Lower Bounds for Distributed Coin-Flipping and Randomized

Lower Bounds for Distributed CoinFlipping and Randomized Consensus

James Aspnes

forms the basis of the consensus lower b ound but is in Abstract

teresting in its own right

We examine a class of col lective coinipping games

Consensus is a fundamental problem in distributed

that arises from randomized distributed algorithms with

computing in which a group of pro cesses must agree on

halting failures In these games a sequence of local coin

a bit despite the interference of an adversary An addi

ips is generated which must b e combined to form a

tional condition forbids trivial solutions that always pro

single global coin ip An adversary monitors the game

duce the same answer In an asynchronous setting it

and may attempt to bias its outcome by hiding the re

has long b een known that if an adversary can halt a sin

sult of up to t lo cal coin ips We show that to guaran

gle pro cess then no deterministic consensus algorithm

tee at most constant bias t lo cal coins are needed

is p ossible without the use of p owerful synchronizatio n

even if a the lo cal coins can have arbitrary distribu

primitives CIL DDS FLP Her LAA

tions and ranges b the adversary is required to de

In contrast randomized algorithms can solve con

cide immediately whether to hide or reveal each lo cal

sensus in a sharedmemory system for n pro cesses even

coin and c the game can detect which lo cal coins have

if the adversary can halt up to n pro cesses Such

b een hidden If the adversary is p ermitted to control

algorithms are called waitfree Her b ecause any pro

the outcome of the coin except for cases whose prob

cess can nish the algorithm without waiting for slower 2 2

ability is p olynomial in t t log t lo cal coins are

or p ossibly dead pro cesses These algorithms work

needed Combining this fact with an extended version

even under the assumption that failures and the tim

of the wellknown FischerLynchPaterson imp ossibili ty

ing of all events in the system are under the control of

pro of of deterministic consensus we show that given

an adaptive adversary one that can observe and react

an adaptive adversary any tresilient asynchronous con

to all asp ects of the systems execution including the 2 2

sensus proto col requires t log t lo cal coin ips in

internal states of the pro cesses

any mo del that can b e simulated deterministical ly using

atomic registers This gives the rst nontrivial lower

The rst known algorithm that solves shared

b ound on the total work required by waitfree consensus

memory consensus against an adaptive adversary is

and is tight to within logarithmic factors

the exp onentialti me algorithm of Abrahamson Abr

since its app earance numerous p olynomial time algo

rithms have app eared AH ADS SSW Asp

Intro duction

DHPW BR BR AW Most of these algo

rithms are built around shared coin protocols in which

the pro cesses individual l y generate many random lo

Our results divide naturally into two parts a lower

cal coin ips which are combined by ma jority voting

b ound for asynchronous randomized consensus in a wide

The adversary may bias the outcome of the voting by

variety of mo dels and a still more general lower b ound

selectively killing pro cesses that have chosen to vote the

for a large class of collective coinippin g games that

wrong way b efore they can reveal their most recent

Yale University Department of Computer Science

votes to the other pro cesses To prevent the adversary

Prosp ect StreetPO Box New Haven CT

from getting more than a constant bias it is necessary

Supp orted by NSF grants CCR and CCR E

to collect enough votes that the hidden votes shift the

mail aspnescs y ale e du

outcome by no more than a constant numb er of stan

dard deviations With up to n failures as in the

waitfree case this requires a total of n lo cal coin

ips and at least n work in order to communicate

these coinips

Some of the algorithms deviate slightly from the simple

Improvements in other asp ects of consensus algo Related Work

rithms have steadily brought their costs down from the

4 2

O n total work of AH to the O n log n total work

Many varieties of collective coinippin g games have

of BR But while these algorithms have steadily ap

b een studied starting with the work of BenOr and

proached the n barrier none have broken it How

Linial BOL Many such games assume that the lo

ever no pro of was known that consensus could not b e

cations of faulty coins are xed in advance under these

solved in less than n time the barrier was solely a

assumptions very ecient games exist AN CL

result of the apparent absence of alternatives to using

BOL Sak Another assumption that greatly lim

shared coins based on ma jority voting Indeed it was

its the p ower of the adversary is to require that b oth

asked in Asp if it was necessarily the case that a ev

the lo cations and values of faulty coins are xed in ad

ery consensus proto col contained an emb edded shared

vance this is the bit extraction problem CFG Fri

coin proto col and b no shared coin proto col could

Vaz in which it is p ossible to derive completely un

achieve b etter p erformance than ma jority voting

biased random bits

If none of these limiting assumptions are made the

Our Results

adversary gains considerabl y more p ower An excellent

survey of results for a wide variety of mo dels involving

In this pap er we answer b oth of these questions though

fair or nearly fair twovalued lo cal coins can b e found

the answers are not as simple as might have b een hop ed in BOLS Our work diers from these in that we

