+ All Categories
Home > Documents > Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman)...

Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman)...

Date post: 25-May-2021
Category:
Upload: others
View: 1 times
Download: 0 times
Share this document with a friend
22
Consensus Impossibility Credit: Ken Birman, Cornell University
Transcript
Page 1: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

Consensus Impossibility

Credit: Ken Birman, Cornell University

Page 2: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

o Two armies have surrounded a cityo Their generals must decide together whether to attack or

retreato Communication through messengers, must pass through the

city and might be interceptedo Both must take the same decision

The two generals paradox2

Page 3: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

Easy enough… or not?3

We attack tomorrow at dawn.

Did they get my message? I can’t attack just yet.

Agreed, we attack tomorrow at dawn.

Did they get the confirmation? If not, they won’t attack…

Confirmation has been received.

Did they get my confirmation? If not, they won’t attack…

Page 4: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

Probably not…4

I confirm receiving the confirmation.

Did they get my last message? If not, they won’t attack…

I confirm receiving the confirmation.

Did they get my last message? If not, they won’t attack…

Page 5: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

o No protocol exists that guarantees both generals are 100% certain of the decision of the other§ Proofs exist

o After 500 confirmations, both would be pretty sure the other will attack

o But “pretty sure” is not guaranteed 100% certainty

The two generals paradox (2)5

Page 6: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

Simplified impossibility proof:

§ Let’s assume a protocol that exchanges N messages exists, which guarantees certainty

§ The Nth message could be lost… meaning, the first N-1messages must be sufficient to guarantee certainty

§ Therefore, there exists such a protocol which exchanges N-1messages

§ Absurd conclusion: there exists such a protocol that exchanges 0 messages

The two generals paradox (3)6

Page 7: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

o Through an unreliable network, two nodes cannot 100% agree even on a single bit

o Perfect state consistency is not achievable over unreliable networks – but in practice, that’s not required

o Protocols exist that mitigate message delivery uncertainty, typically using retries, ACKs, and timeouts§ TCP …

The odd conclusion7

Page 8: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

Fischer, Lynch and Patterson

CS5412 Spring 2012 (Cloud Computing: Birman) 8

• A surprising result• Impossibility of Asynchronous Distributed Consensus

with a Single Faulty Process

• They prove that no asynchronous algorithm for agreeing on a one-bit value can guarantee that it will terminate in the presence of crash faults• And this is true even if no crash actually occurs!• Proof constructs infinite non-terminating runs

Page 9: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

Core of FLP result

CS5412 Spring 2012 (Cloud Computing: Birman) 9

• They start by looking at an asynchronous system of N processes with inputs that are all the same• All 0’s must decide 0, all 1’s decides 1

• They are assume we are given a correct consensus protocol that will “vote” (somehow) to pick one of the inputs, e.g. perhaps the majority value• Now they focus on an initial set of inputs with an

uncertain (“bivalent”) outcome (nearly a tie)• For example: N=5 and with a majority of 0’s the protocol

picks 0, but with a tie, it picks 1. Thus if one of process with a 0 happens to fail, the outcome is different than if all vote

Page 10: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

Core of FLP result

CS5412 Spring 2012 (Cloud Computing: Birman) 10

• Now they will show that from this bivalent state we can force the system to do some work and yet still end up in an equivalent bivalent state

• Then they repeat this procedure

• Effect is to force the system into an infinite loop!• And it works no matter what correct consensus protocol

you started with. This makes the result very general

Page 11: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

Bivalent state

System starts in S*

Events can take it to state S1

Events can take it to state S0

S* denotes bivalent stateS0 denotes a decision 0 stateS1 denotes a decision 1 state

Sooner or later all executions decide 0

Sooner or later all executions decide 1

CS5412 Spring 2012 (Cloud Computing: Birman)11

Page 12: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

Bivalent state

System starts in S*

Events can take it to state S1

Events can take it to state S0

e

e is a critical event that takes us from a bivalent to a

univalent state: eventually we’ll “decide” 0

CS5412 Spring 2012 (Cloud Computing: Birman) 12

Page 13: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

Bivalent state

System starts in S*

Events can take it to state S1

Events can take it to state S0

They delay e and show that there is a situation in which the system will return to a

bivalent state

S’*

CS5412 Spring 2012 (Cloud Computing: Birman) 13

Page 14: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

Bivalent state

System starts in S*

Events can take it to state S1

Events can take it to state S0

S’*

In this new state they show that we can deliver e and

that now, the new state will still be bivalent!

