Distributed Computing (1986) 1:26-39

Easy impossibility proofs for distributed consensus problems

Michael J. Fischer¹, Nancy A. Lynch², and Michael Merritt³

¹ Department of Computer Science, Yale University, P.O. Box 2158, New Haven, CT 06520, USA
² Laboratory for Computer Science, Massachusetts Institute of Technology, 545 Technology Square, Cambridge, MA 02139, USA
³ AT&T Bell Laboratories, 600 Mountain Ave, Murray Hill, NJ 07974, USA, and Laboratory for Computer Science, Massachusetts Institute of Technology, 545 Technology Square, Cambridge, MA 02139, USA

Michael J. Fischer is currently Professor of Computer Science at Yale University, New Haven, CT, where he heads the Theory of Computation Group. He is also Editor-in-Chief of the Journal of the Association for Computing Machinery. His research interests include theory of distributed systems, cryptographic protocols, and computational complexity. Dr. Fischer received the B.S. degree in mathematics from the University of Michigan, Ann Arbor, in 1963, and the M.A. and Ph.D. degrees in applied mathematics from Harvard University, Cambridge, MA, in 1965 and 1968, respectively. He has taught previously at Carnegie-Mellon University, the Massachusetts Institute of Technology, and the University of Washington.

Nancy Lynch is currently Associate Professor of Computer Science at M.I.T., and heads the Theory of Distributed Systems group in M.I.T.'s Laboratory for Computer Science. Her interests are in all aspects of distributed computing theory, including formal models, algorithms, analysis, and correctness proofs. Dr. Lynch received the B.S. degree in mathematics from Brooklyn College in 1968 and the Ph.D. degree in mathematics from M.I.T. in 1972. She has served on the faculty of Tufts University, the University of Southern California, Florida International University, ...

Michael Merritt is currently a member of the technical staff with AT&T Bell Laboratories. During the 1984-85 academic year, he was a visiting lecturer at M.I.T., sponsored by Bell Labs. His research interests include distributed computation, cryptography and security. Dr. Merritt received the B.S. degree in computer science and philosophy from Yale in 1978 and the M.Sc. and Ph.D. degrees in 1980 and 1983, respectively, both in information and computer science from Georgia Tech. He is a member of SIGACT and of Computer Professionals for Social Responsibility.

Abstract. Easy proofs are given of the impossibility of solving several consensus problems (Byzantine agreement, weak agreement, Byzantine firing squad, approximate agreement and clock synchronization) in certain communication graphs. It is shown that, in the presence of m faults, no solution to these problems exists for communication graphs with fewer than 3m+1 nodes or less than 2m+1 connectivity. While some of these results had previously been proved, the new proofs are much simpler, provide considerably more insight, apply to more general models of computation, and (particularly in the case of clock synchronization) significantly strengthen the results.

Key words: Agreement - Fault tolerance

Offprint requests to: M.J. Fischer

This paper has appeared in the ACM Conference Proceedings of PODC 1985. © 1985, Association for Computing Machinery, reprinted by permission.

M.J. Fischer et al.: Easy impossibility proofs for distributed consensus problems 27

1 Introduction

In this paper, we present easy proofs for the impossibility of solving several consensus problems in particular communication graphs. We prove results for Byzantine agreement, weak agreement, the Byzantine firing squad problem, approximate agreement and clock synchronization. The bounds are all the same: tolerating m faults requires at least 3m+1 nodes, and requires at least 2m+1 connectivity in the communication graph. (The connectivity of a graph is the minimum number of nodes whose removal disconnects the graph. Also, we assume throughout that graphs have at least three nodes.) For a given value of m, we call graphs with fewer than 3m+1 nodes or less than 2m+1 connectivity inadequate graphs.

Each of our proofs is an argument by contradiction. We assume that a given problem can be solved in a system with an inadequate communication graph, and construct a set of system behaviors which cannot all satisfy the correctness conditions for the given problem, although they are required to do so. Versions of many of the results were already known, with proofs of this same general form. Our proofs differ from the earlier proofs in the technique we use to construct the set of behaviors. Our technique is simpler, and applies to more general models of distributed computation.

For Byzantine agreement, both bounds were already known [12, 5]. The 3m+1 node lower bound in [12] was proved only for a particular synchronous model of computation. Although carefully done, the proof is somewhat complicated and not as intuitive as one might like. In contrast, our proof is simple and transparent, and applies to general models of computation. A proof of the 2m+1 connectivity lower bound was presented informally in [5]; we prove that bound more formally and for more general models.

For weak Byzantine agreement, the requirement of 3m+1 nodes was known [9], but was proved using a complicated construction. The new proof is easy and extends to more general models (although not as general as those for Byzantine agreement and approximate agreement). The 2m+1 connectivity requirement was previously unknown. The result for the Byzantine firing squad problem follows from a reduction to weak agreement in [4]. We provide a direct proof. For approximate agreement, the 3m+1 bound was noted, but not proved, in [7], while the 2m+1 connectivity requirement was previously unknown.

For clock synchronization, the 3m+1 node bound was proved in [6], with a complicated proof. The authors of [6] also claimed that they knew how to prove the corresponding 2m+1 connectivity lower bound, but we presume that such a proof would also be complicated. We prove both the 3m+1 node and the 2m+1 connectivity bounds, for a much more general notion of clock synchronization than in [6]. These synchronization bounds assume that there is no direct way for nodes to measure the passage of time, other than by reading their inaccurate hardware clocks.

Since we obtain the same lower bounds for each problem, one might think that the problems are equivalent in some sense. This is not the case. We see that the bounds for the different problems require different assumptions about the underlying model. For example, the lower bounds for Byzantine and approximate agreement work with virtually any reasonable computational model, while the lower bound for weak agreement requires a special assumption, placing a bound on the rate of propagation of information through the system. The bound for clock synchronization requires a different assumption about how devices can measure time. Many of the results are sensitive to small differences in underlying assumptions (about such factors as communication delay or the behaviors of faulty nodes). This paper helps to clarify these issues.

2 A model of distributed systems

In order to make the impossibility results clear, concise and general, we introduce a simple model of distributed systems.

A communication graph is a directed graph G with node set nodes(G) and edge set edges(G), such that the directed edges occur in pairs: edge (u, v) ∈ edges(G) if and only if (v, u) ∈ edges(G). (We consider a pair of directed edges rather than a single undirected edge in order to model the communication in each direction separately.) We call the edge (u, v) an outedge of u, and an inedge of v. Given U a subset of nodes(G), the subgraph G_U induced by U is the graph containing all the nodes in U and all the edges between nodes in U. The inedge border of G_U is the set of edges from nodes outside U into U; that is, edges(G) ∩ ((nodes(G) \ U) × U).

A system 𝒮 is a communication graph G with an assignment of a device and an input to each node of G. Devices are undefined primitive objects. The specific inputs we consider are encodings of Booleans, real numbers or real-valued functions of time (e.g., local clocks). The particular type of input depends on the agreement problem addressed. If a node is assigned device A in system 𝒮, we say that the node runs A. A subsystem 𝒰 of 𝒮 is any subgraph G_U of G with the associated devices and inputs.

Every system 𝒮 has a system behavior, ℰ, which is a tuple containing a behavior of every node and edge in G. (We also describe ℰ as a behavior of the communication graph G. Note that a system has exactly one behavior, while a graph may have several, depending on the devices and inputs assigned to the nodes.) The restriction of a system behavior ℰ to the behaviors of the nodes and edges of a subgraph G_U of G is the scenario ℰ_U of G_U in ℰ.

For now, we take node and edge behaviors as primitives. In more concrete and familiar models, a node or edge behavior might be a finite or infinite sequence of states, or a mapping from the positive reals to some state set, denoting state as a function of time. (We use the latter interpretation for later results.) Less familiar models might interpret behaviors as mappings from reals to states, or from transfinite ordinals to states. To obtain our first results, the precise interpretation of node and edge behaviors is unimportant. We need only restrict our model so that the following two axioms hold. (We assume these two axioms throughout the paper. Some of the later results require additional assumptions.)

Locality axiom. Let 𝒮 and 𝒮' be systems with behaviors ℰ and ℰ', respectively, and isomorphic subsystems 𝒰 and 𝒰'. If the behaviors of the inedge borders of 𝒰 and 𝒰' in ℰ and ℰ' are identical, then the corresponding behaviors of 𝒰 and 𝒰' (scenarios) are the same.¹

Clearly, some such locality property must hold, or agreement is trivially achievable by having devices read other devices' inputs directly.

Fault axiom. Let A be any device. Let E_1, ..., E_d be d edge behaviors, such that each E_i is the behavior of the i'th outedge, in some system behavior ℰ_i, of a node running A. Let u be any node with d outedges (u, v_1), ..., (u, v_d). There is a device F such that in any system in which u runs F, the behavior of each outedge (u, v_i) is E_i. In this case, we write F_A(E_1, ..., E_d) for F.

This axiom expresses a powerful masquerading capability of failed devices. Any behavior exhibited by a device over different edges in different behaviors can be exhibited by a failed device in a single system behavior. When this axiom is significantly weakened (say, by adding an unforgeable signature assumption), the following impossibility results do not hold [10, 12].

In order to establish the relevance of our impossibility results to more concrete models of distributed systems, it is sufficient to interpret our definitions in the particular model and then to prove the Locality and Fault axioms.

Our proofs utilize the graph-theoretic notion of a covering. For any graph G, let neighbors = {(u, V) | u is a node of G and V is the set of all nodes v such that there is an edge from v to u in G}. A graph S covers G if there is a mapping φ from the nodes of S to the nodes of G that preserves "neighbors". That is, if node u of S has d neighbors v_1, ..., v_d, and φ(u) = w for a node w of G, then w has d neighbors x_1, ..., x_d and φ(v_i) = x_i for 1
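The covering condition just defined, and the two ways Sect. 3 builds a covering graph S from two copies of an inadequate graph G (swapping the edges between the sets a and c across the copies for the 3m+1 node bound, and swapping the edges between a and one side of a small separator for the 2m+1 connectivity bound), can be checked mechanically. The Python below is an added example and not code from the paper; the function names and the constructed sample graphs TRIANGLE (the three-node G of Sect. 3.1) and DIAMOND (the four-node G of Sect. 3.2, in which b and d separate a from c) are ours. It builds both covering graphs and verifies that φ maps each node's neighbors one-to-one onto the neighbors of its image.

```python
# Added example, not code from Fischer, Lynch and Merritt's paper: build the
# two-fold covering graphs S used in Sect. 3 from two copies of G and check
# the neighbor-preserving condition of Sect. 2 mechanically.  The function
# names and the sample graphs TRIANGLE and DIAMOND are ours.
from collections import deque


def directed(pairs):
    """The paper's communication graphs are directed, with edges in pairs:
    (u, v) is an edge iff (v, u) is.  Build that from undirected pairs."""
    edges = set()
    for u, v in pairs:
        edges.add((u, v))
        edges.add((v, u))
    return edges


def neighbors(edges, u):
    """Nodes v with an edge (v, u): the 'neighbors' set of Sect. 2."""
    return {v for (v, w) in edges if w == u}


def is_covering(s_edges, g_edges, phi):
    """phi: nodes(S) -> nodes(G) is a covering if, for every node u of S,
    it maps the neighbors of u one-to-one onto the neighbors of phi(u)."""
    for u in {x for e in s_edges for x in e}:
        image = [phi[v] for v in neighbors(s_edges, u)]
        if len(set(image)) != len(image):              # not one-to-one
            return False
        if set(image) != neighbors(g_edges, phi[u]):   # not onto
            return False
    return True


def two_fold_cover(g_edges, crossed):
    """Take two copies of G, tagged 0 and 1.  Each edge whose endpoint pair
    is in `crossed` is rewired to run between the copies; every other edge
    stays inside its copy.  Returns edges(S) and the map phi: S -> G."""
    s_edges = set()
    for (p, q) in g_edges:
        for copy in (0, 1):
            other = 1 - copy if frozenset((p, q)) in crossed else copy
            s_edges.add(((p, copy), (q, other)))
    phi = {node: node[0] for e in s_edges for node in e}
    return s_edges, phi


def edges_between(g_edges, xs, ys):
    """Endpoint pairs of the edges with one end in xs and the other in ys."""
    return {frozenset((p, q)) for (p, q) in g_edges if p in xs and q in ys}


def node_bound_cover(g_edges, a, c):
    """Sect. 3.1: swap the edges between the sets a and c across the copies
    (the u-w and x-z edges become u-z and x-w edges)."""
    return two_fold_cover(g_edges, edges_between(g_edges, a, c))


def connectivity_cover(g_edges, a, d):
    """Sect. 3.2: swap the edges between the set a and one side d of the
    separator across the copies; the a-b edges stay within their copy."""
    return two_fold_cover(g_edges, edges_between(g_edges, a, d))


def disconnects(g_edges, removed):
    """True if deleting the nodes in `removed` leaves the graph disconnected
    (so removing a separator of size s witnesses c(G) <= s)."""
    nodes = {x for e in g_edges for x in e} - set(removed)
    start = next(iter(nodes))
    seen, queue = {start}, deque([start])
    while queue:
        u = queue.popleft()
        for v in neighbors(g_edges, u) - set(removed) - seen:
            seen.add(v)
            queue.append(v)
    return seen != nodes


def ring_order(s_edges, start):
    """Cyclic node order of a 2-regular S, walked from `start`."""
    order, prev, cur = [start], None, start
    while True:
        nxt = next(v for v in neighbors(s_edges, cur) if v != prev)
        if nxt == start:
            return order
        order.append(nxt)
        prev, cur = cur, nxt


# Constructed sample graphs: the triangle of Sect. 3.1 (n = 3, m = 1) and
# the four-node graph of Sect. 3.2, in which b and d separate a from c.
TRIANGLE = directed([("a", "b"), ("b", "c"), ("c", "a")])
DIAMOND = directed([("a", "b"), ("a", "d"), ("b", "c"), ("c", "d"), ("b", "d")])

if __name__ == "__main__":
    s, phi = node_bound_cover(TRIANGLE, {"a"}, {"c"})
    print(is_covering(s, TRIANGLE, phi), [phi[x] for x in ring_order(s, ("a", 0))])
    s2, phi2 = connectivity_cover(DIAMOND, {"a"}, {"d"})
    print(disconnects(DIAMOND, {"b", "d"}), is_covering(s2, DIAMOND, phi2))
```

For the triangle, `node_bound_cover` produces the six-node ring A, B, C, A, B, C of Sect. 3.1; for the four-node graph, `connectivity_cover` produces the eight-node graph of Sect. 3.2, in which each A is adjacent to the B of its own copy and the D of the other copy. Two points the code makes visible: any set of crossed edges yields a covering, so `is_covering` alone does not capture the proof, whose content lies in the devices and inputs assigned to the nodes of S; and crossing both of a's edges (to b and to d) merely relabels the copies and yields two disjoint copies of G, which is why the construction crosses the edges toward one side of the separator only.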

A_1, ..., A_n (which we call agreement devices), with the following properties. Each agreement device A_i takes a Boolean input and chooses 1 or 0 as a result. (To model choosing a result, assume there is a function CHOOSE from behaviors of nodes running agreement devices to the set {0, 1}.) A node u of G is correct in a behavior ℰ of G if node u runs A_u in ℰ. Any system behavior ℰ of G in which at least n − m nodes are correct is a correct system behavior. Correct system behaviors must satisfy the following conditions.

Agreement. Every correct node chooses the same value.

Validity. If all the correct nodes have the same input, that input must be the value chosen.

Theorem 1. Byzantine agreement is not possible in inadequate graphs.

3.1 Number of nodes

We begin with the lower bound of 3m+1 for the number of nodes required for Byzantine agreement. First consider the case where |G| = n = 3 and m = 1. Assume that the problem can be solved for the communication graph G consisting of three nodes fully connected by communication edges. Let the three nodes of G be a, b and c, and assume that they run agreement devices A, B and C, respectively. We represent each pair of directed edges by a single undirected edge, and label the nodes with the devices they run.

[Figure: the triangle graph G, with node a (running A) at the top and nodes b and c (running B and C) below; every pair of nodes is connected.]

The covering graph S is as follows.

[Figure: the covering graph S, a six-node ring u, v, w, x, y, z whose nodes run devices A, B, C, A, B, C, respectively.]

This graph looks locally like G under the mapping φ defined by φ(u) = φ(x) = a, φ(v) = φ(y) = b and φ(w) = φ(z) = c. Now specify the system by assigning devices and inputs for the nodes in S as follows.

[Figure: S with inputs: u (A) 0, v (B) 0, w (C) 0, x (A) 1, y (B) 1, z (C) 1.]

By this we mean that node u runs device A of G with input 0, node v runs B with input 0, and so on. Let 𝒮 denote the resulting behavior of the system; 𝒮 includes a behavior for each of the six nodes and twelve directed edges in S. Now consider scenarios 𝒮_vw, 𝒮_wx and 𝒮_xy in 𝒮, where each consists of the behaviors of the two indicated nodes in S, along with the activity over the two connecting edges. We argue that each of these scenarios is identical to a scenario in a correct behavior of G. The first scenario, 𝒮_vw, is shown below.

[Figure: scenario 𝒮_vw (nodes v and w, running B and C with input 0) beside the behavior ℰ_1 of G, in which node a runs F and nodes b and c run B and C with input 0.]

This scenario is the behavior in 𝒮 of nodes v and w, together with that of the communication edges between v and w. Now consider the behavior ℰ_1 of G in which node b runs B on input 0, node c runs C on input 0, and node a runs a device that mimics node u in talking to b, and mimics node x in talking to c. Formally, if E_(u,v) and E_(x,w) are the indicated edge behaviors in 𝒮, node a runs device F_A(E_(u,v), E_(x,w)) (we have written just F in the figure). This device exists, by the Fault axiom, and in the resulting behavior, the edges from node a to node b and to node c have behaviors E_(u,v) and E_(x,w), respectively. By the Locality axiom, the scenario containing b and c's behaviors in ℰ_1 is identical to 𝒮_vw. Validity requirements ensure that node b and node c must choose 0 in ℰ_1. Since their behavior is identical in 𝒮, v and w choose 0 in 𝒮.

Next, consider scenario 𝒮_wx.

[Figure: scenario 𝒮_wx (node w running C with input 0 and node x running A with input 1) beside the behavior ℰ_2 of G, in which node b runs F.]

This scenario includes the behavior of nodes w and x in 𝒮. It is also the behavior of nodes a and c in a behavior ℰ_2 of G which results when they run their devices A and C on inputs 1 and 0, respectively, and node b is faulty, exhibiting the same behavior to node c that v exhibits to w in 𝒮, and the same behavior to node a that y exhibits to x in 𝒮. The behavior of node c in ℰ_2 is identical to that of node w in 𝒮, so node c chooses 0 in ℰ_2, from the argument above. By agreement, node a decides 0 in ℰ_2. Thus node x decides 0 in 𝒮.

Now consider the third scenario, 𝒮_xy.

[Figure: scenario 𝒮_xy (nodes x and y, running A and B with input 1) beside the behavior ℰ_3 of G, in which node c runs F.]

This scenario is the behavior of nodes x and y in 𝒮. It is also the behavior of nodes a and b in a correct behavior ℰ_3 of G which results when they both run their devices on input 1, and node c is faulty, exhibiting the same behavior to node a that w exhibits to x in 𝒮, and the same behavior to node b that z exhibits to y in 𝒮. Validity requirements ensure that nodes a and b must choose 1. Thus nodes x and y choose 1. But we have already established that node x must choose 0, a contradiction.

Now consider the general case of |G| = n ≤ 3m. Partition the nodes of G into three sets, a, b and c, so that a, b and c each have at least 1 and at most m nodes. This means that any two sets together contain at least n − m nodes. The nodes in each set are running agreement devices, and we denote by A the set of devices running at the nodes in a, and similarly for B and C. Now construct the covering graph S in the obvious way. Briefly, take two copies of G, and label the sets a, b and c in each copy by u, v and w, respectively, in one copy, and x, y and z in the other. Now replace the edges between nodes in u and w and between nodes in x and z by corresponding edges between u and z and between x and w. Assign devices to nodes of S according to their corresponding node in G. We represent the covering graph S and assigned devices exactly as above, so that the edges depicted between two sets of nodes in S, say sets u and v, are now a shorthand representation for all the edges in S between nodes in set u and nodes in set v. The inputs depicted for the sets of devices A, B and C are assigned to all the devices in the respective sets. The arguments proceed exactly as in the preceding pictures. We consider only one in detail.

[Figure: scenario 𝒮_vw for the sets v and w (devices B and C, input 0) beside the behavior ℰ_1 of G, in which the nodes of set a run faulty devices F and the sets b and c run B and C with input 0.]

This scenario is now the behavior of the sets of nodes v and w in the behavior 𝒮. It is the same as the behavior of the sets b and c in a behavior ℰ_1 of G in which all nodes in both sets run their devices with input 0 and the nodes in set a exhibit the same behavior to members of b that the corresponding nodes in set u exhibit to the members of v in 𝒮, and the same behavior to nodes in c that the corresponding nodes in set x exhibit to the members of w in 𝒮. Since sets b and c together contain at least n − m correct nodes, ℰ_1 is a correct behavior of G. Thus, all the nodes in b and c must decide 0, by the validity condition, and c contains at least one node, by construction.

3.2 Connectivity

Now we carry out the 2m+1 connectivity lower bound proof. Let c(G) denote the connectivity of G. We assume we can achieve Byzantine agreement in a graph G with c(G) ≤ 2m, and derive a contradiction.

For now, we consider the case m = 1 and the communication graph G of four nodes a, b, c and d, running devices A, B, C and D, as indicated below.

[Figure: the four-node graph G: node a (running A) at the top, nodes b and d (running B and D) in the middle, node c (running C) at the bottom, with edges a-b, a-d, b-d, b-c and c-d.]

The connectivity of G is two; the two nodes b and d disconnect G into two pieces, the nodes a and c.

We consider the following system, with the eight-node graph S and devices and inputs as indicated.

[Figure: the eight-node covering graph S, built from two copies of G: each node running A is adjacent to the B of its own copy and the D of the other copy, so that the graph reads C, then D and B, then A and A, then B and D, then C from top to bottom. The nodes of one copy have input 0 and those of the other copy have input 1.]

The resulting behavior of the system is 𝒮. We consider three scenarios in 𝒮: 𝒮_1, 𝒮_2 and 𝒮_3. The first scenario, 𝒮_1, is shown below.

[Figure: scenario 𝒮_1: the nodes running A, B and C with input 0, together with the two nodes running D that are adjacent to them.]

This is also a scenario in a correct behavior ℰ_1 of G. In ℰ_1, nodes a, b and c are correct. Node d is faulty, exhibiting the same behavior to node a as one node running D in the covering graph, and the same behavior to b and c as the other node running D exhibits in the covering graph. Then nodes a, b and c must choose 0 in ℰ_1, and so must the nodes running A, B and C in 𝒮_1.

Now consider the second scenario, 𝒮_2.

[Figure: scenario 𝒮_2: the node running C and the node running D with input 0, and the node running A with input 1 that is adjacent to that D, together with the two nodes running B that are adjacent to them.]

This scenario in 𝒮 is also a scenario in a correct behavior ℰ_2 of G in which nodes c, d and a are correct. This time, node b is faulty, exhibiting the same behavior to nodes c and d as one node running B in the covering, and the same behavior to node a as the other node running B. So nodes a, c and d must agree in ℰ_2, and so do the corresponding nodes in 𝒮_2. Since the node running C chooses 0 from the argument above, the nodes running D and A in 𝒮_2 choose 0, too.

Finally, consider the last scenario, 𝒮_3.

[Figure: scenario 𝒮_3: the nodes running A, B and C with input 1, together with the two nodes running D that are adjacent to them.]

This scenario is again the same as a scenario in a behavior ℰ_3 of G in which nodes a, b and c are correct, but have input 1. Node d is faulty, exhibiting the same behavior to node a that one node running D in the covering graph exhibits, and the same behavior to nodes b and c as the other D in the covering exhibits. Then nodes a, b and c choose 1 in ℰ_3, and so must the nodes running A, B and C in 𝒮_3, contradicting the argument above that the node running A chooses 0.

The general case for arbitrary c(G) ≤ 2m is an easy generalization of the case for m = 1. The same pictures are used. Just choose b and d to be sets consisting of at most m nodes each, such that removing the nodes in b and d from G disconnects two nodes u and v of G. Let G' be the graph obtained by removing b and d from G, let the set a contain those nodes connected to u, and the set c contain the remaining nodes of G' (c contains at least one node, v). Construct S as before, by taking two copies of G and rearranging edges between the 'a' sets and their neighbors. The nodes and edges in our figures are now a shorthand for the actual nodes and edges of G and S.

This completes the proof of Theorem 1. □

The succeeding impossibility results for other consensus problems follow the same general form as the two arguments above. We assume a problem can be solved by specific devices in an inadequate graph G, install the devices in a graph S that covers G, and provide appropriate inputs. Using the Locality and Fault axioms, we argue the existence of a sequence of correct behaviors of G that have node and edge behaviors identical to some of those in the behavior of S. (This sequence was (ℰ_1, ℰ_2, ℰ_3) in the argument above.) By the agreement condition, correct nodes in each of the behaviors of G have to agree. Because each successive pair of system behaviors has a correct node behavior in common, all of the correct nodes in all the behaviors in the sequence have to agree. But by the validity condition, correct nodes in the first behavior in the sequence must choose different values than those in the last behavior, a contradiction.

As we indicated in the introduction, a less general version of Theorem 1 was previously known, and the structure of our proofs is very similar to that of earlier proofs [12, 5]. Our proof differs in the construction of the system behaviors ℰ_1, ℰ_2 and ℰ_3. Earlier results construct these behaviors inductively, in less general models of distributed systems. The detailed assumptions of the models are necessary to carry out the tedious and involved constructions. Rather than construct the behaviors explicitly, we build them from pieces (node and edge behaviors) extracted from actual runs of the devices in a covering graph. The Locality and Fault axioms imply that scenarios in the covering graph are also found in correct behaviors of the original inadequate graph.

The model used to obtain these results is an extremely general one, but it does assume that systems behave deterministically. (For every set of inputs, a system has a single behavior.) By considering a system and inputs as determining a set of behaviors, nondeterminism may be introduced in a straightforward manner. One changes the Locality axiom to express the following: if there exist behaviors of two systems in which the inedge borders of two isomorphic subsystems are identical, there exist such behaviors in which the behaviors of the subsystems are also identical. Using this axiom, the same proofs suffice to show that nondeterministic algorithms cannot guarantee Byzantine agreement.

4 Weak agreement

Now we give our impossibility results for the weak agreement problem. As in the Byzantine agreement case, nodes have Boolean inputs, and must choose a Boolean output. The agreement condition is the same as for Byzantine agreement: all correct nodes must choose the same output. The validity condition is weaker, however.

Agreement. Every correct node chooses the same value.

Validity. If all nodes are correct and have the same input, that input must be the value chosen.

The weaker validity condition has an interesting impact on the agreement problem. If any correct node observes disagreement or faulty behavior, then all are free to choose a default value, so long as they still agree. Lamport notes that there are devices for reaching a form of approximate weak consensus, which work when |G| < 3m. Running these for an infinite time produces exact consensus (at the limit) [9]. In such infinite behaviors, if any correct node observes disagreement or faulty behavior, it has plenty of time to notify the others before they choose a value. Thus, strengthening the choice condition to prohibit such infinite solutions is necessary to obtain the lower bound.

We must also bound communication delays away from zero, or a similar type of infinite behavior is possible. In fact, if we assume there is no lower bound on transmission delay, and that devices can control the delay and have synchronized clocks, we have found an algorithm for reaching weak consensus. This algorithm requires at most two broadcasts per node, all with non-zero transmission delay, and works with any number of faults. Again, this is because any correct node which observes disagreement or faulty behavior has plenty of time to notify the others before they choose a value.²

² Nodes start at time 0, and decide at time 1. They broadcast their value at time 0, specifying it to arrive at time 1/2. If a node first detects disagreement or failure (at time 1 − t), it broadcasts a "failure detected, choose default value" message, specifying it to arrive at time 1 − t/2. The obvious decision is made by everyone at time 1.

In more realistic models it is impossible to reach weak consensus in inadequate graphs. To show this, the minimal semantics introduced in the previous sections must be extended to exclude these infinitary solutions. We do this as follows. Previously, behaviors of nodes and edges were elements of some arbitrary set. Henceforth, we consider them to be mappings from [0, ∞) (our definition of time) to arbitrary state sets. Thus, if E is a behavior of node u, then u is in state E(t) at time t. We add the following condition to the weak agreement problem.

Choice. A correct node must choose 0 or 1 after a finite amount of time.

This means there is a function CHOOSE from behaviors of nodes running weak agreement devices to {0, 1}, with the following property: every such behavior E has a finite prefix

E t (E restricted to the interval [0, t]) such that all behaviors E' extending E t have CHOOSE(E) ...... =CHOOSE(U). This choice condition prohibits Lamport's infinite solution. To prohibit the second so- As before, each scenario is identical to a lution, we bound the rate at which information scenario in a behavior in G of the appropriate can traverse the network. To do so, we add the two weak consensus devices. Since each pair of following stronger locality axiom to our model. successive scenarios overlaps in one node be- havior (here, that of the node running B), all Bounded-delay locality axiom. There exists a the nodes in both scenarios must choose the positive constant c5 such that the following is same value in G and in S. By induction, every true. Let N and N' be systems with behaviors o~ node in S must choose the same value. Without and C', respectively, and isomorphic subsystems loss of generality, assume they choose 1. ~# and ~#', (with vertex sets U and U'). If the Consider the k scenarios indicated below. corresponding behaviors of the inedge borders of U and U' in o~ and E' are identical through C--B--A ..... B--A--C--B ..... C--B--A] time t, then scenarios o% and gv' are identical [I 1 1 I l I ! I I through time t + c5. Thus, news of events k edges away from /o/o y o/o/ o some subgraph G' takes time at least kc5 to 1:4 k// arrive at G'. In a model with explicit messages, this axiom could be proven from an assumption that the transmission delay is at least 5, and the Let g be the behavior of G in which a, b edge behaviors in our model would correspond and c are correct and each has input 0, and to state descriptions of the transmitting end of denote the resulting behaviors of a, b and c by each communications link. E,, E v and Ec, respectively. Lemma 3. The behavior in scenario 5~i of a node Theorem 2. 
Weak agreement is not possible in running device A (or B or C) is identical to E, inadequate graphs Jor models satisfying the (or E b or Ec) through time i6. Bounded-delay locality axiom. Proof. The proof is an easy induction using the Again, we first sketch the 3m+1 node Bounded-delay locality axion. [] bound. In this case, the previously published proof [9] was very difficult. As before, we re- By Lemma 3, the nodes running devices C strict our attention to the case ]GI = n = 3, m = l. and A in scenario ~ have behaviors identical (The case for general m follows immediately, to Ec and E, through time k& Since nodes c just as above.) and a in G have chosen output 0 by this time, Assume there are weak agreement devices so have the corresponding nodes in 5~k, a con- A, B and C, for the triangle graph G containing tradiction. nodes a, b and c. Consider the two behaviors of The general case of [Gl-<_3m and the con- G in which all nodes are correct, and all have nectivity bound follow as for Byzantine input 0 or all have input 1. Let t' be an upper agreement. [] bound on the time it takes all nodes to choose There are strong similarities between this 0 or 1 in both behaviors. Choose k > t'/& to be a argument and a proof by Angluin, concerning multiple of 3. leader elections in rings and arbitrarily long The covering graph S consists of 4k nodes, lines of processors [1-]. Both results depend cru- arranged in a ring and assigned devices and cially on the existence of a lower bound on the inputs as follows: rate of information flow. Under this assump- tion, devices in different communication net- [!~A--1Bcl --AI ..... B--A--C--BIll1 ..... C--B--~]ll works can be shown to see the same local be- --B--C .... B--C--A--B havior for some fixed time. 0 0 0 0 0 0 0 0 0 0 5 Byzantine firing squad Consider the resulting behavior 5 P, and each pair of successive two-node scenarios, such as The Byzantine firing squad problem addresses a the two below. 
34 M.J. Fischer et al.: Easy impossibility proofs for distributed consensus problems

5 Byzantine firing squad

The Byzantine firing squad problem addresses a form of synchronization in the presence of Byzantine failures. The problem is to synchronize a response to an input stimulus. The response is to enter a designated FIRE state. The problem was studied originally in [3]. In [4], a reduction of weak agreement to the Byzantine firing squad problem demonstrates that the latter is impossible to solve in inadequate graphs. We provide a direct proof that a simple variant of the original problem is impossible to solve in inadequate graphs. (In the original version, the stimulus can arrive at any time. We require it to arrive at time 0, or not at all. Our validity condition is slightly different.) The proof is very similar to that for weak agreement.

One or more devices may receive a stimulus at time 0. We model the stimulus as an input of 1, and absence of the stimulus as an input of 0. Correct executions must satisfy the following conditions.

Agreement. If a correct node enters the FIRE state at time t, every correct node enters the FIRE state at time t.

Validity. If all nodes are correct and the stimulus occurs at any node, they enter the FIRE state after some finite delay. If the stimulus does not occur and all nodes are correct, no node ever enters the FIRE state.

As in the case of weak agreement, solutions to the Byzantine firing squad problem exist in models in which there is no minimum communication delay. Thus the following result requires the Bounded-delay locality axiom, in addition to the Fault axiom.

Theorem 4. The Byzantine firing squad problem cannot be solved in inadequate graphs for models satisfying the Bounded-delay locality axiom.

We sketch the $3m+1$ node bound. As before, we examine the case $|G| = n = 3$, $m = 1$. Assume there are Byzantine firing squad devices A, B and C for the triangle graph G containing nodes a, b and c. Consider the two behaviors of G in which all nodes are correct, and all have input 0 or all have input 1. Let t be the time at which the correct devices enter the FIRE state in the case that the stimulus occurred (the input 1 case). Since the correct nodes never enter the FIRE state in the absence of the stimulus, they certainly do not enter the FIRE state at time t. Choose $k > t/\delta$ to be a multiple of 3. (Recall that $\delta$ is the minimum transmission delay defined in the Bounded-delay locality axiom.)

The covering graph S consists of $4k$ nodes, arranged in a ring and assigned devices and inputs as follows:

[diagram: the ring S of $4k$ nodes, drawn as two rows of devices A, B, C joined at the ends, with an input assigned to every node; only fragments of the device rows and the row of 0 inputs survive extraction]

Similarly to the proof for weak agreement, the middle two devices receiving the stimulus enter the FIRE state at time t, as their behavior through time t is the same as that of the correct nodes in G which have received the stimulus and fire at time t. Because of the communication delay, there is not enough time for "news" from the distant nodes to reach these devices. By repeated use of the agreement property, all the devices in S must fire at time t. But through time t, the middle two devices not receiving the stimulus behave exactly as correct nodes in G which do not receive the stimulus (the input 0 case). Thus they do not fire at time t, a contradiction. □

6 Approximate agreement

Next, we turn to two versions of the approximate agreement problem [7, 11]. We call them simple approximate agreement and $(\varepsilon, \delta, \gamma)$-agreement. In these problems, nodes have real values as inputs and choose real numbers as a result. The goal is to have the results close to each other and to the inputs. In order to obtain the strongest possible impossibility result, we formulate very weak versions of the problems.

For the following two theorems we use only the Locality and Fault axioms. We do not need the Bounded-delay locality axiom used for the weak agreement and firing squad results.

6.1 Simple approximate agreement

First, we turn to the simple approximate agreement problem [7]. The version we examine is based on that in [7]. Each correct node has a real value from the interval [0, 1] as input, runs its device and chooses a real value. Correct behaviors (those in which at least $n-m$ nodes are correct) must satisfy the following conditions.

Agreement. The maximum difference between values chosen by correct nodes must be strictly smaller than the maximum difference between the inputs, or be equal to the latter difference if it is zero.

Validity. Each correct node chooses a value within the range of the inputs of the nodes.

Theorem 5. Simple approximate agreement is not possible in inadequate graphs.

The proof is almost exactly that for Byzantine agreement. Here, we consider devices which take as inputs numbers from the interval [0, 1], and choose a value from [0, 1] to output. (Outputs are modeled by a function CHOOSE from behaviors of nodes running the devices to the interval [0, 1].) As before, assume simple approximate agreement can be reached in the triangle graph G. Consider the following three scenarios from the indicated behavior in the covering graph S.

[…]

Note that if $\varepsilon \ge \delta$, $(\varepsilon, \delta, \gamma)$-agreement can be achieved trivially by choosing the input value as output.

Theorem 6. If $\varepsilon < \delta$, $(\varepsilon, \delta, \gamma)$-agreement is not possible in inadequate graphs.

Proof. Let $\varepsilon$, $\delta$ and $\gamma$ be positive real numbers with $\varepsilon < \delta$. We prove only the $3m+1$ bound on the number of nodes. Assume that devices A, B and C exist which solve the $(\varepsilon, \delta, \gamma)$-approximate agreement problem in the complete graph G on three nodes, for particular values of $\varepsilon$, $\delta$ and $\gamma$, where $\varepsilon < \delta$. Choose k sufficiently large that $\delta > 2\gamma/(k-1) + \varepsilon$, and $k+2$ is divisible by three. The covering graph S contains $k+2$ nodes arranged in a ring, with devices and inputs assigned to create the following system.

[diagram: the ring S of $k+2$ nodes with devices A, B, C assigned around it; the node inputs are $0, \delta, \ldots, k\delta, (k+1)\delta$]

Let $\mathcal{S}_i$, for $0 \le i$ […]

[…] $> t'$.

[…] this assumption, it is clear that speeding up or slowing down the hardware clocks uniformly in different behaviors cannot be observable to the nodes, so the only impact on the behaviors should be that they speed up or slow down in the same way as the hardware clocks.

To formalize this assumption, we need to talk about scaling clocks and behaviors. Let h be any invertible function of time. If E is a behavior (of an edge or node), then Eh, the behavior E scaled by h, is such that $Eh(t) = E(h(t))$, for all times t. Similarly, Dh is the hardware clock D scaled by h: $Dh(t) = D(h(t))$. If $\mathcal{S}$ is a system behavior or scenario, $\mathcal{S}h$ is the […]

Validity. For any correct node i in $\mathcal{S}$, with hardware clock $D_i$ and resulting behavior $E_i$, $l(f(t)) \le C_i(E_i(t)) \le u(g(t))$.

Theorem 8. Nontrivial synchronization is not possible in inadequate graphs for models satisfying the Scaling axiom.

We show that for every integer $k > 2$, there is a behavior $\mathcal{S}$ of G in which node i is correct, has hardware clock $D_i = f$ (that is, $D_i(t) = f(t)$), and in which $C_i(E_i(t')) > l(f(t')) + k\alpha$. For k big enough, this violates the upper envelope condition, $C_i(E_i(t')) \le u(g(t'))$.

Define $h = f^{-1} \circ g$. (That is, $h(t) = f^{-1}(g(t))$.) […] $h(t) > t$ for all t, since $f(t) < g(t)$.

We begin with the three node, one fault case. The argument is very similar to the proof of Theorem 6. Assume the existence of devices A, B and C, time $t'$ and positive constant $\alpha$ such that logical clocks of correct nodes obey the agreement and validity conditions:

$|C_i(E_i(t)) - C_j(E_j(t))| \le l(g(t)) - l(f(t)) - \alpha$, for all times $t > t'$, and

$l(f(t)) \le C_i(E_i(t)) \le u(g(t))$, for all times t.

Choose an integer $k > 2$, such that $k+2$ is a multiple of three, and such that

$l(f(t')) + k\alpha > u(g(t'))$.

The covering graph S contains $k+2$ nodes arranged in a ring, with devices and clock inputs assigned to create the following system.

[diagram: the ring S of $k+2$ nodes; of the three rows (devices, hardware clocks, resulting behavior) only the last survives extraction and reads $E_0, E_1, \ldots, E_k, E_{k+1}$]

Let $\mathcal{S}$ be the behavior of this system. An […] devices in $\mathcal{S}$ than they would be in a correct behavior in G. But consider $\mathcal{S}_i$, the two-node scenario containing the behaviors of

node: i, i+1
hardware clocks: $gh^{-i}$, $gh^{-(i+1)}$
resulting behavior: $E_i$, $E_{i+1}$

Now consider $\mathcal{S}_i h^i$, the scenario $\mathcal{S}_i$ scaled by $h^i$.

node: i, i+1
hardware clocks: g, f
resulting behavior: $E_i h^i$, $E_{i+1} h^i$

In this scenario, the hardware clocks have values within the constraints for correct behaviors of G. Thus we have the following.

Lemma 9. Scenario $\mathcal{S}_i h^i$, for $0 \le i$ […], is a scenario containing the behaviors of two correct nodes in a correct behavior of G.

Lemma 10. For all i, $0 \le i$ […], and all $t > h^i(t')$,

$|C_{i+1}(E_{i+1}(t)) - C_i(E_i(t))| \le l(g(h^{-i}(t))) - l(f(h^{-i}(t))) - \alpha$.

Proof. Fix $t > h^i(t')$. Then $h^{-i}(t) > t'$. By Lemma 9, i and i+1 are correct in $\mathcal{S}_i h^i$, so by the agreement assumption

$|C_{i+1}(E_{i+1}h^i(h^{-i}(t))) - C_i(E_i h^i(h^{-i}(t)))| \le l(g(h^{-i}(t))) - l(f(h^{-i}(t))) - \alpha$.

The result is immediate. □

Let time $t'' = h^k(t')$. Note that $t'' > h^i(t')$, for i […]

Lemma 11. For all i, $1 \le i \le k+1$,

$C_i(E_i(t'')) > l(gh^{-i}(t'')) + (i-1)\alpha$.

Proof. The proof is by induction on i. By Lemma 9, scenario $\mathcal{S}_0$ is a scenario in G of correct […] $l(f(t))$. Setting $t = t''$, and substituting $gh^{-1}$ for f, we have the basis step:

$C_1(E_1(t'')) > l(gh^{-1}(t''))$.

Now make the inductive assumption

$C_i(E_i(t'')) > l(gh^{-i}(t'')) + (i-1)\alpha$, for $1$ […]

Since $t'' > h^i(t')$, from Lemma 10 (with $t = t''$) we know

$|C_{i+1}(E_{i+1}(t'')) - C_i(E_i(t''))| \le l(gh^{-i}(t'')) - l(fh^{-i}(t'')) - \alpha$,

so

$C_{i+1}(E_{i+1}(t'')) > C_i(E_i(t'')) - l(gh^{-i}(t'')) + l(fh^{-i}(t'')) + \alpha$.

Substituting for $C_i(E_i(t''))$ using the inductive assumption gives us

$C_{i+1}(E_{i+1}(t'')) > l(gh^{-i}(t'')) - l(gh^{-i}(t'')) + l(fh^{-i}(t'')) + i\alpha = l(fh^{-i}(t'')) + i\alpha$.

Noting that $f = gh^{-1}$, we have the result,

$C_{i+1}(E_{i+1}(t'')) > l(gh^{-(i+1)}(t'')) + i\alpha$. □

Proof of Theorem 8. Lemma 11 implies

$C_{k+1}(E_{k+1}(t'')) > l(gh^{-(k+1)}(t'')) + k\alpha$.

Since $t'' = h^k(t')$, we have

$C_{k+1}(E_{k+1}(t'')) = C_{k+1}(E_{k+1}(h^k(t'))) = C_{k+1}(E_{k+1}h^k(t')) > l(gh^{-(k+1)}h^k(t')) + k\alpha = l(gh^{-1}(t')) + k\alpha = l(f(t')) + k\alpha$.

But the upper envelope constraint for the scaled scenario $\mathcal{S}h^k$ (in which $k+1$ is correct and has hardware clock $f(t)$) implies that $C_{k+1}(E_{k+1}h^k(t')) \le u(g(t'))$. Thus, $l(f(t')) + k\alpha < u(g(t'))$. This violates the assumed bound on k, $l(f(t')) + k\alpha > u(g(t'))$.

Once again, the general case of $|G| \le 3m$ is a simple extension of this argument. The connectivity bound also follows easily, as with the earlier results. □

7.1 Linear envelope synchronization and other corollaries

Linear envelope synchronization, as defined in [6], examines the synchronization problem when the clocks and envelope functions are linear functions ($g(t) = rt$, $f(t) = t$, $l(t) = at + b$ and $u(t) = ct + d$). It requires correct logical clocks to remain within a constant of each other, so that the agreement condition is $|C_i(E_i(t)) - C_j(E_j(t))| \le \alpha$, for all times t, instead of our weaker condition $|C_i(E_i(t)) - C_j(E_j(t))| \le l(g(t)) - l(f(t)) - \alpha$, for all times $t > t'$. Our validity condition is slightly weaker, as well. Thus, the proof of [6] shows that logical clocks cannot be synchronized to within a constant; we show that the synchronization of logical clocks cannot be improved by a constant over the synchronization $(art - at)$ that can be achieved trivially. Thus the following corollary follows immediately from Theorem 8. (Each of the four corollaries below holds for models satisfying the Scaling axiom.)

Corollary 12. Linear envelope synchronization is not possible in inadequate graphs.

We also get the following results immediately from Theorem 8, by choosing specific values for the clock and lower envelope functions. Note that the particular choice of the upper envelope function does not affect the minimal synchronization possible in inadequate graphs, although the existence of some upper envelope function is necessary to obtain our impossibility proofs.

Corollary 13. If $f(t) = t$, $g(t) = rt$, and $l(t) = at + b$, no devices can synchronize a constant closer than $art - at$ in inadequate graphs.

Corollary 14. If $f(t) = t$, $g(t) = t + c$ and $l(t) = at + b$, no devices can synchronize a constant closer than $ac$ in inadequate graphs.

Corollary 15. If $f(t) = t$, $g(t) = rt$ and $l(t) = \log_2(t)$, no devices can synchronize a constant closer than $\log_2(r)$ in inadequate graphs.

In general, the best possible synchronization in inadequate graphs can be achieved without any communication at all. The best nodes can do is run their logical clocks as slowly as they are permitted, $C(E(t)) = l(D(t))$.
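The constants in Corollaries 13 to 15, as an added derivation that is not part of the paper. It assumes, as in the two-node scenarios of the proof of Theorem 8, that the hardware clocks of correct nodes lie between $f$ and $g$, that the lower envelope $l$ is nondecreasing, and that every node runs the trivial strategy $C_i(E_i(t)) = l(D_i(t))$; the gap $l(g(t)) - l(f(t))$ is then the synchronization Theorem 8 says cannot be improved by a constant.

$$
\begin{aligned}
|C_i(E_i(t)) - C_j(E_j(t))| &= |l(D_i(t)) - l(D_j(t))| \le l(g(t)) - l(f(t)), \\
\text{Corollary 13 } (f(t)=t,\ g(t)=rt,\ l(t)=at+b):\quad & l(g(t)) - l(f(t)) = (art+b)-(at+b) = art - at, \\
\text{Corollary 14 } (f(t)=t,\ g(t)=t+c,\ l(t)=at+b):\quad & l(g(t)) - l(f(t)) = (a(t+c)+b)-(at+b) = ac, \\
\text{Corollary 15 } (f(t)=t,\ g(t)=rt,\ l(t)=\log_2 t):\quad & l(g(t)) - l(f(t)) = \log_2(rt)-\log_2 t = \log_2 r.
\end{aligned}
$$

In Corollary 13 the gap grows with t, while in Corollaries 14 and 15 it is a fixed constant; in each case Theorem 8 denies any improvement by a constant $\alpha$, which is why the best achievable synchronization needs no communication at all.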

8 Conclusion

Most of the results we have presented were previously known. Our proofs are simpler than earlier proofs, and hold in more general models, but this is not their main contribution. While simplicity and generality are important goals, in this instance they are the welcome byproduct of our attempt to identify the fundamental issues and assumptions behind a collection of similar results.

One important contribution is to elucidate the relationship between the unrestricted, or […] graphs. As is clear from our proofs, this fault assumption permits faulty nodes to mimic executions of disparate network topologies. If the network is inadequate, a covering graph can be constructed so that correct devices cannot distinguish the execution in the original graph from one in the covering graph.

A second contribution is related to the generality of our results. Nowhere do we restrict state sets or transitions to be finite, or even to reflect the outcome of effective computations. The inability to solve consensus problems in inadequate graphs has nothing to do with computation per se, but rather with distribution. It is the distinction between local and global state, and the uncertainty introduced by the presence of Byzantine faults, which result in this limitation.

Finally, we have identified a small, natural set of assumptions upon which the impossibility results depend. For example, in the case of weak agreement and the firing squad problem, the correctness conditions are sensitive to the actions of faulty nodes. Instantaneous notification of the detection of fault events would allow one to solve these problems. An assumption that there are minimum delays in discovering and relaying information about faults is sufficient to make these problems unsolvable.

9 References

1. Angluin D (1980) Local and global properties in networks of processors. Proceedings of the 12th STOC, April 30-May 2, 1980, Los Angeles, CA, pp 82-93
2. Burns J (1980) A formal model for message passing systems. TR-91, Indiana University, Sept
3. Burns J, Lynch N (1984) The byzantine firing squad problem (submitted for publication)
4. Coan B, Dolev D, Dwork C, Stockmeyer L (1985) The distributed firing squad problem. Proceedings of the 17th STOC, May 6-8, 1985, Providence, RI
5. Dolev D (1982) The byzantine generals strike again. J Algorithms 3:14-30
6. Dolev D, Halpern J, Strong H (1984) On the possibility and impossibility of achieving clock synchronization. Proceedings of the 16th STOC, April 30-May 2, 1984, Washington, DC, pp 504-510
7. Dolev D, Lynch NA, Pinter S, Stark E, Weihl W (1983) Reaching approximate agreement in the presence of faults. Proceedings of the 3rd Annual IEEE Symposium on Distributed Software and Databases
8. Itai A, Rodeh M (1981) The lord of the ring or probabilistic methods for breaking symmetry in distributive networks. RJ-3110, IBM Research Report, April
9. Lamport L (1983) The weak byzantine generals problem. JACM 30:668-676
10. Lamport L, Shostak R, Pease M (1982) The byzantine generals problem. ACM Trans Program Lang Syst 4(3):382-401
11. Mahaney S, Schneider F (1985) Inexact agreement: accuracy, precision, and graceful degradation. Proceedings of the 4th Annual ACM Symposium on Principles of Distributed Computing, August 5-7, 1985, Minacki, Ontario
12. Pease M, Shostak R, Lamport L (1980) Reaching agreement in the presence of faults. JACM 27:228-234