Distributed Computing (1986) 1:26 39 Easy impossibility proofs for distributed consensus problems Michael J. Fischer 1, Nancy A. Lynch 2, and Michael Merritt 3 Department of Computer Science, Yale University, P.O. Box 2158, New Haven, CT 06520, USA 2 Laboratory for Computer Science, Massachusetts Institute of Technology, 545 Technology Square, Cambridge, M A 02139, USA s AT & T Bell Laboratories, 600 Mountain Ave, Murray Hill, NJ 07974, USA and Laboratory for Computer Science, Massachusetts Institute of Technology, 545 Technology Square, Cambridge, M A 02139, US A Michael J. Fischer is cur- 1972. She has served on the .klculty of Tufts University, the rently Professor of Computer University of Southern California, Florida International Science at Yale University, University, Georgia Tech. New Haven, CT, where he heads the Theory of Compu- Michael Merritt is currently tation Group. He is also Edi- a member of the technical tor_in_Chief of the Journal of stq[] with AT& T Bell the Association .for Comput- Laboratories. During the 1984 ing Machinery. His research 85 academic year, he was interests include theory of a visiting lecturer at M.I.7:, distributed systems, crypto- sponsered by Bell Labs. His graphic protocols, and compu- research interests include dis- tational complexity. tributed computation, cryptog- Dr. Fischer received the raphy and security. Dr. Merritt B. S. degree in mathematics received the B. S. degree in j?om the University of Mi- computer science and philo- chigan, Ann Arbor, in 1963, sophy from Yale in 1978 and and the M. A. and Ph.D. degrees in applied mathematics the M. Sc. and Ph.D. degrees J?om Harvard University, Cambridge, MA, in 1965 and in 1980 and 1983, respectively, 1968, respectively. He has taught previously at Carnegie- both in inJormation and com- Mellon University, the Massachusetts Institute ~?f Tech- puter science j?om Georgia Tech. He is a member of nology, and the University of Washington. SIGACT and of Computer prqfessionals jor Social Re- sponsibility. Nancy Lynch is currently As- sociate Professor of Com- Abstract. Easy proofs are given, of the impossi- puter Science at M.I.T., and bility of solving several consensus problems heads the Theory of Distrib- (Byzantine agreement, weak agreement, Byzan- uted Systems group in tine firing squad, approximate agreement and M.I.T.'s Laboratory .for Com- puter Science. Her interests clock synchronization) in certain communi- are in all aspects of distribut- cation graphs. ed computing theory, includ- It is shown that, in the presence of m faults, ing fi)rmal models, algorithms, no solution to these problems exists for com- analysis, and correctness munication graphs with fewer than 3m+ 1 no- pro@. Dr. Lynch received ~he B.S. degree in mathematics des or less than 2m+l connectivity. While .from Brooklyn College in some of these results had previously been 1968 and the Ph.D. degree proved, the new proofs are much simpler, pro- in mathematics fi'om M.I.Z in vide considerably more insight, apply to more general models of computation, and (particular- ly in the case of clock synchronization) signifi- OJfprint requests to: M.J. Fischer cantly strengthen the results. This paper has appeared in the ACM Conference Pro- ceedings of PODC 1985. 9 1985, Association for Com- Key words: Agreement - Distributed computing puting Machinery, reprinted by permission - Fault tolerance M.J. Fischer et al.: Easy impossibility proofs for distributed consensus problems 27 1 Introduction [7], while the 2m+1 connectivity requirement was previously unknown. in this paper, we present easy proofs for the For clock synchronization, the 3m+ 1 node impossibility of solving several consensus prob- bound was proved in [6], with a complicated lems in particular communication graphs. We proof. The authors of [6] also claimed that they prove results for Byzantine agreement, weak knew how to prove the corresponding 2m+ 1 agreement, the Byzantine firing squad problem, connectivity lower bound, but we presume that approximate agreement and clock synchroni- such a proof would also be complicated. We zation. The bounds are all the same: tolerating prove both the 3m+l node and the 2m+1 m faults requires at least 3m+l nodes, and connectivity bounds, for a much more general requires at least 2m + 1 connectivity in the com- notion of clock synchronization than in [6]. munication graph. (The connectivity of a graph These synchronization bounds assume that is the minimum number of nodes whose re- there is no direct way nodes measure the pas- moval disconnects the graph. Also, we assume sage of time, other than by reading their in- throughout that graphs have at least three accurate