CS603 Clock Synchronization February 4, 2002

What is the best we can do? Lundelius and Lynch ‘84 Assumptions: –No failures –No drift –Fully connected network of n nodes –Uncertainty of ε in message delivery time Best guarantee: –ε(1 – 1/n) –This is a tight lower bound

Lower bound proof Idea: Based on view of each node –Views indistinguishable even if real time not the same –Shift execution of a node relative to real time Shift of global view and local view equivalent if message delays changed –Can always shift by at least ε(1 – 1/n) without changing local views

Proof: Induction Clocks synchronized to within γ Assume messages one way take time μ, return takes time μ+ε (e 1 ) Induction: Assume node i-1 sends with delay μ, receives with delay μ+ε –Shift processes < i by ε Let V 1,…,V n be local times at termination of e 1. –In e 1, V n ≤ V 1 + γ –In e i, V i-1 ≤ V i + y – ε ∑ V i ≤ ∑ V i +nγ – (n-1) ε –(n-1) nγ –γ ≥ ε(1-1/n)

Synchronization with Faulty Clocks (Dolev, Halpern, Strong ‘84) Problem: What if some sites are really bad? –Bad clocks –Don’t follow protocol Notation –C: Logical clock –D: Physical clock –TAR: Time Adjustment Register C = D + TAR –Δ: Uncertainty in message delay –C(t), D(t) – value of clock at REAL time t

Assumptions Fully connected, but not necessarily complete Recipient knows source of message Given nodes p,q; H(p,q) and L(p,q) are upper/lower bounds on transmission time –ρ is min(H/L) A real time frame (not directly observable) Correct physical clock has bounded drift rate:  R such that  time u>v, (1/R)(u-v) ≤ D(u)-D(v) ≤ R(U-v) Correct processor has correct clock, implements algorithm No assumptions on behavior of faulty processor –Don’t care if faulty processor knows correct time All processors start within time B (can easily show B ≤ R(n-1)H)

Weak Synchronization Weak Clock Synchronization Condition: Constants PER, DMAX, ADJ such that: –TAR changes only at times that are multiples of PER by amount less than ADJ –Difference between clocks bounded by DMAX Theorem: There is an algorithm that achieves WCSC, independent of faults, for which C(t) is unbounded Proof: Set TAR(t’) = log PER (D(t))-D(t)

Real clock synchronization Clock Synchronization Condition: Add –PER > ADJ –Changes occur only first time C reads iPER If change when C(t)=iPER, then C(t’) ≠ iPER  t’<t Gives Linear Envelope Synchronization: –at+b 0 Theorem:Linear Envelope Synchronization impossible if  1/3 processors faulty

Proof Sketch Construct algorithm that forces a correct processor to run at rate greater than aρ n Idea: faulty processor p uses one algorithm for processor q, other for others –Two-faced behavior –Can’t tell which is two-faced –Correct processor caught in the middle – follow fast clock or slow clock?

Three-processor case (p, q, r) Assume algorithm A synchronizes in time N and tolerates one fault F 0 = A F m+1 : p pretends its clock runs at ρ times q’s rate p pretends r sends messages so C p (t) > aρ m D p (t)+b-mDMAX –F m gives these messages q cannot distinguish from case where p’s clock is fast, r is sending p messages according to F m C q (t) > C p (t) – DMAX > aρ m D p (t) + b – (m+1) DMAX = aρ m+1 D q (t)+b-(m+1) DMAX (since D p (t) = ρD q (t)

Possibility (Fischer, Lynch, Merritt) If no uncertainty in message delay, f faulty, can do with 2f+1 processors –Send messages to all neighbors –Send all messages back –Round trip gives time –Faulty processor will be detected if it tries to be worse than round-trip time Messages out of order

Possibility (Dolev Halpern Simons Strong) We CAN do better –Requires authentication Assumptions: –Messages will be received with bounded delay –Bounded drift –Digital signature –If p has set of messages M at time t with more than f distinct signers, one signer was correct at time signed –2ρ(f+1) < 1 Key: Synchronization time known in advance –At time, send signed “time is now” –If receive f+1 messages saying “time is now” before getting to that time, update local time

Recruiting Bulletin Harris Corporation is in the CS lobby until 3pm today