Upload File

byzentine clocks

7
Byzantine Clock Synchronization Leslie Lamport 1 P. M. Melliar-Smith 2 Computer Science Laboratory SRI International Abstract An informal description is given of three fault-tolerant clock-synchronization algorithms. These algorithms work in the presence of arbitrary kinds of failure, including "two- faced" clocks. Two of the algorithms are derived from Byzantine Generals solutions. 1. Introduction Many multiprocess systems, especially process-control systems, require processes to maintain clocks that are syn- chronized with one another [4], [6], [11]. Physical clocks do not keep perfect time, but can drift with respect to one another, so the clocks must periodically be resynchronized. For such a process to be fault-tolerant, the clock synchro- nization algorithm must work despite faulty behavior by some processes and clocks. The purpose of this paper is to provide an infor- mal, intuitive description of three fault-tolerant clock- synchronization algorithms. We refer the reader to [7] for the details, including a precise statement of the problem, a rigorous description of the algorithms, and a proof of their correctness. It is easy to construct fault-tolerant clock-synchroniza- tion algorithms if one restricts the type of faults that are perm itted. However, it is difficult to find algorithms that lWork supported in part by the National Science Foundation under grant number MCS-8104459. 2Work supported in part by the National Aeronautics and Space Ad- ministration under grant number NASA 99-34234. Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association for Comput;ng Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. © 1984 ACM0-89791-143-1 84 008/0068 $00.75 can handle arbitrary faults--in particular, faults that result in "two-faced" clocks. Consider a three-process system in which: • Process l's clock reads 1:00 • Process 3's clock is faulty in such a way that when read by Process 1 it gives the value 0:00 and when read by Process 2 it gives the value 3:00. Processes 1 and 2 are in symm etric positions; each sees one clock that reads an hour earlier than its own clock, and one clock that reads an hour later. The obvious synchronization algorithms, which are symm etric, will not cause Processes 1 and 2 to reset their clocks in a way that would bring their values closer together. The study of this problem was initiated by the realization, during the design of the SIFT reliable aircraft control computer [11], that such malicious faults can occur in practice. The algorithms described in this paper assume that each process can read every other process's clock. They work in the presence of any kind of fault, including such malicious two-faced clocks. We let a process's clock be part of the process, so a clock failure is just one kind of process failure. We consider only process failures, ignoring com munication line failures. At worst, the failure of a com- munication line joining two processes can be analyzed as if it were a failure of either of the processes. Com munication - line failure is briefly discussed in [7]. Our first algorithm is called an interactive convergence algorithm, since it causes correctly working clocks to con- verge, but the closeness with which they can be synchro- nized depends upon how far apart they are allowed to drift before being resynchronized. In a network of at least 3m+ 1 processes, it will handle up to m faults. The remaining two algorithms are called interactive consistency algorithms, so named because the nonfaulty processes obtain mutually consistent views of all the clocks. In these algorithms, the degree of synchronization--the maximum difference between any two nonfaulty processes' clocks-- depends only upon the accuracy with which pro- 6 8

Upload: rashmi-ranjan

Post on 07-Apr-2018

231 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Byzentine Clocks

8/6/2019 Byzentine Clocks

http://slidepdf.com/reader/full/byzentine-clocks 1/7

Byzantine C lock Synchronization

L e s l i e L a m p o r t 1

P . M . M e l l i a r -S m i t h 2

C o m p u t e r S c i e n c e L a b o r a t o r y

S R I I n t e r n a t i o n a l

A b s t r a c t

A n i n f o r m a l d e s c r i p t i o n i s g i v e n o f t h r e e f a u l t - t o l e r a n t

c l o c k - s y n c h r o n iz a t io n a l g o r i t h m s . T h e s e a l g o r i t h m s w o r k

i n th e p r e s e n c e o f a r b i t r a r y k i n d s o f f a i lu r e , i n c l u d i n g " t w o -

f a c e d " c lo c k s . T w o o f t h e a l g o r i t h m s a r e d e r i v e d f r o m

B y z a n t i n e G e n e r a l s s o l u t i o n s .

1 . I n t r o d u c t i o n

M a n y m u l t i p r o c e s s s y s t e m s , e s p e c ia l l y p r o c e s s - c o n t r o l

s y s t e m s , r e q u i r e p r o c e s s e s to m a i n t a i n c l o c k s t h a t a r e sy n -

c h r o n i z e d w i t h o n e a n o t h e r [ 4 ] , [ 6 ] , [ 11 ]. P h y s i c a l c l o c k s

d o n o t k e e p p e r f e c t t i m e , b u t c a n d r i f t w i t h r e s p e c t t o o n e

a n o t h e r , s o t h e c l o c k s m u s t p e r i o d i c a l l y b e r e s y n c h r o n i z e d .

F o r s u ch a p r o c e s s t o b e f a u l t - t o l e r a n t , t h e c l o c k s y n c h r o -

n i z a ti o n a l g o r i t h m m u s t w o r k d e s p i te f a u l t y b e h a v i o r b y

s o m e p r o c e s s e s a n d c l o c k s .

T h e p u r p o s e o f t h i s p a p e r i s t o p r o v i d e a n i n f o r -

m a l , i n t u i t i v e d e s c r i p t i o n o f t h r e e f a u l t - t o l e r a n t c l o c k -

s y n c h r o n i z a t i o n a l g o r i t h m s . W e r e f e r t h e r e a d e r t o [7 ] f o rt h e d e t a i ls , i n c l u d i n g a p r e c is e s t a t e m e n t o f t h e p r o b l e m , a

r i g o r o u s d e s c r i p t i o n o f t h e a l g o r i t h m s , a n d a p r o o f o f t h e i r

c o r r e c t n e s s .

I t is e a s y t o c o n s t r u c t f a u l t - t o l e r a n t c l o c k - s y n c h r o n i z a -

t i o n a l g o r i t h m s i f o n e r e s t r i c t s t h e t y p e o f fa u l t s t h a t a r e

p e r m i t t e d . H o w e v e r , it is d i f f ic u l t t o f in d a l g o r i t h m s t h a t

lWork supported in part by the National Science Foundation under

grant number MCS-8104459.