We show that a every tresilient asynchronous consen

allow arbitrary distribution s on the lo cal coins With a

sus proto col in the sharedmemory mo del with at least restriction to fair coins Harp ers isop erimetric inequal

constant probability either executes a shared coin pro

ity for the hyp ercub e Har implies that the ma jority

to col with bias at most one minus a p olynomial in t or function gives the least p ower to an oline adversary

carries out an exp ected t lo cal coinips avoiding

that can see all coins b efore deciding which to change

it and b any such shared coin proto col requires an and Lichtenstein Linial and Saks LLS have shown

2 2

exp ected t log t lo cal coin ips It follows that

that ma jority is also optimal against an online adver

tresilient asynchronous consensus requires an exp ected sary similar to the one we consider here Without such a

2 2

t log t lo cal coin ips Since proto cols based on

restriction the b est previously known b ound is a b ound

n on the inuence of an adversary that can ma jority voting require only O t lo cal coin ips this of

lower b ound is very close to b eing tight

hide one coin this is an easy corollary of a theorem

ab out gaps in martingale sequences due to Cleve and

Since we are counting coinips rather than op era

Impagliazzo CI

tions the lower b ound is not aected by deterministic

simulations So for example it continues to hold in

A very nice lower b ound on the space used by wait

messagepassing mo dels with up to t pro cess failures

free sharedmemory consensus is due to Fich Herlihy

since a message channel can b e simulated by an un

and Shavit FHS They show that any such consensus

b oundedly large register or in a sharedmemory mo del

proto col must use n distinct registers to guaran

with counters or cheap atomic snapshots Furthermore

tee agreement Unfortunately their techniques do not

since our lower b ound assumes that lo cal coin ips can

app ear to generalize to showing lower b ounds on work

have arbitrary ranges and distribution s we may assume

without loss of generality that any two successive coin

ips by the same pro cess are separated by at least one

CoinFlipping Games

deterministic op eration in any of these mo dels so the

lower b ound on lo cal coinips in fact implies a lower

A collective coinippin g game BOL is an algorithm

b ound on total work

for combining many local coins into a single global coin

The lower b ound on coinippi ng games is still more

whose bias should b e small even though some of the

general and holds in any mo del in which the adversary

lo cal coins may b e obscured by a malicious adversary

may intercept up to t lo cal coinips b efore they are re

Though the particular coinippi ng games we consider

vealed no matter what deterministic synchronization

here are motivated by their application to proving lower

primitives or shared ob jects are available Furthermore

b ounds on distributed algorithms with failures they ab

it is tight in the sense that it shows that no constantbias

stract away almost all of the details of the original dis

shared coin can use less than t lo cal coins a b ound

tributed systems and are thus likely to b e useful in other

achieved ignoring constants by ma jority voting

contexts

ma jorityvoting approach describ ed here In the algorithm of

We assume that the lo cal coins are indep endent ran

Aspnes Asp some votes are generated deterministically In

dom variables whose ranges and distributions are arbi

the algorithm of Saks Shavit and Woll SSW several coin

trary The values of these variables are revealed one at

ipping proto cols optimized for dierent execution patterns are

run in parallel In the algorithm of Aspnes and Waarts AW a time to an adversary who must immediately cho ose

pro cesses that have already cast many votes generate votes with

whether to reveal or obscure each value If the adver

increasing weights in order to nish the proto col quickly How

sary cho oses to obscure the value of a particular lo cal

ever none of these proto cols costs less than simple ma jority vot

coin the eect is to replace it with a default value

ing in terms of the exp ected total numb er of lo cal coin ips

Rep eating this pro cess yields a sequence of values some

p erformed in the worst case

of which are the original values of the random variable last coin We will write G A for the random variable

