Lower Bounds for Distributed Coin-Flipping and Randomized
Total Page:16
File Type:pdf, Size:1020Kb
Lower Bounds for Distributed CoinFlipping and Randomized Consensus James Aspnes forms the basis of the consensus lower b ound but is in Abstract teresting in its own right We examine a class of col lective coinipping games Consensus is a fundamental problem in distributed that arises from randomized distributed algorithms with computing in which a group of pro cesses must agree on halting failures In these games a sequence of local coin a bit despite the interference of an adversary An addi ips is generated which must b e combined to form a tional condition forbids trivial solutions that always pro single global coin ip An adversary monitors the game duce the same answer In an asynchronous setting it and may attempt to bias its outcome by hiding the re has long b een known that if an adversary can halt a sin sult of up to t lo cal coin ips We show that to guaran gle pro cess then no deterministic consensus algorithm 2 tee at most constant bias t lo cal coins are needed is p ossible without the use of p owerful synchronizatio n even if a the lo cal coins can have arbitrary distribu primitives CIL DDS FLP Her LAA tions and ranges b the adversary is required to de In contrast randomized algorithms can solve con cide immediately whether to hide or reveal each lo cal sensus in a sharedmemory system for n pro cesses even coin and c the game can detect which lo cal coins have if the adversary can halt up to n pro cesses Such b een hidden If the adversary is p ermitted to control algorithms are called waitfree Her b ecause any pro the outcome of the coin except for cases whose prob cess can nish the algorithm without waiting for slower 2 2 ability is p olynomial in t t log t lo cal coins are or p ossibly dead pro cesses These algorithms work needed Combining this fact with an extended version even under the assumption that failures and the tim of the wellknown FischerLynchPaterson imp ossibili ty ing of all events in the system are under the control of pro of of deterministic consensus we show that given an adaptive adversary one that can observe and react an adaptive adversary any tresilient asynchronous con to all asp ects of the systems execution including the 2 2 sensus proto col requires t log t lo cal coin ips in internal states of the pro cesses any mo del that can b e simulated deterministical ly using atomic registers This gives the rst nontrivial lower The rst known algorithm that solves shared b ound on the total work required by waitfree consensus memory consensus against an adaptive adversary is and is tight to within logarithmic factors the exp onentialti me algorithm of Abrahamson Abr since its app earance numerous p olynomial time algo rithms have app eared AH ADS SSW Asp Intro duction DHPW BR BR AW Most of these algo rithms are built around shared coin protocols in which the pro cesses individual l y generate many random lo Our results divide naturally into two parts a lower cal coin ips which are combined by ma jority voting b ound for asynchronous randomized consensus in a wide The adversary may bias the outcome of the voting by variety of mo dels and a still more general lower b ound selectively killing pro cesses that have chosen to vote the for a large class of collective coinippin g games that wrong way b efore they can reveal their most recent Yale University Department of Computer Science votes to the other pro cesses To prevent the adversary Prosp ect StreetPO Box New Haven CT from getting more than a constant bias it is necessary Supp orted by NSF grants CCR and CCR E to collect enough votes that the hidden votes shift the mail aspnescs y ale e du outcome by no more than a constant numb er of stan dard deviations With up to n failures as in the 2 waitfree case this requires a total of n lo cal coin 2 ips and at least n work in order to communicate 1 these coinips 1 Some of the algorithms deviate slightly from the simple Improvements in other asp ects of consensus algo Related Work rithms have steadily brought their costs down from the 4 2 O n total work of AH to the O n log n total work Many varieties of collective coinippin g games have of BR But while these algorithms have steadily ap b een studied starting with the work of BenOr and 2 proached the n barrier none have broken it How Linial BOL Many such games assume that the lo ever no pro of was known that consensus could not b e cations of faulty coins are xed in advance under these 2 solved in less than n time the barrier was solely a assumptions very ecient games exist AN CL result of the apparent absence of alternatives to using BOL Sak Another assumption that greatly lim shared coins based on ma jority voting Indeed it was its the p ower of the adversary is to