2W ork supported in part by the National Aeronautics and Space Ad-

ministration under grant number NA SA 99-34234.

Permission to copy without fee all or part of this material is grantedprovided that the copies are not made or distributed for directcommercial advantage, the ACM copyright notice and the t i t le of thepublication and its date appear, and notice is given that copying is bypermission of the Association for Comput;ng Machinery. To copyotherwise, or to republish, requires a fee and/or specific permission.

© 1 98 4 A C M 0 - 8 9 7 9 1 - 1 4 3 - 1 8 4 0 0 8 / 0 0 6 8 $ 0 0 .7 5

c a n h a n d l e a r b i t r a r y f a u l t s - - i n p a r t i c u l a r , f a u l t s t h a t r e s u l t

i n " t w o - f a c e d " c l o ck s . C o n s i d e r a th r e e - p r o c e s s s y s t e m i n

w h i c h :

• P r o c e s s l ' s c lo c k r e a d s 1 : 00

• P r o c e s s 2 ' s c l o c k r e a d s 2 : 0 0

• P r o c e s s 3 ' s c l o c k i s f a u l t y i n s u c h a w a y t h a t w h e n

r e a d b y P r o c e s s 1 i t g iv e s t h e v a l u e 0 : 0 0 a n d w h e n

r e a d b y P r o c e s s 2 it g i v e s t h e v a l u e 3 :0 0 .

P r o c e s s e s 1 a n d 2 a r e i n s y m m e t r i c p o s i t i o n s ; e a c h s e e s o n e

c l o c k t h a t r e a d s a n h o u r e a r l i e r t h a n i t s o w n c l o c k , an d o n e

c l oc k t h a t r e a d s a n h o u r l a t er . T h e o b v i o u s s y n c h r o n i z at i o n

a l g o r i t h m s , w h i c h a r e s y m m e t r i c , w i l l n o t c a u s e P r o c e s s e s

1 a n d 2 to r e s e t t h e i r c l o c k s i n a w a y t h a t w o u l d b r i n g

t h e i r v a lu e s c lo s e r t o g e t h e r . T h e s t u d y o f t h i s p r o b l e m w a s

i n i t i a t e d b y t h e r e a l i z a t i o n , d u r i n g t h e d e s i g n o f t h e S I F T

r e l i a b l e a i r c r a f t c o n t r o l c o m p u t e r [ 11 ], t h a t s u c h m a l i c i o u s

f a u l t s c a n o c c u r i n p r a c t i c e .

T h e a l g o r i t h m s d e s c r i b e d i n t h i s p a p e r a s s u m e t h a t

e a c h p r o c e s s c a n r e a d e v e r y o t h e r p r o c e s s ' s cl o c k . T h e y

w o r k i n t h e p r e s e n c e o f a n y k i n d o f f a u l t , i n c l u d i n g s u c h

m a l i c i o u s t w o - f a c e d c lo c k s . W e l e t a p r o c e s s ' s c lo c k b ep a r t o f t h e p r o c e s s , s o a c l o c k f a i lu r e i s j u s t o n e k i n d o f

p r o c e s s f a i lu r e . W e c o n s i d e r o n l y p r o c e s s f a i l u r e s , i g n o r i n g

c o m m u n i c a t i o n l i n e f a i lu r e s . A t w o r s t , t h e f a i l u r e o f a c o m -

m u n i c a t i o n l i n e j o i n i n g t w o p r o c e s s e s c a n b e a n a l y z e d a s if

i t w e r e a f a il u r e o f e i t h e r o f t h e p r o c e s s e s . C o m m u n i c a t i o n -

l i n e f a i l u r e i s b r i e f l y d i s c u s s e d i n [ 7 ] .

O u r f i r s t a l g o r i t h m i s c a l l e d a n in terac t ive convergence

a l g o r i t h m , s i n c e i t c a u s e s c o r r e c t l y w o r k i n g c l o c k s t o c o n -

v e r g e , b u t t h e c l o s e n e s s w i t h w h i c h t h e y c a n b e s y n c h r o -

n i z e d d e p e n d s u p o n h o w f a r a p a r t t h e y a r e a l lo w e d t o d r if t

b e f o r e b e in g r e s y n c h r o n iz e d . I n a n e t w o r k o f a t l e as t 3 m + 1

p r o c e s s e s , i t w i ll h a n d l e u p t o m f a u l t s .

T h e r e m a i n i n g t w o a l g o r i t h m s a r e c a l l e d in terac t ive

c o n s i s t e n c y a l g o r i th m s , s o n a m e d b e c a u s e t h e n o n f a u l ty

p r o c e s s e s o b t a i n m u t u a l l y c o n s i s t e n t v i e w s o f a l l t h e c l o ck s .

I n t h e se a l g o r i th m s , t h e d e g r e e o f s y n c h r o n i z a t i o n - - t h e

m a x i m u m d i f fe r e n c e b e t w e e n a n y t w o n o n f a u l t y p r o c e s se s '

c l o c k s - - d e p e n d s o n l y u p o n t h e a c c u r a c y w i t h w h i c h p r o-

6 8

Page 2: Byzentine Clocks

8/6/2019 Byzentine Clocks

http://slidepdf.com/reader/full/byzentine-clocks 2/7

cesses can read each other's clocks and how far clocks can

drift during the actual s ynchroniz ation procedure.

The i nteractive consistency algorithms are derived from

two basic "Byzantine Generals" solutions presented in [5].

The first one requires at least 3m + 1 processes to handle

up to m faults. The second algorithm assumes a special

method of reading clocks, requiring the use of unforgeable

digital signatures, to handle up to m faults with as few as2m + 1 processes. A recent algor ithm of Halpe rn, Simons

and Strong [3], using a similar method of reading clocks,

will be better than our second Byzantine Generals solution

in almost all practical situations. However, we feel that our

algorithm is still worth describin g because it makes some-

what different assumptions about how clocks are read and

because its derivation from the Byzantine Generals algo-

rithm is interesting.