and some of which are A function is applied to this describing the outcome of G when run under the con

sequence to yield an outcome which may b e arbitrary trol of an adversary strategy A If a game G has real

but which we will usually require to b e The adver valued outcomes then for each numb er of faults k there

sarys p ower is limited by an upp er b ound on how many exist adversary strategies to maximize or minimize the

coins it may obscure exp ected outcome Dene M G to b e the maximum ex

p ected outcome and m G to b e the minimum exp ected

Note that in this description we assume that the

outcome These values can b e computed recursively as

adversary cannot predict future lo cal coins it can only

follows

base its decision to reveal or obscure a particular coin on

its value and the values of earlier coins In addition the

If G has length M G m G G

k k

adversarys interventions are visible The coinippi ng

game may observe and react to the fact that the adver

If G has p ositive length then

sary has chosen to obscure particular lo cal coins even

though it has no access to the true values of those coins

M G max M G M G

k k k 1 ?

m G min m G m G

k k k 1 ?

Formally a coinippin g game is sp ecied by a tree

The leaves of the tree sp ecify the outcomes of the game

Internal no des corresp ond to lo cal coinips Coin

Most of the time we will assume that the only p ossi

ipping games are dened recursively as follows Fix

ble outcomes of a game are In this case the quanti

a set of p ossible outcomes A coinippin g game G with

ties M and m give a measure of how much inuence an

k k

maximum length zero consists of a single outcome we

adversary with the ability to hide k lo cal coinips can

will call such a game a constant game and abuse nota

get over the outcome It is necessary to consider b oth

tion by writing its outcome simply as G A coinippi ng

at once as we will see later it is always p ossible to

game G with maximum length n is either a constant

nd a game with maximum length n whose minimum

game or consists of

exp ected outcome m can b e any value in the range

We will b e interested in the b est such game

ie the one that attains a particular value of m while

A random variable representing the rst lo cal coin

minimizing M or symmetrically the game that max

ip in G

imizes m for a particular xed M In general it will

k k

A function mapping the range of this random vari

turn out to b e quite dicult to nd this game exactly

able to the set of coinipping games with maxi

although much can b e shown ab out its structure and

mum length less than n the subgames of G For

so it will b e necessary to settle for a lower b ound on

each value in this range the resulting subgame

M G as a function of n k and m G

k k

is denoted G

A default subgame G with maximum length less

The Structure of Optimal Games

than n corresp onding to the eect of an adversary

choice to hide the rst lo cal coinip in G

Fix a maximum length n and numb er of failures k Let

us dene the range of a game G to b e the interval

The ab ove denition represents a coinipping game

m G M G Then G strictly dominates G just in

k k

as a tree if we think of G as the ro ot of the tree its chil

case the range of G is a prop er subset of the range

dren are the subgames G for each value of and the

of G in other words if G gives the adversary no more

default subgame G The actual game tree corresp ond

control than G do es A game G is optimal if it either

0 0

ing to playing the game against an adversary is a bit

dominates all other games G with m G m G or if it

k k

0 0

more complicated and involves two plies for each level

dominates all other games G with M G M G For

k k

of G We may think of the states of this game as pairs

k n this denition will turn out to b e equivalent to

G k sp ecifying the current subgame G and the limit

saying that no game strictly dominates G

k on how many lo cal coins the adversary may hide ie

With each k and game G we can asso ciate a p oint in

the numb er of faults To execute the rst lo cal coin

a twodimensional space given by the co ordinates m G

ip in G two steps o ccur First the outcome of the

and M G From this geometric p ersp ective the problem

coinip is determined Second the adversary cho oses

we are interested in is nding for each value of n and

b etween revealing leading to the state G k or

k the curve corresp onding to the set of optimal games

hiding leading to the state G k

with maximum length n and up to k failures

In order to prevent the adversary from b eing able to

For some values of n and k this task is an easy one If

predict the future or the game from b eing able to deduce

k then the n curve is just the diagonal running

information ab out obscured coins we demand that all

from to since m G M G for all G

0 0

random variables on any path through the game tree b e

If the other extreme holds and k n then for any

indep endent

G either m G or M G dep ending on the

k k

An adversary strategy sp ecies for each partial se default outcome of G if all lo cal coins are hidden It

