Upload
alize
View
46
Download
0
Embed Size (px)
DESCRIPTION
Distributed Consensus (continued). Byzantine Generals Problem Solution with signed message. A signed message satisfies all the conditions of oral message, plus two extra conditions Signature cannot be forged. Forged message are detected and discarded by loyal generals. - PowerPoint PPT Presentation
Citation preview
Distributed Consensus (continued)
Byzantine Generals ProblemSolution with signed message
A signed message satisfies all the conditions of oral message, plus two extra conditions
• Signature cannot be forged. Forged message are detected and discarded by loyal generals.
• Anyone can verify its authenticity of a signature.
Signed messages improve resilience.
Examplecommander 0 commander 0
lieutenent 1 lieutenant 2 lieutenent 1 lieutenant 2
(a) (b)
1{0} 1{0}
0{0,2}
1{0}
0{0}
0{0,2}
1{0,1}
discard
Using signed messages, byzantine consensus is feasible with 3 generals and 1 traitor. In (b) the the loyal lieutenants compute theconsensus value by applying some choice function on the set of values
Signature list
0
1
7 2
4
v{0} v{0,1}
v{0,1,7}
v{0,1,7,4}
Byzantine consensus:The signed message algorithms SM(m)
Commander i sends out a signed message v{i} to each lieutenant j ≠ i
Lieutenant j, after receiving a message v{S}, appends it to a set V.j, only if (i) it is not forged, and (ii) it has not been received before.
If the length of S is less than m+1, then lieutenant j (i) appends his own signature to S, and (ii) sends out the signed message to every other lieutenant whose signature does not appear in S.
Lieutenant j applies a choice function on V.j to make the final decision.
Theorem of signed messages
If n ≥ m + 2, where m is the maximum number of traitors,
then SM(m) satisfies both IC1 and IC2.
Proof.Case 1. Commander is loyal. The bag of each process willcontain exactly one message, that was sent by the commander.
(Try to visualize this)
Proof of signed message theorem
Case 2. Commander is traitor.
• The signature list has a size (m+1), and there are m traitors, so at least one lieutenant signing the message must be loyal.
• Every loyal lieutenant i will receive every other loyal lieutenant’s message. So, every message accepted by j is also accepted by i and vice versa. So V.i = V.j.
Example
ab c
fa
b
c
0
1
2
3
{a, b,-}
{a, b, c}
With m=2 and a signature list of length 2, the loyal generals maynot receive the same order from the commander who is a traitor.When the length of the signature list grows to 3, the problem is resolved
3 accepts c,but 2 rejects f
Concluding remarks
• The signed message version tolerates a larger number (n-2) of faults.
• Message complexity however is the same in both cases.
Message complexity = (n-1)(n-2) … (n-m+1)
Failure detectors
Failure detector for crash failures
• The design of fault-tolerant algorithms will be simple if processes can detect (crash) failures.
• In synchronous systems with bounded delay channels, crash failures can definitely be detected using timeouts.
Failure detectors for asynchronous systems
In asynchronous distributed systems, the detection of
crash failures is imperfect. There will be false positives
and false negatives. Two properties are relevant:
Completeness. Every crashed process is eventually suspected.
Accuracy. No correct process is ever suspected.
13
Failure Detectors
However:
• Hints may be incorrect
• FD may give different hints to different processes
• FD may change its mind (over & over) about the
operational status of a process
An FD is a distributed oracle that provides hints about the operational status of processes.
14
Typical FD Behavior
downProcess p
up
FD at qtrust
suspect
trust
suspect(permanently)
trust
suspect
Revisit the Consensus problem
input output
1 2 3 4
Agreed value
Example
0
6
1 3
5
247
0 suspects {1,2,3,7} to have failed. Does this satisfy completeness?Does this satisfy accuracy?
Classification of completeness
• Strong completeness. Every crashed process is eventually suspected by every correct process, and remains a suspect thereafter.
• Weak completeness. Every crashed process is eventually suspected by at least one correct process, and remains a suspect thereafter.
Note that we don’t care what mechanism is used for suspecting a process.
Classification of accuracy
• Strong accuracy. No correct process is ever suspected.
• Weak accuracy. There is at least one correct process that is never suspected.