Lundelius and Lynch [8] have recently described an

interactive convergence algorithm. It requires a special

method of reading clocks, so it is difficult to compare with

our first two algorithms . However, i n some situation s, it can

synchronize the clocks with greater accuracy than our al-

gorithms. We discuss the various algorithms' clock-reading

methods in Section 4, and, in the conclusion, we compare

their efficiency and accuracy.

Dolev, Ha lpern , and Stron g [2] have recently proved

that, like the original Byzantine generals problem, 3m + 1

processes are required to allow clock synchroni zatio n in the

presence of m faults if digital signatures are not used. Our

first two algorithms are thus use the minimum number of

processes.

2 . A l g o r i t h m C O N

Algorithm CON, our interactive convergence algorithm,

is the simplest of the three algorithms. It assumes that the

clocks are initially synchronized, and that they are resyn-

chronized often enough so two nonfaulty processes' clocks

never differ by more t han 6. The value of 6 is chosen in ad-

vance, as explai ned later. We ignore for now the questio n

of how processes read each other's clocks.

Algorithm CON is essentially the following.

Eac h proc e s s r e ads the v a lue o f e v e ry proc e s s ' s

c loc k and se t s i t s own c loc k to the av e rage o f

the se v a lue s - - e x c e pt tha t i f i t r e ads a c loc k v a lue

d i f fe r i n g f r o m i t s o w n b y m o r e t h a n 6 , t h e n i t

r e p lac e s tha t v a lue by i t s own c loc k ' s v a l , t e whe n

f o r m i n g t h e a v e r a g e .

To see why this works, let us consi der by how much two

nonfaulty processes' clocks can differ after they are resyn-

chronized. For simplicity, we ignore the error in readin g

another process's clock and assume that all processes ex-

ecute the algorithm instan taneo usly at exactly the same

time.

Let p and q be nonfaulty processes, let r be any pro-

cess, and let cp , an d % , be the values used by p and q,

respectively, as process r's clock value when forming the

average. If r is nonfaulty, then cp , an d cq , will be equal. If

r is faulty, then % , and %, will differ by at most 36, since

cp, lies within 6 of p's clock value, Cqr lies within 6 of q's

clock value, and the clock values of p and q lie within 6 ofone another.

Let n be the total numb er of processes and m the num-

ber of faulty ones, and assume tha t n > 3rn. Processes p

and q set their clocks to the average of the n values cp, and

cq,, respectively, for i -- 1 ,. .. , n. We have car = Cq, for the

n - m nonfaulty processes r, and [% , - ear ] <_ 36 for the

m faulty processes r. It follows from this that the averages

computed by p and q will differ by at most ( 3 r e ~ n ) 6 . Th e

assumption n > 3m implies ( 3 r e ~ n ) 6 < 6 , so the algorithm

succeeds in bring ing the clocks closer together. Therefore,

we can keep the nonfaulty processes' clocks synchronized

to within 6 of one other by resynch ronizing often enough

so that clocks which are initially within ( 3 r e ~ n ) 5 seconds

of each other never drift further that 5 seconds apart.

It appea rs that by repeated resynchronizations, each

one bringi ng the clocks closer by a factor of 3 r e ~ n , this al-

gorithm can achieve any desired degree of synchronization.

However, we have ignored two factors:

I. The time taken to execute the algorithm.

2. The error in reading another process's clock.

The fact that a process does not read all other clocks

at exactly the same time means that it must average not

clock values, but differences between its clock value and the

others. When process p reads process q's clock, it records

the difference Aqa betwee n q's clock and its own. More

precisely, Aqa = Cq - % , where Cq is the value p reads on q's

clock and % is the value it reads at the same time on its

own clock. Let ting Apa = 0 and de fining

Aqa if[Aqa 1< 6Aqa -=

0 otherwise ,

process p resets its clock by adding the average of the n

values Aqa to its own clock value.

The error in reading clocks must also be taken into

account in computing Aqa. Let e be the maximum error inreading the clock difference Aqa. If 6 is the maximum true

difference between the two clocks, t hen the difference read

by process p could be as grea t as 6 + c. There fore, we nmst

replace 6 by 6 + e in the above definition of Aqp.

A careful analysis, given in [7], shows that the al gorith m

works if 6 is at least about (6m + 2)e + (3m + 1 ) p R , where

p is the maximum error in the rates at which the clocks

69

Page 3: Byzentine Clocks

8/6/2019 Byzentine Clocks

http://slidepdf.com/reader/full/byzentine-clocks 3/7

r u n a n d R i s t h e l e n g t h o f t i m e b e t w e e n r e s y n c h r o n i z a -

t io n s . T h e v a l u e o f 6 i s t h e m a x i m u m d i f f e r e n c e b e t w e e n

t w o n o n f a u l t y c l o c k s , s o t h i s v a l u e r e p r e s e n t s t h e d e g r e e o f

c l o c k s y n c h r o n i z a t i o n m a i n t a i n e d b y th i s a lg o r i t h m , l T h e

v a l u e ( 6 m + 2 ) c + ( 3 m + 1)pR i s t h e s m a l l e s t v a l u e w e c a n

s a f e ly c h o o s e f o r 6 ; a n y l a r g e r v a l u e w i l l a l s o w o r k , y i e l d i n g

a l a r g e r cl o c k s y n c h r o n i z a t i o n e r r o r .