quence of lo cal coinips whether to hide or reveal the is not dicult to see that if M G then m G can

n n

b e any value b etween and For example G could is obtained by allowing more than two outcomes to a

set its outcome to b e the value of the rst lo cal coin coin However the theorem do es not imply that we

or if that coinip is hidden if the adversary wishes can require that all lo cal coins are fair indeed for most

to achieve an outcome lower than it must let the rst optimal games they will not b e

lo cal coin go through Similar if m G then M G

n n

In addition we have shown the following ab out the

can b e any value b etween and Thus the optimal

shap e of the curves corresp onding to optimal games

n n curve consists of the line segment from

to and the line segment from to

Theorem Fix n and k with k n For each x in

Equations and have a nice geometrical in

let f x be the smal lest value of M G for al l

terpretation that in principle allows one to determine

G such that m G x Then f is nondecreasing and

the n k curves of optimal games of maximum length

concave

n with k failures This pro cess is depicted in Figures

and Fix a game G Each subgame G corresp onds to

a p oint m G M G which must lie somewhere on

Unfortunately with the exception of some extreme

k k

or ab ove the curve of optimal n k games The

cases like k n the n k curves do not app ear to

contribution of G to the p osition of G is given by

have nice algebraic descriptions So while in principle

min m G m G max M G M G which

equations and and the minimumofhyp otenu ses

k k 1 ? k k 1 ?

is a p oint in the intersection of the region ab ove the

construction constrain the curves completely to obtain

n k curve and the rectangle of p oints dominated

any useful b ounds from them we will b e forced to resort

by G Since the value of G is the average of these con

to approximation

tributions it must corresp ond to some p oint in the con

vex closure of this intersection Provided the n k

Lower Bounds on CoinFlipping Games

curve is concave which is easily proved by induction on

n k as shown b elow then all p oints in the convex

closure are dominated by some p oint on its lower right

The essential idea of our lower b ound for coinippin g

edge the line segment b etween the optimal n k game

games is to cho ose a family of functions to act as lower

G with M G M G and the optimal n k game

0 k 0 k 1 ? b ounds for the optimal curves as dened ab ove and

G with m G m G

show by rep eating the inscrib edrighttriang le argument

1 k 1 k 1 ?

with these functions that they do in fact provide lower

Geometrically this edge is the hyp otenuse of a right

b ounds on the optimal curves given appropriate param

triangle inscrib ed b etween the n k and n k

eters The particular family of functions that we use

curves such that its sides are parallel to the axes and

consists of all hyp erb olas that are symmetric ab out the

its right corner is on the n k curve To take

diagonal from to and that pass through

into account all p ossible choices of G it is necessary to

? 2

the corner p oints and These hyp erb o

consider all such triangles By taking the minimum of

las are conveniently given by

the hyp otenuses of these triangles as shown in Figure

1 1

we obtain the n k curve of all optimal games of

tanh y tanh x c

maximum length n sub ject to up to k failures Note

that if the n k curve is nondecreasing and concave

for various values of c The linear n curve corre

true for n k true as the induction hyp othesis

sp onds exactly to c the n n curve is the limit as

for larger n we may extend each hyp otenuse to its

c go es to innity Our goal is to compute values of c as

containing line without aecting the minimum and so

a function of n and k such that for all lengthn games

the n k curve as the minimum of concave functions is

1 1

also nondecreasing and concave

tanh M G tanh m G cn k

k k

Let us summarize From the discussion of the con

straints on G given G we have

? Given cn k and cn k rep eating

the inscrib edrighttriang le construction for the result

ing hyp erb olas is a not very dicult exercise in analytic

Theorem For each coinipping game G with max

geometry Unfortunately nding the particular p oint

imum length n and up to k failures there is a G such

0 0 0

on the hyp otenuse of the particular triangle that mini

that G dominates G G dominates G and G has

0 0 0

mizes cn k is a bit more involved details of b oth steps

two nondefault subgames G and G with M G

0 1 0

0 0 0

are given in the full pap er The ultimate result of these

M G and m G m G

k 1 k k 1

? ?

