Embed Size (px)
Citation preview
The Byzantine Generals ProblemLeslie Lamport , Robert Shostak , Marshall Pease
ACM Transactions on Programming Languages and Systems (TOPLAS), v.4 n.3, p.382-401, July 1982
Citation Count: 734
The aim : to make a reliable computer system
reliable* : able to be trusted to do or provide what is needed : able to be relied on : able to be believed : likely to be true or correct
* http://www.merriam-webster.com/dictionary/reliable
1. INTRODUCTION
A reliable computer system- must handle malfunctioning
components that give conflicting information to different parts of the system i.e.
- must be able to cope (manage in spite of difficulty) with the failures of one or more of its components (conflicting feedback information; no feedback at all)
The problem is expressed abstractly as the Byzantine Generals Problem.
•several divisions of the Byzantine army are camped outside an enemy city.
•each division commanded by its own general. • the generals can communicate with one another only by messenger.
• after observing the enemy, they must decide upon a common plan of action.
The Byzantine Generals Problem (BGP)
THE PROBLEM: some of the generals may be traitors, trying to prevent the loyal generals from reaching agreement.
The necessary conditions of BGP:A. All loyal generals decide upon the same plan of action. The loyal generals will all do what the algorithm says they should, but the traitors may do anything they wish.
The loyal generals should not only reach agreement, but should agree upon a reasonable plan. We therefore also want to insure that
B. A small number of traitors cannot cause the loyal generals to adopt a “bad plan”.
A. All loyal generals decide upon the same plan of action.
(A) by having all generals use the same method for combining the informationB. A small number of traitors cannot cause the loyal generals to adopt a “bad plan”
(B) by using a robust method (based upon a majority vote*) * A small number of traitors can affect the decision only if the loyal generals were almost equally divided between the two possibilities, in which case neither decision could be called bad.
How the conditions A and B can be achieved?
1. Every loyal general must obtain the same information v(1), v(2), .. , v(n).The generals may have different values of v(i) from the traitor i, as he may send different values to different generals.
1'. Any two loyal generals use the same value of v(i).
2. If the ith general is loyal, then the value that he sends must be used by every loyal general as the value of v(i).
The conditions for A to be satisfied:
Byzantine Generals Problem
A commanding general must send an order to his (n - 1) lieutenant generals s.t. the Interactive Consistency conditions (IC) hold:
IC1. All loyal lieutenants obey the same order.
IC2. If the commanding general is loyal, then every loyal lieutenant obeys the order he sends.
2. IMPOSSIBILITY RESULTS
IMPOSSIBILITY RESULTS
If the generals can send only oral messages*, then
NO SOLUTION will work UNLESS > 2/3 of the generals are LOYAL.
3 generals, 1 traitor = 2/3 => NO SOLUTION! (see the example)
* An oral message is one whose contents are completely under the control of the sender, so a traitorous sender can transmit any possible message. Such a message corresponds to the type of message that computers normally send to one another.
* Lieutenant 2 is a traitor
v1 ATTACK v2 RETREAT
What to do???(?) Is it obvious for L1 that L2 is the traitor?
IC2: I must obey the order of the commander (ATTACK) IC1: I need obey the same order as L2 has (RETREAT)
* Commander is a traitor
v1 ATTACK v2 RETREAT
What to do???
The same for L1!!! While L2 now is Loyal. So 2 of them are loyal, 1 traitor -> NO DECISION!!!!
(?) Is it obvious for L1 that L2 is a traitor? NO!!!
We don’t know for sure who is the traitor!
v1 RETREAT v2 ATTACK
What to do???
IMPOSSIBILITY RESULTS(another notation of >2/3)
NO SOLUTION with fewer than 3m+1 generals can cope with m traitors*.
* The proof by contradiction - see the paper pp.385-386
Reaching approximate agreement is just as hard as reaching exact agreement
Assumptions: the generals must agree only upon an approximate time of attack. The commander orders the time of the attack, and we require the following two conditions to hold:
IC1'. All loyal lieutenants attack within 10 minutes of one another.
IC2'. If the commanding general is loyal, then every loyal lieutenant attacks within 10 minutes of the time given in the commander's order.
(We assume that the orders are given and processed the day before the attack and that the time at which an order is received is irrelevant - only the attack time given in the order matters)
This problem is unsolvable unless > 2/3 of the generals are loyal.