Transforming completenessWeak completeness can be transformed into strong completeness
Program strong completeness (program for process i};define D: set of process ids (representing the suspects);initially D is generated by the weakly complete failure detector of i;
{program for process i}do true
send D(i) to every process j ≠ i;receive D(j) from every process j ≠ i;D(i) := D(i) D(j);∪if j D(i) ∈ D(i) := D(i) \ j fi
od
Eventual accuracy
A failure detector is eventually strongly accurate, if there exists a time T after which no correct process is suspected.
(Before that time, a correct process be added to and removed from the list of suspects any number of times)
A failure detector is eventually weakly accurate, if there exists a time T after which at least one process is no more suspected.
Classifying failure detectors
Perfect P. (Strongly) Complete and strongly accurateStrong S. (Strongly) Complete and weakly accurateEventually perfect ◊P.
(Strongly) Complete and eventually strongly accurateEventually strong ◊S
(Strongly) Complete and eventually weakly accurate
Other classes are feasible: W (weak completeness) andweak accuracy) and ◊W
MotivationQuestion 1. Given a failure detector of a certain type,
how can we solve the consensus problem?
Question 2. How can we implement these classes of failure detectors in asynchronous distributed systems?
Question 3. What is the weakest class of failure detectors that can solve the consensus problem?
(Weakest class of failure detectors is closest to reality)
23
Application of Failure Detectors
• Group Membership• Group Communication• Atomic Broadcast • Primary/Backup systems
• Atomic Commitment• Consensus• Leader Election• …..
Applications often need to determine which processes are up (operational) and which are down (crashed). This service is provided by Failure Detector. FDs are at the core of many fault-tolerant algorithms and applications, like
24
p
q
rs
t
q
q
q
q
s
s
SLOW
25
p
q
rs
t
5
7
82
8
Consensus
5
55
5
Crash!
26
Solving Consensus
• In synchronous systems: Possible
• In asynchronous systems: Impossible [FLP83]
even if:• at most one process may crash, and• all links are reliable
A more complete classification of failure detectors
strong completeness
weak completeness
strong accuracy weak accuracy ◊ strong accuracy ◊ weak accuracy
Perfect P Strong S ◊P ◊S
Weak W ◊W
Consensus using P{program for process p, t = max number of faulty processes}
initially Vp := ( , , , …, ); {array of size n}⊥ ⊥ ⊥ ⊥
Vp[p] = input of p; Dp := Vp; rp :=1
{Vp[q] = ⊥ means, process p thinks q is a suspect. Initially everyone is a suspect}
{Phase 1} for round rp= 1 to t +1
send (rp, Dp, p) to all;
wait to receive (rp, Dq, q) from all q, {or else q becomes a suspect};
for k = 1 to n Vp[k] = (r⊥ ∧ ∃ p, Dq, q): Dq[k] ≠ ⊥ Vp[k] := Dq[k] end for
end for
{at the end of Phase 1, Vp for each correct process is identical}
{Phase 2} Final decision value is the input from the first element Vp[j]: Vp[j] ≠ ⊥
Understanding consensus using P
Why continue (t+1) rounds?
It is possible that a process p sends out the first message to q
and then crashes. If there are n processes and t of them
crashed, then after at most (t +1) asynchronous rounds, Vp for
each correct process p becomes identical, and contains all
inputs from processes that may have transmitted at least once.
Understanding consensus using P
1 2 t
Sends (1, D1) and then crashes
Sends (2, D2) and then crashes
Sends (t, Dt) and then crashes
Completely connected topology
Well, I received D from 1, butdid everyone receive it? To ensure multiple rounds of broadcasts arenecessary …
Well, I received D from 1, butdid everyone receive it? To ensure multiple rounds of broadcasts arenecessary …
Consensus using other type of failure detectors
Algorithms for reaching consensus with several other forms of failure detectors exist. In general, the weaker is the failure detector, the closer it is to reality (a truly asynchronous system), but the harder is the algorithm for implementing consensus.
