0-valent 1-valent D ee

Ali Ghodsi, alig(at)cs.berkeley.edu 48 There exists two neighbors, one 1- valent and one 0- valent Neighbors lead to contradiction 1(3) Either events e & f happen on same node or not  both cases will lead to contradictions f 11 C 22 0-valent 1-valent D ee

Ali Ghodsi, alig(at)cs.berkeley.edu 49 Neighbors lead to contradiction 2(3) We now know there exist two configs c 0 and c 1 in C such that c 1 = f ( c 0 ), and d 0 = e ( c 0 ) and d 1 = e ( c 1 ) Assume e and f happen on two different processes p and q  Then, the order of their execution can be exchanged (diamond thm) f c0c0 c1c1 d1d1 e e C D 0-valent1-valent f d0d0 Contradiction as d 0 is 0-valent, but it leads to a 1-valent config, hence d 0 must be bivalent, but we assumed no bivalent configs exist in D

Ali Ghodsi, alig(at)cs.berkeley.edu 50 Neighbors lead to contradiction 3(3) We know there exist two configs c 0 and c 1 in C s.t. c 1 =f(c 0 ), and d 0 =e(c 0 ) and d 1 =e(c 1 ) Assume e and f happen on the same node p. If p is silent, then algo must still terminate correctly f c0c0 c1c1 d1d1 e e C 0-valent1-valent d0d0 Contradiction as all nodes in A decided, A cannot be bivalent f xx e e A If p is silent, algo should terminate with everyone deciding in a config A 00 by diamond thm 11 0-valent1-valent   

Ali Ghodsi, alig(at)cs.berkeley.edu 51 FLP Impossibility Theorem No deterministic 1-crash-robust consensus algorithm exists for the asynchronous model Proof 1.Start in a initial bivalent config (Lemma 1) 2.Given the bivalent config, pick the event e that has been applicable longest Pick the execution taking us to another config where e is applicable Apply e, and get a bivalent config (Lemma 2) 3.Repeat 2.

Ali Ghodsi, alig(at)cs.berkeley.edu 52 Summary We have proved that a 1-crash resilient deterministic consensus algorithm does not exist  Hence, there exists always an execution which stays in bivalent configs and still keeps applying all applicable events in a fair order!  All correct nodes execute infinite number of events, messages delivered, and still leads to no decision! Circumventing FLP impossibility  Probabilistically  Randomization  Partial Synchrony (e.g. failure detectors)