3 . T h e I n t e r a c t i v e C o n s i s t e n c y A l -

g o r i t h m s

I n t h e A l g o r i t h m C O N , a p r o c e s s s e t s i ts c lo c k t o th e

a v e r a g e o f a ll c lo c k v a l u e s . S i n c e a s i n g l e b a d v a l u e c a n s k e w

a n a v e r a g e , b a d c l o c k v a l u e s m u s t b e th r o w n a w a y . A n o t h e r

a p p r o a c h i s t o t a k e a m e d i a n i n s t e a d o f a n a v e r a g e , s i n c e a

m e d i a n p r o v i d e s a g o o d v a l u e s o l o n g a s a m i n o r i t y o f v a l u e s

a r e b a d . H o w e v e r , b e c a u s e o f t h e p o s s i b i l i t y o f t w o - f a c e d

c l o c k s , t h e p r o c e s s e s c a n n o t s i m p l y r e a d e a c h o t h e r ' s c l o c k s

a n d t a k e a m e d i a n ; t h e y m u s t u s e a m o r e s o p h i s t i c a t e d

m e t h o d o f o b t a i n in g t h e v a l u e s o f o t h e r p r o c e s s e s ' cl o ck s .W e n o w i n v e s t ig a t e w h a t p r o p e r t i e s s uc h a m e t h o d m u s t

h a v e .

T h e m e d i a n c o m p u t e d b y t w o d if f e re n t p r o c e ss e s w il l

b e a p p r o x i m a t e l y t h e s a m e i f t h e s e t s o f c l o c k v a l u e s t h e y

o b t a i n a r e a p p r o x i m a t e l y t h e s a m e . T h e r e f o r e , w e w a n t t h e

f o l l o w i n g c o n d i t i o n t o h o l d f o r e v e r y p r o c e s s r .

CC1. A n y t w o n o n f a u l t y p r o c e s se s o b t a i n a p p r o x i m a t e l y

t h e s a m e v a l u e f o r r ' s c l o c k - - e v e n i f r i s f a u l ty .

W h i l e C C 1 g u a r a n t e e s t h a t a l l p r o c e s s e s w i ll c o m p u t e

a p p r o x i m a t e l y t h e s a m e c l o ck v a lu e s , i t d o e s n ' t e n s u r e t h a t

t h e v a l u e s t h e y c o m p u t e w i l l b e m e a n i n g f u l . F o r e x a m p l e ,

CCI i s s a t is f i e d i f e v e r y p r o c e s s a l w a y s o b t a i n s t h e v a l u el : 0 0 fo r a n y p r o c e s s ' s cl o c k . T h i s s y n c h r o n i z e s t h e c l o c k s

b y ef f e c t i v e ly s t o p p i n g t h e m a ll . T o m a k e s u r e t h a t t h e p r o -

c e s s e s ' c l o c k s k e e p r u n n i n g a t a r e a s o n a b l e r a t e , w e m a k e

t i le f o l l o w i n g a d d i t i o n a l r e q u i r e m e n t f o r a n y p r o c e s s r :

C C 2 . I f r is n o n f a u l t y , t h e n e v e r y n o n f a u l t y p r o c e s s o b t a i n s

a p p r o x i m a t e l y t h e c o r r e c t v a l u e o f r ' s c lo c k .

I f a m a j o r i t y o f p r o c e s s e s a r e n o n f a u l t y , t h e n t h i s e n s u r e s

t h a t t h e m e d i a n c l o c k v a lu e c o m p u t e d b y a n y p r o c es s is

a p p r o x i m a t e l y e q u a l t o t h e v a l u e o f a g o o d c l o ck . 2

C o n d i t i o n s CCI a n d C C 2 a r e v e r y s i m i l a r to t h e c o n -

d i t i o n s t h a t d e s c r i b e t h e B y z a n t i n e G e n e r a l s p r o b l e m [ 5 ] .

I n t h i s p r o b l e m , s o m e p r o c e s s r m u s t s e n d a v a l u e t o a llp r o c e s s c s i n s u c h a w a y t h a t t h e f o l l o w i n g t w o c o n d i t i o n s

are sati~sfi~'d; .INo te that [7] shows only tha t at least this degree of synchronization

can be obtained; we do not know if the worst-case behavior is really

this bad. The same remark applies to the other error bounds quoted

below.

:Mo re precisely, it is either approximately equal to a good clock's value

or else l ies between the values of two goo d clocks.

I C 1 . A l l n o n f a u l t y p r o c e s s e s o b t a i n t h e s a m e v a l u e.

I C 2 . I f p r o c e s s r is n o n f a u l t y , t h e n a l l n o n f a u l t y p r o c e s s e s

o b t a i n t h e v a l u e t h a t i t s e n d s .

O u r t w o i n t e r a c t i v e c o n s i s t e n c y a l g o r i t h m s a r e m o d i f i -

c a t i o n s o f tw o B y z a n t i n e G e n e r a l s s o l u t i o n s f r o m [5 ] t o

a c h i ev e c o n d i t io n s C C 1 a n d C C 2 .

3 . 1 . A l g o r i t h m C O M ( m )

O u r f ir s t i n t e r a c t i v e c o n s i s t e n c y a l g o r i t h m , d e n o t e d

C O M ( m ) , w o r k s in t h e p r e se n c e o f u p t o m f a u l t y p r o -

c e s s e s w h e n t h e t o t a l n u m b e r n o f p r o c e s s e s is g r e a t e r t h a n

3 m . I t is b a s e d u p o n A l g o r i t h m O M ( m ) o f [5 ].

W e f i rs t c o n s i d e r t h e c a s e n - - 4 , m - - l , a n d d e s c r i b e a

s p e c i a l c a s e o f A l g o r i t h m O M ( 1 ) i n w h i c h t h e v a l u e b e i n g

s e n t is a n u m b e r . I n t h i s a l g o r i t h m , p r o c e s s r s e n d s i ts

v a l u e t o e v e r y o t h e r p r o c e s s , w h i c h i n t u r n r e l a y s t h e v a l u e

t o th e t w o r e m a i n i n g p r o c e s s e s . P r o c e s s r u s e s i t s o w n

v a l u e . E v e r y o t h e r p r o c e s s i h a s r e c e i v e d t h r e e " c o p i e s "

o f t h i s v a l u e : o n e d i r e c t l y f r o m p r o c e s s r a n d t h e o t h e r

t w o f r o m t h e o t h e r t w o p r o c e s se s , s T h e v a l u e o b t a in e d b y

p r o c e s s i i s d e f i n e d t o b e t h e m e d i a n o f t h e s e t h r e e c o p i e s.