require that b oth asked in Asp if it was necessarily the case that a ev the lo cations and values of faulty coins are xed in ad + ery consensus proto col contained an emb edded shared vance this is the bit extraction problem CFG Fri coin proto col and b no shared coin proto col could Vaz in which it is p ossible to derive completely un achieve b etter p erformance than ma jority voting biased random bits If none of these limiting assumptions are made the Our Results adversary gains considerabl y more p ower An excellent survey of results for a wide variety of mo dels involving In this pap er we answer b oth of these questions though fair or nearly fair twovalued lo cal coins can b e found the answers are not as simple as might have b een hop ed in BOLS Our work diers from these in that we We show that a every tresilient asynchronous consen allow arbitrary distribution s on the lo cal coins With a sus proto col in the sharedmemory mo del with at least restriction to fair coins Harp ers isop erimetric inequal constant probability either executes a shared coin pro ity for the hyp ercub e Har implies that the ma jority to col with bias at most one minus a p olynomial in t or function gives the least p ower to an oline adversary 2 carries out an exp ected t lo cal coinips avoiding that can see all coins b efore deciding which to change it and b any such shared coin proto col requires an and Lichtenstein Linial and Saks LLS have shown 2 2 exp ected t log t lo cal coin ips It follows that that ma jority is also optimal against an online adver tresilient asynchronous consensus requires an exp ected sary similar to the one we consider here Without such a 2 2 t log t lo cal coin ips Since proto cols based on restriction the b est previously known b ound is a b ound p 2 n on the inuence of an adversary that can ma jority voting require only O t lo cal coin ips this of lower b ound is very close to b eing tight hide one coin this is an easy corollary of a theorem ab out gaps in martingale sequences due to Cleve and Since we are counting coinips rather than op era Impagliazzo CI tions the lower b ound is not aected by deterministic simulations So for example it continues to hold in A very nice lower b ound on the space used by wait messagepassing mo dels with up to t pro cess failures free sharedmemory consensus is due to Fich Herlihy since a message channel can b e simulated by an un and Shavit FHS They show that any such consensus p b oundedly large register or in a sharedmemory mo del proto col must use n distinct registers to guaran with counters or cheap atomic snapshots Furthermore tee agreement Unfortunately their techniques do not since our lower b ound assumes that lo cal coin ips can app ear to generalize to showing lower b ounds on work have arbitrary ranges and distribution s we may assume without loss of generality that any two successive coin ips by the same pro cess are separated by at least one CoinFlipping Games deterministic op eration in any of these mo dels so the lower b ound on lo cal coinips in fact implies a lower A collective coinippin g game BOL is an algorithm b ound on total work for combining many local coins into a single global coin The lower b ound on coinippi ng games is still more whose bias should b e small even though some of the general and holds in any mo del in which the adversary lo cal coins may b e obscured by a malicious adversary may intercept up to t lo cal coinips b efore they are re Though the particular coinippi ng games we consider vealed no matter what deterministic synchronization here are motivated by their application to proving lower primitives or shared ob jects are available Furthermore b ounds on distributed algorithms with failures they ab it is tight in the sense that it shows that no constantbias stract away almost all of the details of the original dis 2 shared coin can use less than t lo cal coins a b ound tributed systems and are thus likely to b e useful in other achieved ignoring constants by ma jority voting contexts ma jorityvoting approach describ ed here In the algorithm of We assume that the lo cal coins are indep endent ran Aspnes Asp some votes are generated deterministically In dom variables whose ranges and distributions are arbi the algorithm of Saks Shavit and Woll SSW several coin trary The values of these variables are revealed one at ipping proto cols optimized for dierent execution patterns are run in parallel In the algorithm of Aspnes and Waarts AW a time to an adversary who must immediately cho ose pro cesses that have already cast many votes generate votes with whether to reveal or obscure each value If the adver increasing weights in order to nish the proto col quickly How sary cho oses to obscure the value of a particular lo cal ever none of these proto cols costs