**skip**
The example
Suppose the commander orders an attack at 1:00 and orders a retreat at 2:00.
Each lieutenant follows the algorithm:
(1) After receiving the attack time from the commander, a lieutenant does one of the following:
(a) If the time is 1:10 or earlier, then attack.
(b) If the time is 1:50 or later, then retreat.
(c) Otherwise, continue to step (2).
2) Ask the other lieutenant what decision he reached in step (1).
(a) If the other lieutenant reached a decision, then make the same decision he did.
(b) Otherwise, retreat.
**skip**
3. A SOLUTION WITH ORAL MESSAGES
The assumptions of the oral messages system: A1. Every message that is sent is delivered correctly - The traitor cannot interfere with the messages they do send.
A2. The receiver of a message knows who sent it - The traitor cannot confuse their intercourse by introducing spurious messages with the names of other generals
A3. The absence of a message can be detected- This will foil a traitor who tries to prevent a decision by simply not sending messages.
The additional assumption for the 3rd and 4th sections:
(A*). each general is able to send messages directly to every other general.
There is no such requirement for the 5th section.
Prevention of the crash: If there is no messages from the commander-traitor: let RETREAT be the default order for the loyal lieutenants.
What information to take? Choose: 1. The majority(v1, v2,.., vn) value among the vi if it exists, otherwise the value RETREAT; 2. The median of the vi, assuming that they come from an ordered set.
ORAL MESSAGE ALGORITHMS
Algorithm OM(0), i.e. no traitors:
(1) The commander sends his value to every lieutenant.
(2) Each lieutenant uses the value he receives from the commander, or uses the value RETREAT if he receives no value.
ORAL MESSAGE ALGORITHMSAlgorithm OM(m), m > 0 - there are the traitors.(1) The commander sends his value to every lieutenant. (2) For each i, let vi be the value Lieutenant i receives from the commander, or else be RETREAT if he receives no value. Lieutenant i acts as the commander in Algorithm OM(m-1) to send the value vi to each of the n - 2 other lieutenants. (3) For each i, and each j != i, let vj be the value Lieutenant i received from Lieutenant j in step (2) (using Algorithm OM(m - 1)), or else RETREAT if he received no such value. Lieutenant i uses the value majority(v1, v2,.., vn-1)
n = 4 m = 1 (L3)
OM(1) 1.The commander sends v to all 2.send (L1 -> L2; v) using OM(0); send (L3 -> L1; x) using
OM(0); L2 has not send anything yet. 3.L2 has: v1 = v2 = v and v3 = x, so he obtains the correct
value v = majority(v, v, x).
* Lieutenant 3 is a traitor
* Commander is a traitor
OM(1) 1.The commander sends false x, y, z 2.Everyone sends their vi from the commander to all 3.L1-L2 all has the same info: v1 = x; v2 = y; v3 = z, so they
all obtain the same value majority(x, y, z) -> the commander is the traitor -> RETREAT.
The correctness of OM(m)
LEMMA 1. For any m and k, Algorithm OM (m) satisfies IC2 if there are more than 2k + m generals and at most k traitors.
THEOREM 1. For any m, Algorithm OM (m) satisfies conditions IC1 and IC2 if there are more than 3m generals and at most m traitors.
4. A SOLUTION WITH SIGNED MESSAGES
The traitor’s ability to lie makes the BGP difficult. What if we can restrict this traitor’s ability?
The solution: sending of the unforgeable signed messages (we add A4)
Additional assumption A4: (a) A loyal general's signature cannot be forged, and any alteration of the contents of his signed messages can be detected. (b) Anyone can verify the authenticity of a general's signature.
* We don’t care about a traitorous general's signature
With signed messages, our constraints about the possible number of traitors no longer holds.
In fact, a three-general solution does exist. We now give an algorithm that copes with m traitors for any number of generals. (The problem is vacuous if there are fewer than m + 2 generals.)
Our algorithm assumes a function choice which is applied to a set of orders to obtain a single one.
The only requirements we make for this function are
1. If the set V consists of the single element v, then choice(V) = v.
2. choice(0) = RETREAT, where 0 is the empty set.
One possible definition is to let choice(V) be the median element of V, assuming that there is an ordering of the elements.