T o s h o w t h a t t h i s w o r k s , w e c o n s i d e r s e p a r a t e l y t h e t w o

c a s e s: p r o c e s s r f a u l t y a n d n o n f a u l t y . F i r s t , s u p p o s e r is

n o n f a u l t y . I n t h i s c a s e , a t l e a s t t w o o f t h e c o p i e s r e c e i v e d

b y a n y o t h e r n o n f a u l t y p r o c e s s p m u s t e q u a l t h e v a l u e se n t

b y r : t h e o n e r e c e i v e d d i r e c t l y f r o m r a n d t h e o n e r e l a y e d

b y a n o t h e r n o n f a u l t y p r o c e s s . ( S i n c e t h e r e i s a t m o s t o n e

f a u l t y p r o c e s s , a t l e a s t o n e o f t h e t w o p r o c e s s e s t h a t r e l a y

t h e v a l u e to p m u s t b e n o n f a u l t y . ) T h e m e d i a n o f a s e t o f

t h r e e n u m b e r s , t w o o f w h i c h e q u a l v , is v , s o c o n d i t i o n I C 1

i s s a t is f i ed . W h e n p r o c e s s r i s n o n f a u l t y , I C 1 i m p l i e s I C 2 ,

w h i c h f i n i s h e s t h e p r o o f f o r t h i s e a s e .

N e x t , s u p p o s e t h a t p r o c e s s r i s f a u l ty . C o n d i t i o n I C 1 i s

t h e n v a c u o u s , s o w e n e e d o n l y v e r i f y I C 2 . S i n c e t h e r e i s a t

m o s t o n e f a u l t y p r o c e ss , t h e t h r e e p r o c e s s e s o t h e r t h a n r

m u s t b e n o n f a u l t y . E a c h o n e t h e r e f o r e c o r r e c t l y t r a n s m i t s

t h e v a l u e i t r e c e iv e s f ro m r t o t h e o t h e r p r o c e s s e s . A l l o f t h e

o t h e r p r o c e s s e s t h u s r e c e i v e t h e s a m e s e t o f co p i e s , so t h e y

c h o o s e t h e s a m e m e d i a n , s h o w i n g t h a t t h a t I C 2 i s s a t is f ie d .

T o m o d i f y A l g o r i t h m O M ( 1 ) f o r c l o ck s y n c h r o n i za t i o n ,

l e t u s s u p p o s e t h a t i n s t e a d o f s e n d i n g a n u m b e r , a p r o c e s s

c a n s e n d c o p y o f a cl o c k . ( W e c a n i m a g i n e c l o c k s b e i n g s e n t

f r o m p r o c e s s t o p r o c e s s , c o n t i n u i n g t o t i c k w h i l e in t r a n s i t .)

W e a s s u m e t h a t s e n d i n g a c l o ck f r o m o n e n o n f a u l t y p r o c e ss

t o a n o t h e r c a n p e r t u r b i t s v a l u e b y a t m o s t s o m e s m a l l

a m o u n t E, b u t l e a v e s i t o t h e r w i s e u n a f f e c t e d . H o w e v e r , a

f a u l t y p r o c e s s c a n a r b i t r a r i l y c h a n g e a c l o c k ' s v a l u e b e f o r e

s e n d i n g i t .

Sin case a process fails to receive a message, presumably because the

sender is faulty, it can pretend to have received any arbitra ry message

from tha t process. See [5] for more details.

7 0

Page 4: Byzentine Clocks

8/6/2019 Byzentine Clocks

http://slidepdf.com/reader/full/byzentine-clocks 4/7

In Algorithm COM(1), we apply Algorithm OM(1) four

times, once for each process r. However, instea d of send ing

values, the processes send clocks. Exact ly the same argu-

ment used above to prove ICl and IC2 proves C C I an d

CC2, where "approximately" means to within O(~).

The more general Byzantine Generals solution OM(m),

which handles m faul ty processes, n > 3m, involves more

rounds of message passing and additional median taking.This algorithm can be found in [5]. Algorithm COM(rn)

is obtained from OM(m) in the same way we obtained

COM(1) f rom OM(1): by sendin g clocks instea d of mes-

sages.

This completes our description of Algorithm COM(m),

except for one question: how do processes send clocks to

one another? The answer is that the processes don't send

clocks, they send clock differences. As before, when pro-

cess p reads process q's clock, it records the difference Aqp

between its clock value an d q's. Process p sends a "copy"

of q's clock to another process r by sending the value Aqp,

which means "q's clock differs from mine by Aqp".

Now, suppose r receives a copy of q's clock from p in

the form of a message (from p) saying "q's clock differs

from mine by x' . How does r relay a copy of this clock to

another process? Process r reasons as follows:

• p tells me that q's clock differs from his by x.

• I know that p's clock differs from mine by Ap,.

• Therefore, p has told me that q's clock differs from

mine by x + Ap,

In other words, when r relays a clock difference sent to him

by p, he just adds Ap, to that difference.

This completes the description of Algorithm COM(m).

A careful analysis, described in [7], reveals that this algo-

rithm keeps the clocks of different processes synchronized

to within approximately (6m + 4)e + p R , where, as before,

is the maximu m error in reading a clock, p is the ma ximum

error in the ru nnin g rate of a clock, an d R is the length

of time between resynchronizations. The first term of the

error is caused by clock-reading errors that accumulate as

messages are passed ar ound; the second term is the amoun t

that the clocks drift apart between resynchronizations.

3 . 2 . A l g o r i t h m C S M

With no assumptions about the behavior of failed pro-

cesses, it can be shown that the Byzantine Generals prob-lem is solvable only if n > 3m [9]. However, we can do

better than this by allowing the use of digital signatures.