eorts is

We conjecture that a slightly tighter lower b ound could b e

One consequence of this theorem is that we can re

1 1

proven using the curves given by y x c where

place any optimal G with an equivalent G in which

is the normal distribution function An analog of Theorem

the rst lo cal coin has exactly two outcomes and the

using instead of tanh would improve the consensus lower

adversary never prefers hiding a lo cal coin to revealing

b ound in Theorem by a logarithmic factor

one Since the theorem also applies recursively to all

subgames of G we may assume that these conditions

in fact hold throughout G Thus no additional p ower

max

exp ected

Default

outcome

subgame

min

exp ected

outcome

Figure Graphical depiction of constraints on minimum and maximum exp ected outcomes of a game G given n

and k Each p oint in the gure corresp onds to a pair of minimum and maximum exp ected outcomes The diagonal

represents the k case where these values are the same The outer edges of the gure represent the k n case The

two inner curves represent all optimal games with n voters and either k or k failures The default subgame G

lies somewhere on or ab ove the n k curve All other subgames G lie on or ab ove the n k curve If G

is xed the value of G lies somewhere in the convex closure of the intersection of the region ab ove the n k curve

and the rectangle dominated by G All p oints in this convex closure shown shaded in the picture are dominated

by some p oint on the hyp otenuse of the right triangle inscrib ed b etween the n k and n k curves

max

exp ected

outcome

min

exp ected

outcome

Figure Eect of considering all choices of G Each p oint on the n k curve corresp onds to some p ossible

default subgame G The hyp otenuse of the right triangle with corners on this p oint and the n k curve gives

a set of games which dominate all other games with this xed G The set of optimal games with n voters and k

failures is thus the minimum of the hyp otenuses of all such right triangles

Theorem Let G be a game of length n with outcome In contrast it is not dicult to see that taking a

set f g Then for any k either M G ma jority of t fair coins gives a constant bias even if