S’’*

e

CS5412 Spring 2012 (Cloud Computing: Birman) 14

Page 15: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

Bivalent state

System starts in S*

Events can take it to state S1

Events can take it to state S0

S’*

Notice that we made the system do some work and yet

it ended up back in an “uncertain” state. We can do

this again and again

S’’*

e

CS5412 Spring 2012 (Cloud Computing: Birman) 15

Page 16: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

Core of FLP result in words• In an initially bivalent state, they look at some

execution that would lead to a decision state, say “0”• At some step this run switches from bivalent to univalent,

when some process receives some message m• They now explore executions in which m is delayed

CS5412 Spring 2012 (Cloud Computing: Birman) 16

Page 17: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

Core of FLP result

• So:• Initially in a bivalent state• Delivery of m would make us univalent but we delay m• They show that if the protocol is fault-tolerant there must be a run

that leads to the other univalent state• And they show that you can deliver m in this run without a decision

being made

• This proves the result: they show that a bivalent system can be forced to do some work and yet remain in a bivalent state.• If this is true once, it is true as often as we like• In effect: we can delay decisions indefinitely

CS5412 Spring 2012 (Cloud Computing: Birman) 17

Page 18: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

But how did they “really” do it?

• Our picture just gives the basic idea• Their proof actually proves that there is a way to

force the execution to follow this tortured path• But the result is very theoretical…

CS5412 Spring 2012 (Cloud Computing: Birman) 18

Page 19: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

Intuition behind this result?• Think of a real system trying to agree on something in

which process p plays a key role• But the system is fault-tolerant: if p crashes it adapts

and moves on• Their proof “tricks” the system into thinking p failed• Then they allow p to resume execution, but make the

system believe that perhaps q has failed• The original protocol can only tolerate1 failure, not 2, so it

needs to somehow let p rejoin in order to achieve progress• This takes time… and no real progress occurs

CS5412 Spring 2012 (Cloud Computing: Birman) 19

Page 20: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

But what did “impossibility” mean?

• In formal proofs, an algorithm is totally correct if• It computes the right thing• And it always terminates

• When we say something is possible, we mean “there is a totally correct algorithm” solving the problem• FLP proves that any fault-tolerant algorithm solving

consensus has runs that never terminate• These runs are extremely unlikely (“probability zero”)• Yet they imply that we can’t find a totally correct solution• And so “consensus is impossible” ( “not always possible”)

CS5412 Spring 2012 (Cloud Computing: Birman) 20

Page 21: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

How did they pull this off?

CS5412 Spring 2012 (Cloud Computing: Birman) 21

• A very clever adversarial attack• They assume they have perfect control over which

messages the system delivers, and when• They can pick the exact state in which a message arrives

in the protocol

• They use this ultra-precise control to force the protocol to loop in the manner we’ve described

• In practice, no adversary ever has this much control

Page 22: Lecture 12c - Impossibilityswift/classes/cs739-fa19...CS5412 Spring 2012 (Cloud Computing: Birman) 21 •A very clever adversarial attack •They assume they have perfect control over

In the real world?

CS5412 Spring 2012 (Cloud Computing: Birman) 22

• The FLP scenario “could happen”• After all, it is a valid scenario. • ... And any valid scenario can happen

• But step by step they take actions that are incredibly unlikely. For many to happen in a row is just impossible in practice• A “probability zero” sequence of events• Yet in a temporal logic sense, FLP shows that if we can

prove correctness for a consensus protocol, we’ll be unable to prove it live in a realistic network setting, like a cloud system


Recommended