More precisely, we assume th at a process can generate a

message which can be copied but cannot be undetectably

altered. Thus, if r gene rate s a signed message, and copies

of that message are relayed from process to process, the ul-

timate recipient can tell if the copy he receives is identical

to the original signed message generated by r. With digital

signatures, we are assuming that a faulty process cannot

affix the signature of another process to any message not

actua lly signed by that process. See [5] for a brief discussion

of how digital signatures can be generated in practice.

Algorithm SM(m) of [5] solves the Byzantine Genera ls

problem in the presence of up to m faults for any value of

n. ~ We first consider the case n -- 3, m = 1. In Algo-rithm SM(1), process r sends a signed message containing

its value to the other two processes, each of which relays a

copy of this signed message to the other. Each process p

other t han r winds up with a pile contain ing up to two prop-

erly signed messages: one received directly from process r

and anoth er relayed by the third process. Process p may

receive fewer than two messages because a faulty process

could fail to send a message. The value process p obtains

is defined to be the largest of the values contained in this

pile of properly signed messages. (If no message is received,

then some arbit rary fixed value is chosen.)

For notational convenience, we pretend that r sends

a signed message to itself, which it does not relay. It iseasy to see that the piles of messages received by the three

processes satisfy the following two properties.

SM1. For any two non fau lty processes p and q: every value

in p's pile is also in q's.

SM2. If process r is nonfaulty, then every nonfaulty pro-

cess's pile has at least one properly signed message,

and every properly signed message has the same

value.

Note that SMI holds for p or q equal to r because of our

assumption t hat r sends a properly signed message to itself.

Condition IC1 follows immediately from property SM1,

and condition IC2 follows immediately from property SM2,proving that SM(1) is a Byz antine Generals solution.

In the general Algorithm SM(m), messages are copied

and relayed up to m times, with each relaying process

addi ng its signa ture . When a process p receives a mes-

sage with fewer than m signatures, p signs the message,

copies it, and relays it to every process that has not al-

ready signed the message. The reader can either verify for

himself or find the proof in [5] that the stacks of messages

received by the processes satisfy conditions SMI and SM2.

(Again, we assume that r sends a signed message to itself,

so SM1 is satisfied when p or q equals r.) Hence, defining

the value obtained by a process to be the largest value in its

pile gives an algorithm that solves the Byzantine Generals

problem.

To turn the Byzantine Generals solution SM(m) into

the clock-synchroniz ation Algorithm CSM(m), we again

send clocks instead of messages. Moreover, we allow pro-

cesses to sign the clocks tha t they send. As before, we

4The problem is vacuous f there are more than n - 2 faults.

71

Page 5: Byzentine Clocks

8/6/2019 Byzentine Clocks

http://slidepdf.com/reader/full/byzentine-clocks 5/7

assume that a clock's value is perturbed by at most some

small amount c when sent by a nonfaulty process. How-

ever, instead of allowing a faulty process to set a clock to

any value when relaying it, we assume that the process can

tur n the clock back but not ahead. More precisely, we as-

sume that, when relaying a clock, a faulty process can set

it back arbitrarily far, but can set it ahead by at most E.

We now use the same relaying procedure as in Algo-

rithm SM(m) to send copies of r's clock to all processes.For simplicity, we assume that all clocks run at exactly the

same rate, except for the perturbations they receive when

being relayed, s Each process keeps a copy of every prop-

erly signed clock, so after all the relaying has ended, it has

a pile of copies of r' s clock. (We assum e that r keeps a

signed copy of its own clock.) Since a nonf ault y process

pertu rbs a clock's value by at most E when relaying it, the

same reasoning used to prove SM1 an d SM2 shows that the

following properties are true of these piles of copies of r's

clock.

CSM1. For any two nonfaulty processes p and q : if p has

a properly signed clock with value c, then q has aproperly signed clock whose value is within me of

C.

CSM2. If process r is nonfaulty and its clock has the value

c, then every other process has at least one properly

signed clock whose value is within ~ of c, and every

properly signed clock that it has reads no later th an

c+m~.

The value that a process obtains for r's clock is defined to be

the fastest clock in its pile. Conditions conditions CC1 and

CC2 then follow immed iate ly from CSM1 and CSM2, where

"approximately" means to within O(m~). Hence, this pro-

vides a fault-tole rant clock-synchroniz ation algorithm.

To finish the description of Algorithm CSM(rn), we

must describe how clocks can be signed an d relayed in such

a way that the y are distu rbed by at most ~ when relayed

by a nonfaulty clock and can be set forward at most e by a

faulty one. As in Algorithm SM(m), we require a method

for gene rating unforgeable signed messages.

We first assume that processes and transmission lines

are infi nitely fast, so a message can b e relayed from pro-

cess to process in zero time. We use this ass umpt ion to

construct a method of relaying clocks for which e equals

zero. The message that r sends, and that all the processes

relay, is r's clock value cr. The message c, acts like a clockwhose value is now c,. A nonfau lty process relays this value

in zero time, so the clock is sent with no per turba tion. A

S R e m o v i n g t h i s a s s u m p t i o n a d d s a t e r m o f o r d e r pS t o th e m a x i m u m

d i f f e r e n c e b e t w e e n t h e c l o c k s , w h e r e S i s t h e t i m e t a k e n t o e x e c u t e t h e

a l g o r i t h m a n d p t h e m a x i m u m e r r o r i n th e c l o c k r a t e s . I n m o s t c a s e s

t h i s t e r m i s m u c h s m a l l e r t h a n t h e d i f f e r e n c e d u e t o t h e p e r t u r b a t i o n

faulty process cannot change the value of the clock, since

the value is contained in a signed message; all it can do is

delay sending the value. Th is is equivalent to stopping the

clock while holding it, which is tantamount to turning the

clock back. Hence, the assumpt ion about sending clocks is

satisfied, with zero perturbation.

In practice, processes and transmission lines are not

infinitely fast. Instead, we assume that a message received

by a nonfaulty process will be copied, signed, sent, andreceived at its des tina tion i n time "74-E, for some const ant '7.