m G or a lo cal coins are required to b e fair random bits b

the adversary can replace up to t values with new values

1 1

of its own cho osing c the adversary may observe the

p tanh M G tanh m G

k k

values of all the lo cal coins b efore deciding which ones

to alter and d changes made by the adversary are

invisible to the algorithm So the t lower b ound for

With a little bit of algebra we can turn this into

constant bias is tight for a wide range of assumptions

a lower b ound on the length of a general coinippi ng

ab out the p owers of the algorithm and the adversary

game given lower b ounds on the probabili tie s of any two

distinct outcomes

Connection to Randomized Distributed Algo

rithms with Failures

Corollary Let G be a coinipping game let x be

one of its outcomes and let A range over k bul let ad

The imp ortance of coinippin g games as dened ab ove

versaries If for some min PrG A x

comes from the fact that they can often b e found em

and min Pr G A x then the maximum length

b edded inside randomized distributed algorithms Let

of G is at least

us discuss briey how this emb edding works

Consider a randomized distributed algorithm in a

2 1

mo del in which a all random events are internal to

individua l pro cesses and b all other nondeterminism

is under the control of an adaptive adversary Supp ose

Using a truncation argument we can show that a

further that the adversary has the p ower to kill up to k

similar result holds even if we are considering the ex

of the pro cesses Then given any randomized algorithm

pected length of G rather than its maximum length

in which some event X that do es not dep end on the

The theorem b elow covers b oth the worstcase exp ected

states of faulty pro cesses o ccurs with minimum proba

length when the adversary is trying to maximize the

bility m and maximum probabili ty M we can extract

running time of the proto col and the b estcase exp ected

a coinippin g game from it as follows Arbitrarily x

length when the adversary is trying to minimize the

all the nondeterministi c choices of the adversary except

running time of the proto col The worstcase b ound

for the decision whether or not to kill each pro cess im

will b e used later to get a lower b ound on consensus

mediately following each internal random event Since

The pro of of the theorem is given in the full pap er

this step reduces the options of the adversary it can

only increase m and decrease M Each step of the

coinippin g game corresp onds to an execution of the

Theorem Fix k and let A range over k bul let adver

distributed algorithm up to some such random event

saries Let G be a coinipping game with an outcome x

which we interpret as the lo cal coin The adversarys

such that min Pr G A x and min PrG A

A A

choice to hide or reveal this lo cal coin corresp onds to

x Then the worstcase expected length of G is at

its p ower to kill the pro cess that executes the random

least

event thus preventing any other pro cess from learning

its value or to let it run which may or may not eventu

ally reveal the value The outcome of the coinippin g

game is determined by whether or not X o ccurs in the

and the bestcase expected length is at least

original system

Lower Bound for Randomized Consensus

2 1

Consensus is a problem in which a group of n pro cesses

must agree on a bit We will consider consensus in mo d

For constant bias Corollary and Theorem imply

els in which at most t pro cesses may fail by halting

that we need t lo cal coin ips in b oth the worst and

average cases This is true even though the adversarys

The theorem do es not apply if the adversary cannot observe

p ower is limited by the fact that a the lo cal coin ips

lo cal coinips and so it cannot b e used with an oblivious as

opp osed to the usual adaptive adversary However the b ound

may have arbitrary ranges and distributio ns b the

on b estcase exp ected length do es imply that it is imp ossible

adversary can hide coins but cannot control them c

to construct a hybrid constantbias coinipping proto col that

the adversary must decide which coins to hide or reveal

adapts to the strength of the adversary nishing quickly against

immediately in an online fashion and d the algorithm

an oblivious adversary but using additional work to prevent an

adaptive adversary from seizing control This is not the case for

may observe and react to the choices of which coins to

consensus for example Chandras consensus algorithm Cha

hide These assumptions were chosen to minimize the

for a weak adversary switches over to an algorithm that is robust

p ower of the adversary while still capturing the essence

against an adaptive adversary if it do es not nish in its usual

of its p owers in a distributed system with failures time

Pro cesses that do not halt ie correct pro cesses must For each adversary strategy and nite execution

execute innitely many op erations A more detailed there is a xed probability that the proto col will decide

description of the mo del is given in the full pap er conditioned on the event that its execution starts with