hardware clocks. nodes.) For a given value of m, we call graphs Since we obtain the same lower bounds for with fewer than 3m+l nodes or less than each problem, one might think that the prob- 2m+ 1 connectivity inadequate graphs. lems are equivalent in some sense. This is not Each of our proofs is an argument by con- the case. We see that the bounds for the dif- tradiction. We assume that a given problem can ferent problems require different assumptions be solved in a system with an inadequate com- about the underlying model. For example, the munication graph, and construct a set of system lower bounds for Byzantine and approximate behaviors, which cannot all satisfy the correct- agreement work with virtually any reasonable ness conditions for the given problem, although computational model, while the lower bound they are required to do so. Versions of many of for weak agreement requires a special assump- the results were already known, with proofs of tion, placing a bound on the rate of propaga- this same general form. Our proofs differ from tion of information through the system. The the earlier proofs in the technique we use to bound for clock synchronization requires a dif- construct the set of behaviors. Our technique is ferent assumption about how devices can mea- simpler, and applies to more general models of sure time. Many of the results are sensitive to distributed computation. small differences in underlying assumptions For Byzantine agreement, both bounds were (about such factors as communication delay or already known [12, 5]. The 3m+ 1 node lower the behaviors of faulty nodes.) This paper helps bound in [12] was proved only for a particular to clarify these issues. synchronous model of computation. Although carefully done, the proof is somewhat compli- 2 A model of distributed systems cated and not as intuitive as one might like. In contrast, our proof is simple and transparent, In order to make the impossibility results clear, and applies to general models of computation. concise and general, we introduce a simple A proof of the 2 m + 1 connectivity lower bound model of distributed systems. was presented informally in [5]; we prove that A communication graph is a direct graph G bound more formally and for more general with node set nodes(G) and edge set edges(G), models. such that the directed edges occur in pairs; For weak Byzantine agreement, the require- edge (u, v) ~ edges (G) if and only if ment of 3m+ 1 nodes was known [9], but was (v, u)~edges (G). (We consider a pair of directed proved using a complicated construction. The edges rather than a single undirected edge in new proof is easy and extends to more general order to model the communication in each di- models (although not as general as those for rection separately). We call the edge (u, v) an Byzantine agreement and approximate agree- outedge of u, and an inedge of v. Given U a ment). The 2m+ 1 connectivity requirement was subset of nodes (G), the subgraph G v induced by previously unknown. The result for the Byzan- U is the graph containing all the nodes in U tine firing squad problem follows from a re- and all the edges between nodes in U. The duction to weak agreement in [4]. We provide inedge border of G U is the set of edges from a direct proof. For approximate agreement, the nodes outside U into U; that is, 3m+1 bound was noted, but not proved, in edges (G) c~ ((nodes (G)\ U) x U). 28 M.J. Fischer et al.: Easy impossibility proofs for distributed consensus problems A system ~ is a communication graph G (scenarios) are the same. 1 Clearly, some such with an assignment of a device and an input to locality property must hold, or agreement is each node of G. Devices are undefined primitive trivially achievable by having devices read objects. The specific inputs we consider are en- other device's inputs directly. codings of Booleans, real numbers of real-va- lued functions of time (e.g., local clocks). The Fault axiom. Let A be any device. Let E 1 .... , E a be d edge behaviors, such that each particular type of input depends on the agree- E i is the behavior of the i'th outedge, in some ment problem addressed. If a node is assigned system behavior gi, of a node running A. Let u device A in system fr we say that the node runs be any node with d outedges (u, v0, ..., (u,/)e). A. A subsystem oR of ff is any subgraph G v of G with the associated devices and inputs. There is a device F such that in any system in which u runs F, the behavior of each outedge Every system ~ has a system behavior, ~, which is a tuple containing a behavior of every (u,/)i) is E i. node and edge in G. (We also describe E as a In this case, we write FA(E 1 ...