By counting the signatures affixed to a message, a process

knows how many times the message has been relayed, so it

can correct the clock value in the message by adding the

appropri ate mu ltipl e of "7. T he ne t effect is to introduce

an error of at most ~ each time the message is relayed.

The detailed an alysis of [7] shows that this algo rithm can

main tain clocks synchronized to within abo ut (m+6)E+pR,

where once again p is the maximum error in the clock rate

and R is the interval between resynchronizations.

4 . R e a d i n g C l oc k s

To synchro nize their clocks, processes have to read each

other' s clock values. Errors in re ading those values limit the

closeness with which clocks can b e synchronized. We let E

denote the worst-case error in rea ding a clock value. The

degree of closeness with which an algorithm can synchro-

nize clocks depends upon e, and it is tempting to use tfiis

dependence ~ as a measure for comparing different clock-

synchronization algorithms--the algorithm that can syn-

chronize to within the smallest factor of e being the best.

Such comparisons can be misleading. Different algo-

rithms require different methods of reading clocks, and

these different methods can yield very different values for

E. Algorithms CON and COM can use any method of

clock reading, so they can always be implemented with

the sma llest possible value of ~. However, this is not tru e

of Algorithm CSM or the algorithms of Lundelius [8] and

Halpern [3].

In practice, the value of ~ is determined primarily by

the syste m level at which clock readin g takes place. The

value of E can be quite small if clock readin g is performed by

the oper ating system. For example, c is a few microseconds

in SIFT [ll] . However, if clock readin g is done by a high-

level program in a multi progr ammin g environme nt, E can

be tenths of a second or more.

In Algorithm CSM and the a lgorithms of Lundelius and

Halpern, one process rea ds a noth er's clock by" deter mining

the arriva l time (o n its own clock) of a message. Thus, E is

the maximum uncertainty in the elapsed time between the

generation and receipt of the message. The algorithms dif-

fer in how the messages are generated. In the Lu ndelius al-

72

Page 6: Byzentine Clocks

8/6/2019 Byzentine Clocks

http://slidepdf.com/reader/full/byzentine-clocks 6/7

, g o r i t h m [ 8 ], t h e y a r e s i m p l y s e n t b y a p r o c e s s w h e n i t s o w n

c l o c k r e a c h e s a c e r t a i n v a l u e . H o w e v e r , i n A l g o r i t h m C S M

a n d t h e H a l p e r n a l g o r i th m , s o m e o f th e m e s s a g e s a r e g e n-

e r a t e d i n r e s p o n s e t o t h e a r r i v a l o f o t h e r m e s s a g e s , a n d t h e

g e n e r a t i o n o f t h e s e m e s s a g e s r e q u i r e s a n o n t r i v i a l c o m p u -

t a t io n . T h u s , o f t h e s e t h r e e a l g o r i t h m s , L u n d e l i u s ' s i s m o r e

l ik e l y t o b e i m p l e m e n t a b l e a t a l o w e r s y s t e m l e v e l .

C o m p a r i s o n o f t h e s e t h r ee a l g o r i t h m s w i t h A l g o r i t h m s

C O N a n d C O M i s d i f f ic u l t, s i n c e t h e l a t t e r t w o a l g o r i t h m sm a k e n o a s s u m p t i o n s a b o u t h o w c l o c k s a r e r e a d . H o w e v e r ,

t h e f o l l o w i n g t h e o r e t i c a l o b s e r v a t i o n s s e e m t o b e r e l e v a n t .

I t i s l i k e l y t h a t , a t s o m e l e v e l , f o r p r o c e s s p t o r e a d t h e

c l o c k o f a n o t h e r p r o c e s s q , p m u s t m e a s u r e t h e a r r i v a l t i m e

o f a m e s s a g e s en t b y q . T h i s " m e s s a g e " m i g h t b e a s i n -

g l e v o l t a g e c h a n g e t r a v e l i n g a l o n g a w i r e . S i n c e p a n d q

a r e a s y n c h r o n o u s , q ' s m e s s a g e m u s t b e s t o r e d i n a b u f f er ,

w h i c h p r e a d s to d e t e r m i n e i f t h e m e s s a g e h a s a r r i v e d . T h e

f r e q u e n c y w i t h w h i c h p c h e c k s t h e b u f f e r i n t r o d u c e s a f u n -

d a m e n t a l s o u r c e o f e r r o r - - w h e n w h e n p s e es a m e ss a g e , it

k n o w s o n l y t h a t t h e m e s s a g e a r r i v e d s o m e t i m e s i n c e i t l a s t

r e a d t h e b u f f e r. T h u s , t h e t i m e b e t w e e n s u c c e s s i v e r e a d s o f

t h e b u f f e r p r o v i d e s a lo w e r b o u n d o n ~ .

T h e b e s t t h a t a p r o c e s s c a n d o t o r e d u c e t h e t i m e b e -

t w e e n s u c c e s s i v e r e a d s i s t o d o n o t h i n g b u t r e p e a t e d l y r e a d

t h e b u f f er . T h e r e f o r e , E c a n n o t b e s m a l l e r t h a n t h e t i m e

n e e d e d t o r e a d a m e s s a g e b u f f e r. M o r e o v e r , t h e fo l l o w i n g

c l o c k - r e a d i n g p r o c e d u r e s e e m s t o in d i c a t e t h a t t h i s b o u n d

i s t h e o r e t i c a l l y a c h i e v a b l e . T o r e a d p r o c e s s q ' s c lo c k , p r o -

c e s s p s e n d s q a requestm e s s a g e , t h e n c o n t i n u a l l y e x a m i n e s

t h e b u f f e r l o o k i n g f o r q 's r e p ly . P r o c e s s q e v e n t u a l l y r e p l i es

t o t h i s m e s s a g e b y s e n d i n g p a m e s s a g e w i t h i t s c u r r e n t

c l o c k v a l u e . I n p r i n c i p l e, i t s h o u l d b e p o s s i b l e to d e t e r m i n e

t h e t i m e i t ta k e s q g e n e r a t e t h e m e s s a g e , a s w e l l a s t h e

t r a v e l t i m e o f t h e m e s s a g e , w i t h a r b i t r a r y a c c u r a c y . T h e n ,

i s e q u a l t o t h e e r r o r i n p 's d e t e r m i n a t i o n o f w h e n t h e m e s -

s a g e a r r i v e d , w h i c h i s t h e t i m e i t t a k e s t o r e a d t h e b u f f e r.