Consensus using S
Vp := ( , , , …, ⊥ ⊥ ⊥ ⊥); Vp[p] := input of p; Dp := Vp
(Phase 1) Same as phase 1 of consensus with P – it runs for (t+1) asynchronous rounds
(Phase 2) send (Vp, p) to all;
receive (Dq, q) from all q;
for k = 1 to n V∃ q[k]: Vp[p] ≠ V⊥ ∧ q[k] = ⊥ Vp[k] := Dp[k] := ⊥ end for
(Phase 3) Decide on the first element Vp [j]: Vp [j] ≠ ⊥
Consensus using S: example
Assume that there are six processes: 0,1,2,3,4,5. Of
these 4, 5 crashed. And 3 is the process that will never
be suspected. Assuming that k is the input from
process k, at the end of phase 1, the following is
possible:
V0 = (0, , 2, ⊥ 3, ,⊥ ⊥)
V1 = ( , 1, , ⊥ ⊥ 3, ,⊥ ⊥)
V2 = (0, 1, 2, 3, ,⊥ ⊥)
V3 = ( , 1, , ⊥ ⊥ 3, ,⊥ ⊥)
At the end of phase 3, the processes agree upon the
input from process 3
0 1
2 3
(0, , 2, ⊥ 3, ,⊥ ⊥) ( , 1, , ⊥ ⊥ 3, ,⊥ ⊥)
5 4
(0, 1, 2, 3, ,⊥ ⊥) ( , 1, , ⊥ ⊥ 3, ,⊥ ⊥)
Conclusion
◊W
Asynchronous system
W
◊S
◊P
S
P Consensus Problem
Cannot solveconsensus
Cannot solveconsensusCan solveconsensus
Paxos
• A solution to the asynchronous consensus problem due to Lamport.
• Runs on a completely connected network of n processes• Tolerates up to m failures, where n >2m+1. Processes can
crash and messages may be lost, but Byzantine failures are ruled out
• Although the requirements for consensus are agreement, validity, and termination, Paxos primarily guarantees agreement and validity.(If it guaranteed all three properties, then that would violate FLP)
PropertiesSafety PropertiesValidity. Only a proposed value can be chosen as the final decision.Agreement. Two different processes cannot make different
decisions.
Liveness PropertiesTermination. Some proposed value is eventually chosen.
(Is it really satisfied without some form of randomization?)Notification. If a value has been chosen, a node can eventually learn
the value.
Three roles of processes
• Each process may play three different roles: proposer, acceptor and learner
acceptor decision
proposer
Too simplistic. What if the acceptor crashes?
proposer
proposer
Paxos algorithm
Phase 1 (prepare):Step 1.1. Each proposer sends a proposal (v, n) to each acceptorStep 1.2. If n is the largest sequence number of a proposal
received by an acceptor, then it sends an ack (n,-,-) to its proposer, which is a promise that it will ignore all proposals numbered lowered than n. In case an acceptor has already accepted a proposal with a sequence number n’< n and a proposed value v, it responds with an ack (n, v, n’). (it implies that the proposer has no point in trying to push the same value with a larger sequence no) [It can however send a new request with the value v]
Paxos algorithm
Phase 2 (accept):Step 2.1. If a proposer receives an ack (n,-,-) from a majority of
acceptors, then it sends accept (n,v) to all acceptors, asking them to accept this value. (Note. If however, an acceptor returned an ack (n,v,n’) to the proposer in phase 1 (which means that it already accepted proposal with value v ) then the proposer must include the value v with the highest sequence number in its request to the acceptors.)
Step 2.2. An acceptor accepts a proposal (n,v) unless it has already promised to consider proposals with a sequence number greater than n.
The final decision
When a majority of the acceptors accepts a proposed value, it becomes the final decision value.
The acceptors multicast the accepted value to the learners. It enables them to determine if a proposal has been accepted by a majority of acceptors.
The learners convey it to the client processes.
Observations
Observation 1. An acceptor accepts a proposal with a sequence number n if it has not sent a promise to any proposal with a sequence number n’> n .
Observation 2. If a proposer sends an accept (v,n) message in phase 2, then either no acceptor in a majority has accepted a proposal with a sequence number n’< n , or v is the value in the highest numbered proposal among all accepted proposals with sequence numbers n’< n accepted by at least once acceptor in a majority of them.
What about Liveness?
(Phase 1) Proposer 1 sends out prepare (v, n1);(Phase 1) Proposer 2 sends out prepare (v,n2), where n2 > n1 ;
(Phase 2) Proposer 1’s accept (n1) is declined, since the acceptor has already promised to proposer 2 that it will not accept any proposal numbered lower than n2. So proposer 1 restarts phase 1 with a higher number n3 > n2;(Phase 2) Proposer 2’s accept request is now declined on a similar ground;
The race can go on forever! To avoid this, either elect a single proposer (how?) or use randomization.
Consider the following scenario: