Impossibility of Consensus in Asynchronous Systems (FLP)
Ali Ghodsi – UC Berkeley / KTH
alig(at)cs.berkeley.edu
Ali Ghodsi, alig(at)cs.berkeley.edu 2
Modified Model
- A correct node can always make a “dummy” transition: for every state s of a node there exists a transition s → s, so there is always an applicable event on every process.
- There are no inbufs/outbufs. There is one set of messages M, i.e. the “network cloud”. A message consists of <sender, payload, destination>. Messages are unique.
Configurations
- Each configuration contains the state of each node, and the set of messages in the network, M.
- The initial config is a config where M is empty and all nodes are in their initial state.
- Example configuration: < p1_state, p2_state, p3_state, {m1, m2} >
Events, Applicable, Executions…
- An event <p,m> is the receipt of message m by node p. After the receipt of m, node p deterministically updates its state (transition function) and puts the messages it sends in M.
- <p,m> is applicable in config C iff m is in C.M.
- An execution is a sequence of configurations; an applicable event is applied between consecutive configs.
Intuition behind model
Example process code:

receive <tok, y> from q
for x:=1 to 3 do
begin
  y:=y+1;
  send <tok, y> neighp[x];
end
receive <tok, z> from q;
print z+y

Figure: the first receive is receipt event e, which takes p from its initial state to the state of p after receipt of e by a deterministic transition (update state, send messages); the second receive is receipt event f, after which p is in the state of p after receipt of f (again a deterministic transition).
Consensus Correctness (weak)
A 1-crash-robust consensus satisfies:
- Termination: all correct nodes eventually decide.
- Agreement: in every config, decided nodes have decided the same value (0 or 1).
- Non-triviality (weak validity): there exists one possible input config with outcome decision 0, and there exists one possible input config with outcome decision 1. Example: maybe input “0,0,1” -> 0 while “0,1,1” -> 1. Validity implies non-triviality (”0,0,0” must be 0 and ”1,1,1” must be 1).
Definitions
- 0-decided configuration: a configuration with decide ”0” on some process.
- 1-decided configuration: a configuration with decide ”1” on some process.
- 0-valent configuration: a config in which every reachable decided configuration is a 0-decide.
- 1-valent configuration: a config in which every reachable decided configuration is a 1-decide.
- Bivalent configuration: a configuration which can reach both a 0-decided and a 1-decided configuration.
Definitions Illustrated 1(4)
0-decided configuration: a configuration with decide ”0” on some process.
Figure: the 0-decided configuration { STATE2, STATE5, DECIDE-0, STATE7, {msg1, msg2} }, drawn as P1 in state2, P2 in state5, P3 in decide0 and P4 in state7, with msg1 and msg2 in the network; at least one of the processes is in state DECIDE-0.
Definitions Illustrated 2(4)
0-valent configuration: no 1-decided configurations are reachable. The future is determined, meaning ”everyone will decide 0”.
Figure: a tree of configurations rooted at the 0-valent configuration { P1_state, P2_state, P3_state, P4_state, {msg1} }. Every configuration reachable from it is also 0-valent, for example { P1_state, P2_state2, P3_state, P4_state, {msg1} }, { decide-0, P2_state, P3_state, P4_state, {msg1, msg2} }, { decide-0, P2_state2, P3_state2, decide-0, {msg2} } and { decide-0, P2_state3, P3_state, decide-0, {} }; the only decides that ever appear are decide-0.
Definitions Illustrated 3(4)
1-valent configuration: no 0-decided configurations are reachable. The future is determined, meaning ”everyone will decide 1”.
Figure: a tree of configurations rooted at the 1-valent configuration { P1_state, P2_state, P3_state, P4_state, {msg1} }. Every configuration reachable from it is also 1-valent, for example { P1_state, P2_state2, P3_state, P4_state, {msg1} }, { decide-1, P2_state, P3_state, P4_state, {msg1, msg2} }, { decide-1, P2_state2, P3_state2, decide-1, {msg2} } and { decide-1, P2_state3, P3_state, decide-1, {} }; the only decides that ever appear are decide-1.
Definitions Illustrated 4(4)
Bivalent configuration: both 0-decided and 1-decided configurations are reachable. The future is undetermined; it could go either way…
Figure: from the bivalent config { P1_state, P2_state, P3_state, P4_state, {msg1} } one event leads to the 0-valent config { P1_state, P2_state2, P3_state, P4_state, {msg1} }, whose descendants (e.g. { decide-0, P2_state2, P3_state2, P4_state, {msg1, msg2} }, { decide-0, P2_state2, P3_state2, decide-0, {msg2} } and { decide-0, P2_state, decide-0, P4_state, {msg1, msg2} }) only ever contain decide-0, and another event leads to the 1-valent config { decide-1, P2_state5, P3_state6, P4_state5, {msg1, msg3} }, whose descendants (e.g. { decide-1, P2_state5, P3_state6, decide-1, {msg2} } and { decide-1, P2_state9, P3_state6, decide-1, {} }) only ever contain decide-1.
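The configuration/event model and the valency definitions above, as an added Python example that is not from the slides. It runs a constructed toy protocol (an assumption, not an algorithm the slides describe): p0 acts as an aggregator that decides the first input it receives and broadcasts the decision, so the initial configuration with inputs (0,0,1) is bivalent while (0,0,0) is 0-valent. `valency` classifies a configuration by exhaustively exploring the reachable configurations, exactly as the definitions prescribe, and `successor_valencies` shows the bivalent config of slide 4(4) with one 0-valent and one 1-valent successor.

```python
from collections import deque

AGG = 0  # p0 is the aggregator in this constructed toy protocol (assumption)

def initial_config(inputs):
    """Initial configuration: every process in its initial state, M empty.
    A process state is (phase, input, decision); M holds (sender, payload, dest)."""
    return (tuple(("init", v, None) for v in inputs), frozenset())

def applicable_events(config):
    """Events <p, m> applicable in config: every m in M addressed to p, plus the
    dummy event <p, None> that the modified model guarantees always exists."""
    states, msgs = config
    return [(p, None) for p in range(len(states))] + [(m[2], m) for m in msgs]

def apply_event(config, event):
    """Deterministic transition of p on receipt of m: update p's state, remove m
    from M and add the messages p sends (each <sender, payload, destination>)."""
    states, msgs = config
    p, m = event
    phase, inp, dec = states[p]
    new_state, sent = states[p], []
    if m is None:                                 # dummy transition s -> s, except
        if phase == "init":                       # the first step: send input to p0
            new_state, sent = ("sent", inp, dec), [(p, inp, AGG)]
    elif p == AGG and dec is None:                # p0 decides the first value it gets
        new_state = ("decided", inp, m[1])
        sent = [(p, m[1], q) for q in range(len(states)) if q != AGG]
    elif dec is None and m[0] == AGG:             # others adopt p0's decision
        new_state = ("decided", inp, m[1])
    new_msgs = (msgs - {m} if m is not None else msgs) | set(sent)
    return (states[:p] + (new_state,) + states[p + 1:], frozenset(new_msgs))

def reachable(config):
    """All configurations reachable from config by applying applicable events."""
    seen, queue = {config}, deque([config])
    while queue:
        c = queue.popleft()
        for e in applicable_events(c):
            d = apply_event(c, e)
            if d not in seen:
                seen.add(d)
                queue.append(d)
    return seen

def decided_values(config):
    return {s[2] for s in config[0] if s[2] is not None}  # values decided in config

def valency(config):
    """Classify config as 0-valent, 1-valent or bivalent per the slide definitions."""
    vals = frozenset().union(*(decided_values(c) for c in reachable(config)))
    names = {frozenset({0}): "0-valent", frozenset({1}): "1-valent",
             frozenset({0, 1}): "bivalent"}
    return names.get(vals, "undecided")

def successor_valencies(config):
    """Valency of e(config) for every applicable event e."""
    return {e: valency(apply_event(config, e)) for e in applicable_events(config)}
```

The toy protocol is not 1-crash-robust (if p0 crashes nobody decides), which is consistent with the theorem; it only serves to make the definitions concrete.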
FLP Impossibility Without Proofs
Bivalent Initial Configuration
Initial Bivalency Lemma (Lemma 1): any algorithm that solves 1-crash consensus has an initial bivalent configuration.
Main lemma: Staying Bivalent
Bivalency Preservation Lemma (Lemma 2): given any bivalent config and any event e applicable in it, there exists a reachable config where e is applicable and where applying e yields a bivalent config.
Figure (Lemma 2 illustration): from the bivalent config, a path of other events (possibly empty) leads to a config in which e is applicable and in which e leads to a bivalent config; the legend marks such a path as ”possible”.
FLP Impossibility Theorem
No deterministic 1-crash-robust consensus algorithm exists for the asynchronous model.
Proof
1. Start in an initial bivalent config (Lemma 1).
2. Given the bivalent config, pick the event e that has been applicable longest. Pick the path taking us to another config where e is applicable (might be empty). Apply e, and get a bivalent config (Lemma 2).
3. Repeat 2.
Termination is violated.
FLP Impossibility Proofs
Bivalent Initial Configuration
Initial Bivalency Lemma (Lemma 1): any algorithm that solves 1-crash consensus has an initial bivalent configuration.
Proof 1/(10)
- We know that the algorithm must be non-trivial: there should be some initial configuration that will lead to a 0-decide, and some initial configuration that will lead to a 1-decide.
- Take two such configurations, i1 and i2. E.g. with 5 processes: initial values (0,1,0,1,1) lead to 1, initial values (0,0,1,0,0) lead to 0.
Proof 2/(10) to 6/(10)
We know there exist inputs (for p1, p2, p3, p4, p5) such that (0,1,0,1,1) leads to 1 and (0,0,1,0,0) leads to 0. Let's look at other initial configurations by flipping the inputs one process at a time, transforming the upper input into the lower input:
- (0,1,0,1,1) leading to 1
- (0,0,0,1,1) leading to ?
- (0,0,1,1,1) leading to ?
- (0,0,1,0,1) leading to ?
- (0,0,1,0,0) leading to 0
There must exist two neighboring configurations in this list with two different outcomes.
Proof 7/(10) to 8/(10)
Assume the following outcomes for the flipped inputs (p1, p2, p3, p4, p5):
- (0,1,0,1,1) leading to 1
- (0,0,0,1,1) leading to 1
- (0,0,1,1,1) leading to 1
- (0,0,1,0,1) leading to 0
- (0,0,1,0,0) leading to 0
The configurations (0,0,1,1,1) and (0,0,1,0,1) are identical except for process p4.
Proof 9/(10) to 10/(10)
We know there exist inputs (p1, p2, p3, p4, p5) such that (0,0,1,1,1) leads to 1 and (0,0,1,0,1) leads to 0, and the two differ only in p4.
The consensus algorithm should tolerate p4 crashing! So (0,0,1,X,1), with p4 silent, leads to ? (either 0 or 1).
- If it leads to 1, then depending on whether p4 crashes or not, (0,0,1,0,1) either leads to 0 or 1 (bivalent).
- If it leads to 0, then depending on whether p4 crashes or not, (0,0,1,1,1) either leads to 0 or 1 (bivalent).
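The flipping argument of Proof 2 to 10, as an added Python example that is not from the slides: `flip_path` builds the sequence of initial configurations, `neighbors_with_different_outcomes` finds the adjacent pair with different outcomes, and `bivalent_initial` applies the crash argument to name the bivalent one. The two decision oracles are constructed stand-ins for a hypothetical algorithm (an assumption), chosen so that the outcomes match the ones the slides assume.

```python
def decide_failure_free(inputs):
    """Constructed oracle (assumption): outcome of the failure-free run of a
    hypothetical algorithm that simply decides the input of p4 (index 3).
    This reproduces the outcomes the slides assume along their flipping path."""
    return inputs[3]

def decide_with_silent(inputs, crashed):
    """Constructed oracle (assumption): outcome of the run in which process
    `crashed` never takes a step (majority of the others, ties resolved to 1)."""
    rest = [v for i, v in enumerate(inputs) if i != crashed]
    return 1 if rest.count(1) >= rest.count(0) else 0

def flip_path(start, end):
    """Initial configs from start to end, flipping one differing input at a time
    in process order (p1, p2, ...), as on the Proof 2 to 6 slides."""
    path, cur = [tuple(start)], list(start)
    for i, target in enumerate(end):
        if cur[i] != target:
            cur[i] = target
            path.append(tuple(cur))
    return path

def neighbors_with_different_outcomes(start, end, decide):
    """The first two adjacent configs on the path with different outcomes; they
    must exist because the outcome changes from decide(start) to decide(end)."""
    path = flip_path(start, end)
    for a, b in zip(path, path[1:]):
        if decide(a) != decide(b):
            return a, b
    raise ValueError("start and end must have different outcomes")

def bivalent_initial(start, end, decide, decide_silent):
    """Return (config, p): an initial config that is bivalent and the single
    process p whose crash decides which way it goes. Since a and b differ only
    in p, the run with p silent has the same outcome from both; the neighbour
    whose failure-free outcome differs from that outcome can reach both decisions."""
    a, b = neighbors_with_different_outcomes(start, end, decide)
    p = next(i for i in range(len(a)) if a[i] != b[i])
    silent_outcome = decide_silent(a, p)       # equal to decide_silent(b, p)
    return (a if decide(a) != silent_outcome else b), p
```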
Initial Bivalence
Intuition: given any algorithm, we can find some start state that, depending on the failure of one process, will either lead to a 0-decide or a 1-decide.
Figure: the bivalent initial config { P1_state, P2_state, P3_state, P4_state, {msg1} } has a 1-valent successor { P1_state, P2_state2, P3_state, P4_state, {msg1} } (leading on to { decide-1, P2_state2, P3_state2, P4_state, {msg1, msg2} } and { P1_state, P2_state, decide-1, P4_state, {msg1, msg2} }) and a 0-valent successor { P1_state, P2_state, P3_state, P4_state, {msg1, msg2} } (leading on to { decide-0, P2_state, P3_state, P4_state, {msg2} } and { decide-0, decide-0, P3_state, decide-0, {} }).
Order of events
Intuition: the order in which two applicable events are executed is not important!
Order Theorem: let ep and eq be two events on two different nodes p and q which are both applicable in config C. Then ep can be applied to eq(C), eq can be applied to ep(C), and ep(eq(C)) = eq(ep(C)).
Definitions
- A schedule is a sequence of events <e1, e2, …, ek>.
- A schedule <e1, e2, …, ek> is applicable in config C iff e1 is applicable in C, e2 is applicable in e1(C), e3 is applicable in e2(e1(C)), ...
- If the config resulting from applying the schedule to C is D, we write (C)=D.
Order of sequences
Diamond Theorem: let sequences 1 and 2 be applicable in configuration C, and let no node participate in both 1 and 2. Then 2 is applicable in 1(C), 1 is applicable in 2(C), and 1(2(C)) = 2(1(C)).
Proof: by induction using the order theorem.
Illustration of Diamond Theorem
Figure: a diamond with C at the top, the configurations 1(C) and 2(C) on either side (reached by sequences 1 and 2), and D at the bottom, reached from 1(C) by 2 and from 2(C) by 1, so that D = 2(1(C)) = 1(2(C)).
Bivalent Configuration
Any configuration of the 1-robust consensus algorithm is exactly one of these three: bivalent, 0-valent, 1-valent.
Why? Any configuration leads to a decide (termination). We know bivalent configurations exist. If a configuration is not bivalent, it must lead to either a 0-decide or a 1-decide, so it is either 0-valent or 1-valent.
Bivalent Configurations
In any bivalent config, either one applicable event goes to a bivalent config (Case 1), or there exist two applicable events leading to a 0-valent and a 1-valent configuration respectively (Case 2).
Figure: Case 1 shows a bivalent config with an event to another bivalent config; Case 2 shows a bivalent config with one event to a 0-valent config and another event to a 1-valent config.
Main lemma: Staying Bivalent
Bivalency Preservation Lemma: given any bivalent config and any event e applicable in it, there exists a reachable config where e is applicable and where applying e yields a bivalent config.
Figure (Lemma 2 illustration): from the bivalent config, a path of other events (possibly empty) leads to a config in which e is applicable and in which e leads to a bivalent config; the legend marks such a path as ”possible”.
Proof definitions
- Assume e involves process p.
- Let C be all possible configs reachable from the bivalent config without applying e; the bivalent config itself is in C as well.
- Apply event e to all configs in C and call the resulting configs D.
Figure (Lemma 2 illustration): the set C of configs reachable from the bivalent config without applying e, and the set D obtained by applying e to each config in C.
Proof intuition
- We will prove that D contains a bivalent config, by contradiction.
- That is, assume there is no bivalent config in D, and show that this leads to a contradiction.
Figure: the same Lemma 2 illustration, with the sets C and D marked.
Proof Map
- Assume there is no bivalent config in D.
- Then all configs in D are 0-valent or 1-valent.
- Show that there exists a 0-valent and a 1-valent config in D.
- Show that there exist two neighboring configs c0 and c1 = f(c0) in C with d0 = e(c0) and d1 = e(c1), where d0 is 0-valent and d1 is 1-valent.
- Show this is a contradiction.
- The assumption must be incorrect: D must contain a bivalent configuration.
Figure: c0 and c1 = f(c0) in C, with e leading from c0 to d0 and from c1 to d1 in D.
Proof
- Assume D contains no bivalent configs, i.e. all configs in D are either 0-valent or 1-valent.
- We next show that there exists a 0-valent config in D, and there exists a 1-valent config in D.
Proof
- We can reach a 0-valent and a 1-valent config from the bivalent config (by its bivalency). Call them the 0-valent one and the 1-valent one.
- If the 0-valent config is in C, then applying e to it gives a config in D that is 0-valent.
- If the 0-valent config is not in C, then there exists a config on the path to it that is in C, and applying e to that config gives a config in D that can reach the 0-valent config and is therefore 0-valent (NB: we assumed there is no bivalent config in D).
- A symmetric argument shows there is a 1-valent config in D.
Figure: the Lemma 2 illustration in two cases, one where the 1-valent config is in C and one where the 1-valent config is not in C.
Reflection
- Now we know D must contain a 0-valent and a 1-valent config.
- Call the 0-valent and 1-valent configs in D d0 and d1.
Deriving the contradiction
There must exist two configs c0 and c1 in C such that c1 = f(c0), d0 = e(c0) and d1 = e(c1).
Figure: c0 and c1 = f(c0) in C, with e leading from c0 to d0 and from c1 to d1 in D.
Let’s see why!
Proving two neighbors exist 1(4) to 4(4)
- We know the starting config is bivalent, and applying e to it gives a config in D that is either 0-valent or 1-valent; assume it is 0-valent.
- There is a reachable 1-valent config in D.
- e is applicable in each config on the path to it, and each config obtained by applying e must be 0-valent or 1-valent.
- Hence there exist two neighbors on the path, one whose e-successor is 0-valent and one whose e-successor is 1-valent.
Figure: the path of configs (numbered 0 to m) in C, successive configs connected by events f0, f1, f2, f3, …, with e applied to each; the e-successors in D are labelled 0-valent for the first config, then x-valent, y-valent, z-valent, … until the last one, which is 1-valent, so somewhere along the path the valency switches from 0 to 1 between two neighbors.
Neighbors lead to contradiction 1(3)
There exist two neighbors, one 1-valent and one 0-valent. Either events e and f happen on the same node or not; both cases will lead to contradictions.
Figure: the two neighbors in C connected by f, with e leading from them to a 0-valent and a 1-valent config in D.
Neighbors lead to contradiction 2(3)
- We now know there exist two configs c0 and c1 in C such that c1 = f(c0), d0 = e(c0) and d1 = e(c1).
- Assume e and f happen on two different processes p and q. Then the order of their execution can be exchanged (diamond theorem): f(d0) = f(e(c0)) = e(f(c0)) = d1.
- Contradiction, as d0 is 0-valent but it leads to the 1-valent config d1; hence d0 must be bivalent, but we assumed no bivalent configs exist in D.
Figure: c0 and c1 = f(c0) in C, d0 = e(c0) (0-valent) and d1 = e(c1) (1-valent) in D, with f also leading from d0 to d1.
Neighbors lead to contradiction 3(3)
- We know there exist two configs c0 and c1 in C s.t. c1 = f(c0), d0 = e(c0) and d1 = e(c1).
- Assume e and f happen on the same node p. If p is silent, then the algorithm must still terminate correctly: from c0 there is a schedule containing no event on p that leads to a config A in which everyone has decided.
- By the diamond theorem, that schedule can be exchanged with e, so applying e to A gives a config reachable from d0, which is 0-valent; likewise it can be exchanged with f followed by e, so applying f and then e to A gives a config reachable from d1, which is 1-valent.
- Contradiction: A can reach both a 0-valent and a 1-valent config, so A would be bivalent, but all nodes in A have already decided.
Figure: c0 and c1 = f(c0) in C with d0 = e(c0) (0-valent) and d1 = e(c1) (1-valent) in D; the p-free schedule leads from c0 to A, and by the diamond theorem e, and f followed by e, lead from A to a 0-valent and a 1-valent config respectively.
FLP Impossibility Theorem
No deterministic 1-crash-robust consensus algorithm exists for the asynchronous model.
Proof
1. Start in an initial bivalent config (Lemma 1).
2. Given the bivalent config, pick the event e that has been applicable longest. Pick the execution taking us to another config where e is applicable. Apply e, and get a bivalent config (Lemma 2).
3. Repeat 2.
Summary
- We have proved that a 1-crash-resilient deterministic consensus algorithm does not exist.
- Hence, there always exists an execution which stays in bivalent configs and still keeps applying all applicable events in a fair order!
- All correct nodes execute an infinite number of events, all messages are delivered, and still no decision is reached!
- Circumventing FLP impossibility: probabilistically (randomization); partial synchrony (e.g. failure detectors).