SIGNED MESSAGE ALGORITHM SM(m)Initially Vi = 0. (1) The commander signs and sends his value to every lieutenant. (2) For each i: (A) If Lieutenant i receives a message of the form v:0 from the commander and he has not yet received any order, then (i) he lets Vi equal {v}; (ii) he sends the message v:0:i to every other lieutenant.
SIGNED MESSAGE ALGORITHM SM(m)(B) If Lieutenant i receives a message of the form v:0:j1:j2:..:jk and v is not in the set Vi, then (i) he adds v to Vi; (ii) if k < m, then he sends the message v:0:j1:j2:..:jk:i to every lieutenant other than j1:j2:..:jk.
(3) For each i: When Lieutenant i will receive no more messages [one message of the form v:0:j1:j2:..:jk or time-out], he obeys the order choice(Vi).
Each lieutenant i maintains a set Vi, containing the set of properly signed orders he has received so far. If the commander is loyal, then this set Vi should never contain more than a single element. * Do not confuse Vi, the set of orders he has received, with the set of messages that he has received. There may be many different messages with the same order.
general 0 - the commander
Note thatIn step (2), Lieutenant i ignores any message - containing an order v that is already in the set Vi. - that do not have the proper form of a value followed by a string of signatures.
The correctness of SM(m)
THEOREM 2. For any m, Algorithm SM(m) solves the BGP if there are at most m traitors.
5. MISSING COMMUNICATION
PATHS
No more that additional assumption:
each general is able to send messages directly to every other general.
We suppose that physical barriers place some restrictions on who can send messages to whom.
We consider the generals to form the nodes of a simple*,finite undirected graph G, where an arc between two nodes indicates that those two generals can send messages.
Thus we need an extension to OM(m) and SM(m)!
* A simple graph is one in which there is at most one arc joining any two nodes, and every arc connects two distinct nodes.
Two generals are said to be neighbors if they are joined by an arc.
Definition 1.
(a) A set of nodes (i1, ..., ip} is said to be a regular set of neighbors of a node i if:
(i) each ij is a neighbor of i, and
(ii) for any general k different from i, there exist paths yj,k from ij to k not passing through i such that any two different paths yj,k have no node in common other than k.
(b) The graph G is said to be p-regular if every node has a regular set of neighbors consisting of p distinct nodes.
an example of a simple
3-regular graph.an example of a graph
that is not 3-regular (because the central node
has no regular set of neighbors
containing three nodes)
The extension of OM(m) in the presence of m traitors if the graph G of generals is 3m-regular. (Note that a 3m-regular graph must contain at least 3m + 1 nodes.) For all positive integers m and p, we define the algorithm OM(m, p) as follows when the graph G of generals is p-regular. (OM(m,p) is not defined if G is not p-regular.) The definition uses induction on m.
ORAL MESSAGE ALGORITHM EXTENSION OM(m,p):(0) Choose a regular set N of neighbors of the commander consisting of p lieutenants. (1) The commander sends his value to every lieutenant in N. (2) For each i in N, let vi be the value Lieutenant i receives from the commander, or else RETREAT if he receives no value. Lieutenant i sends vi to every other lieutenant k as follows: (A) If m = 1, then by sending the value along the path yi,k whose existence is guaranteed by part (a)(ii) of Definition 1.
ORAL MESSAGE ALGORITHM EXTENSION OM(m,p):
(B) If m > 1, then by acting as the commander in the algorithm OM(m-1, p-1), with the graph of generals obtained by removing the original commander from G.
3) For each k, and each i in N with i != k, let vi be the value Lieutenant k received from Lieutenant i in step (2), or RETREAT if he received no value. Lieutenant k uses the value majority(vi1,..,vip,), where N = {i1,..,ip}.
The correctness of OM(m,p)
LEMMA 2. For any m > 0 and any p >= 2k + m, Algorithm OM (m, p) satisfies IC2 if there are at most k traitors.
THEOREM 3. For any m > 0 and any p >= 3m, Algorithm OM(m, p) solves the BGP if there are at most m traitors.
The correctness of extended SM(m)
THEOREM 4. For any m and d, if there are at most m traitors and the subgraph of loyal generals has diameter d, then modified Algorithm SM(m + d - 1) solves the BGP.
COROLLARY. If the graph of loyal generals is connected, then modified SM(n - 2) solves the BGP for n generals.