We may sp eak without confusion of the proto col de

It is assumed that each pro cess starts with some in

ciding as opp osed to individual pro cesses deciding

put bit and eventually decides on an output bit and

b ecause of the agreement condition For any set of ad

then stops executing the algorithm Formally consen

versaries there is a range of probabiliti es running from

sus is dened by three conditions

the minimum to the maximum probabili ty of deciding

These ranges are used to dene a probabili stic ver

Agreement All correct pro cesses decide the

sion of the bivalence and univalence conditions used in

same value with probabili ty

the wellknown FischerLynchPaterson FLP imp os

sibility pro of for deterministic consensus FLP We

Nontriviality For each value v there exists

will dene an execution as bivalent if the adversary can

a set of inputs and an adversary that causes all

force either outcome with high probabili ty A v valent

correct pro cesses to decide v with probabili ty

execution will b e one after which only the outcome v can

Termination All correct pro cesses decide with

b e forced with high probability Finally a nul lvalent

probabili ty

execution will b e one in which neither outcome can b e

forced with high probability The notions of bivalence

and v valence dened formally in the full pap er match

Nontriviality is a rather weak condition and for

the corresp onding notions for deterministic algorithms

application s of consensus proto cols a stronger condition

used in the FLP pro of nullvalenc e is new as it cannot

is often more useful

o ccur with a deterministic algorithm in which the prob

ability of deciding each value v must always b e exactly

Validity If all pro cesses have input v all correct

pro cesses decide v with probability

In outline the pro of that consensus is exp ensive for

randomized algorithms retains much of the structure of

As nontriviality is implied by validity if we show

the FLP pro of First it is shown that with at least con

a lower b ound on the total work of any proto col that

stant probabili ty any proto col can b e maneuvered from

satises agreement nontriviali ty and termination we

its initial state into either a bivalent or a nullvalent ex

will have shown a fortiori a lower b ound on any proto

ecution Once the proto col is in a bivalent execution

col that satises agreement validity and termination

we show that there is a fair failurefree extension that

Thus we will concentrate on consensus as dened by the

leads either to a lo cal coinip or a nullvalent execution

rst three conditions

The result of ipping a lo cal coin after a bivalent exe

cution is of course random but we can show that with

Since the agreement and termination conditions are

high probability it leaves us with an execution which

violated only with probability zero we can exclude all

is either bivalent or nullvalent or from which we are

schedules in which they are violated without aecting

likely to return to a bivalent or a nullvalent execution

the exp ected length of the proto col or the indep endence

after additional coinips If we do reach a nullvalent

and unpredictabil ity of lo cal coinips Thus without

execution the coinippi ng b ound applies

loss of generality we may assume that not only do agree

ment and termination apply to the proto col as a whole

Unlike a deterministic proto col it is p ossible for a

but they also apply even if one conditions on starting

randomized proto col to escap e through a lo cal coin

with some particular nite execution

ip into an execution in which it can nish the proto col

quickly But we will b e able to show that the probabili ty

of escaping in this way is small so that on average many

Overview of the Pro of

lo cal coinips will o ccur b efore it happ ens

Details of the lower b ound pro of are given in the full

In a randomized setting we are concerned with the cost

pap er The result is

of carrying out a consensus proto col in terms of the

exp ected total work when running against a worstcase

Theorem Against a worstcase adaptive adversary

adversary We show how the coinippi ng lower b ound

any tresilient consensus protocol for the asynchronous

can b e used to show a lower b ound on the worstcase

sharedmemory model performs an expected

exp ected cost of tresilient randomized consensus in the

standard asynchronous sharedmemory mo del As in

the coinipping b ound we will measure the cost of a

log t

consensus proto col by the total numb er of lo cal coin

ips executed by the pro cesses This measure is not

local coinips

aected by deterministic simulations so any results we

obtain for the sharedmemory mo del will also apply to

The b ound counts the numb er of lo cal coinips any mo del that can b e simulated using shared memory

Because we allow coinips to have arbitrary values such as a tresilient messagepassing mo del

not just or lo cal coinips p erformed by the on Theory of Computing pages

same pro cess without any intervening op erations can Montreal Queb ec Canada may

b e combined into a single coinip without increasing

AB Yonatan Aumann and Michael Bender E

the adversarys inuence Thus the lower b ound on lo

cient asynchronous consensus with a value

cal coinips immediately gives a lower b ound on to

oblivious adversary scheduler In Proceed

tal work Furthermore b ecause the coinip b ound is

ings of the rd International Conference

not aected by changing the mo del to one that can b e

on Automata Languages and Program

deterministical ly simulated by shared memory we get

ming July

the same lower b ound on total work in any mo del that

can b e so simulated no matter how p owerful its primi

Abr K Abrahamson On achieving consensus

tives are So for example waitfree consensus requires

using a shared memory In Proceedings of

2 2

n log n work even in a mo del that supplies coun

the Seventh ACM SIGACTSIGOPS Sym

ters or O cost atomic snapshots

posium on Principles of Distributed Com

puting August

Discussion

ADS Hagit Attiya Danny Dolev and Nir Shavit

Bounded p olynomial randomized consen

sus In Proceedings of the Eighth ACM Sym

For those of us who like working with an adaptive ad

posium on Principles of Distributed Com

versary randomization has given only a temp orary re

puting pages August

prieve from the consequences of Fischer Lynch and

Patersons imp ossibil ity pro of for deterministic consen

AH James Aspnes and Maurice Herlihy Fast

sus with faulty pro cesses Theorem means that even

randomized consensus using shared mem

though we can solve consensus using randomization we

ory Journal of Algorithms

cannot hop e to solve it quickly without a small upp er

Septemb er

b ound on the numb er of failures builtin synchroniza

tion primitives or restrictions on the p ower of the ad

AN Noga Alon and Moni Naor Coinippin g

versary

games immune against linearsized coali

tions In Proceedings of the st Annual

Fortunately there are a numb er of natural restric

Symposium on Foundations of Computer

tions on the adversary that allow fast consensus proto

Science pages IEEE

cols without eliminatin g the faults that we might rea

sonably exp ect to observe in real systems One plau

Asp James Aspnes Time and spaceecient

sible approach is to limit the knowledge the adversary

randomized consensus Journal of Algo

has of register contents to prevent it from discriminat

rithms May

ing against coinips it dislikes Various versions of this

can b e found in the the consensus work of Chor Israeli

AW James Aspnes and Orli Waarts Random

and Li CIL and Abrahamson Abr and in the

ized consensus in O n log n op erations p er

O n log n total work proto col of Aumann and Bender

pro cessor SIAM Journal on Computing

AB and the O log n workp erpro cess proto col of

Octob er

Chandra Cha Restrictions on the amount of asyn

BOL Michael BenOr and Nathan Linial Col

chrony can also have a large eect AAT SSW

lective coin ipping robust voting schemes

and minimization of banzhaf values In

Proceedings of the th Annual Symposium

Acknowledgments

on Foundations of Computer Science pages

IEEE

The author is indebted to Russell Impagliazzo for many

fruitful discussions of coinipping problems Steven

BOLS M BenOr N Linial and M Saks Collec

Rudich for a suggestion that eventually b ecame the

tive coin ipping and other mo dels of im

truncation argument used to prove Theorem Mike

p erfect randomness In Combinatorics vol

Saks for encouragement and p ointers to related work

ume of Col loquia Mathematic Societatis

and Faith Fich WaiKau Lo Eric Rupp ert and Eric

Janos Bolyai pages Eger Hun

Schenk for many useful comments on an earlier version

gary

of this work

BR Gabi Bracha and Ophir Rachman Approx

imated counters and randomized consensus

References Technical Rep ort Technion

BR Gabi Bracha and Ophir Rachman Ran

AAT Ra jeev Alur Hagit Attiya and Gadi

domized consensus in exp ected O n log n

Taub enfeld Timeadaptive algorithms

op erations In Proceedings of the Fifth

for synchronization In Proceedings of

Workshop on Distributed Algorithms

the TwentySixth Annual ACM Symposium

CFG Benny Chor Jo el Friedman Oded Goldre Her Maurice Herlihy Waitfree synchronization

ich Johan Hastad Steven Rudich and Ro ACM Transactions on Programming Lan

man Smolensky The bit extraction prob guages and Systems Jan

lem or tresilient functions In Proceedings uary

of the th Annual Symposium on Founda

LAA Michael C Loui and Hosame H Abu

tions of Computer Science pages

Amara Memory requirements for agree

IEEE

ment among unreliabl e asynchronous pro

Cha Tushar Deepak Chandra Polylog random cesses In Franco P Preparata editor Ad

ized waitfree consensus In Proceedings of vances in Computing Research volume

the Fifteenth Annual ACM Symposium on JAI Press

Principles of Distributed Computing pages

LLS D Lichtenstein N Linial and M Saks

May

Some extremal problems arising from dis

CI Richard Cleve and Russell Impagliazzo crete control pro cesses Combinatorica

Martingales with Bo olean nal value must

make jumps of O n with constant

Sak Michael Saks A robust noncryptographic

probabili ty Unpublished manuscript

proto col for collective coin ipping SIAM

Journal on Discrete Mathematics

CIL B Chor A Israeli and M Li On pro cessor

co ordination using asynchronous hardware

In Proceedings of the Sixth ACM Sympo

SSW Michael Saks Nir Shavit and Heather

sium on Principles of Distributed Comput

Woll Optimal time randomized consensus

ing pages

making resilient algorithms fast in prac

tice In Proceedings of the Second Annual

CL Jason Co op er and Nathan Linial Fast

ACMSIAM Symposium on Discrete Algo

p erfectinformation leaderelection proto col

rithms pages

with linear immunity In Proceedings of the

TwentyFifth Annual ACM Symposium on

Vaz Umesh Vazirani Towards a strong commu

the Theory of Computing pages

nication complexity theory or generating

ACM

quasirandom sequences from two commu

nicating slightlyrand om sources In Pro

DDS D Dolev C Dwork and L Sto ckmeyer

ceedings of the TwentyNinth Annual ACM

On the minimal synchronism needed for dis

Symposium on the Theory of Computing

tributed consensus Journal of the ACM

pages ACM

January

DHPW Cynthia Dwork Maurice Herlihy Serge

Plotkin and Orli Waarts Timelapse snap

shots In Proceedings of Israel Symposium

on the Theory of Computing and Systems

FHS Faith Fich Maurice Herlihy and Nir

Shavit On the complexity of randomized

synchronization In Proceedings of the th

Annual ACM Symposium on Principles of

Distributed Computing August

FLP M Fischer NA Lynch and MS Pater

son Imp ossibili ty of distributed commit

with one faulty pro cess Journal of the

ACM April

Fri Jo el Friedman On the bit extraction prob

lem In Proceedings of the rd Annual

Symposium on Foundations of Computer

Science pages IEEE

Har L H Harp er Optimal numb erings and

isop erimetric problems on graphs Journal

of Combinatorial Theory