( A c t u a l l y , p m u s t w a i t o n l y a f ix e d l e n g t h o f t im e f o r q ' s r e -

p l y, s in c e q m i g h t b e f a u l t y , s o th e r e m u s t a l s o b e a t i m e o u t

t e g t i n q ' s " w a i t i n g l o o p " . )

A l g o r i t h m C S M a n d t h e L u n d e l i u s a n d H a l p e r n a l g o -

r i t h m s r e q u i r e a p r o c e s s p t o m e a s u r e t h e a r r i v a l t i m e o f

m e ~ s a g e s s e n t c o n c u r r e n t l y b y d i f f er e n t p r o c e s s e s. F a u l t -

t o l e r a n c e r e q u i r e s t h a t p m a i n t a i n a s e p a r a t e b u f f e r fo r

m e s s a g e s f r o m d i f f e r e n t p r o c e s s e s , s i n c e a f a u l t y p r o c e s s

c o u l d " j a m " c o m m u n i c a t i o n t o a s h a r e d b u f f e r b y c o n t i n -

u a l ly s e n d i n g m e s s a g e s . I f a p r o c e s s is i m p l e m e n t e d b y a

s i n g l e p r o c e s s o r , t h e n i t m u s t c y c l i c a l l y s c a n a l l i t s in p u tb u [ h , r s. T h u s , ( i s a t l e a s t n ti m e s t h e t i m e n e e d e d t o r e a d

a ~ in g l e b u f f er , w h e r e n i s t h e n u m b e r o f p ro c e s s e s . T h u s ,

t h e l i m i t i n g v a l u e o f ~ f o r t h e s e a l g o r i t h m s i s n t i m e s a s

g r e at a s t h e l im i t in g v a l u e f o r A l g o r i th m s C O N a n d C O M ,

w h i c h c a n u s e a n? ' m e t h o d o f c lo c k r e a d i n g .

B y r ( , g u l a ti n g w h e n p r o c e s s e s s e n d t h e i r m e s s a g e s , A I -

g o r i t h m C S M c a n b e m o d i f i e d s o e v e r y p r o c e s s w a i ts f o r

o n l y a s i n g l e m e s s a g e a t a t i m e . F o r e x a m p l e , f i x ed t im e

s l o t s c a n b e a l l o c a t e d t o ea c h c o m m u n i c a t i o n l i n k , w i t h

e a c h m e s s a g e s e n t a t t h e b e g i n n i n g o f t h e f ir s t a v a il a b l e

t i m e s l o t a f te r i ts g e n e r a t i o n . T h e t i m e b e t w e e n s u c c e s s i v e

s l o t s j u s t h a s t o b e g r e a t e r t h a n t h e m a x i m u m d i f f e re n c e b e -

t w e e n p r o c e s s e s ' c lo c k s . T h i s a d d s a k n o w n d e l a y t o e v e r y

m e s s a g e , w h i c h d o e s n o t s i g n i f i c a n t l y a f f e c t t h e a c c u r a c y

o f t h e a l g o r i t h m . I t s h o u l d b e p o s s i b l e t o m o d i f y t h e L u n -

d e l i u s a l g o r i t h m i n a s i m i l a r w a y . H o w e v e r , t h i s t r ic k d o e s

n o t s e e m t o w o r k f o r t h e H a l p e r n a l g o r i t h m , s i n c e t h e a l g o -

r i t h m r e l ie s o n t h e a b i l i t y t o r e c e iv e m e s s a g e s c o n c u r r e n t l y

f r o m d i f f e r e n t p r o c e s s e s .

5 . C o n c l u s i o n

W e h a v e p r e s e n t e d t h r e e c l o c k - s y n c h r o n i z a t i o n a l g o -

r i t h m s a n d n o t e d t h a t t h e y k e e p th e c l o c k s s y n c h r o n i z e d

t o w i t h i n t h e f o l l o w i n g to l e r a n c e s , w h e r e m i s t h e d e g r e e o f

f a u l t t o l e r a n c e , E i s t h e m a x i m u m e r r o r i n r e a d i n g a c lo c k ,

p i s t h e m a x i m u m e r r o r i n t h e c l o c k r a t e , a n d R i s t h e t i m e

b e t w e e n s u c c e s s i v e r e s y n c h r o n i z a t i o n s .

A l g o r i t h m C O N : ( 6 m + 2 )~ + ( 3 m + 1)pR

A l g o r i t h m C O M : ( 6 m + 4 ) c + pRA l g o r i t h m C S M : ( m + 6 ) e + pR

( N o t e t h a t t h e e x p r e s si o n f o r A l g o r i t h m C O N is m o r e c o m -

p l i c a t e d b e c a u s e i t i s a n i n t e F a c t i v e c o n v e r g e n c e a l g o r i th m . )

A l g o r i t h m C O N i s t h e s i m p l e s t , r e q u i r i n g o n l y t h a t

e a c h p r o c e s s r e a d e v e r y o t h e r p r o c e s s ' s c l o ck . I t a p p e a r s

t o b e s li g h t l y b e t t e r t h a n A l g o r i t h m C O M i f o n e i s i n t e r-

e s t e d i n m a i n t a i n i n g t h e c l o s e s t p o s s i b l e s y n c h r o n i z a t i o n ,

w i t h o u t r e g a r d t o h o w f r e q u e n t l y r e s y n c h r o n i z a t i o n i s p e r -

f o r m e d . H o w e v e r , A l g o r i t h m C O N r e q u i r e s m u c h m o r e fr e -

q u e n t r e s y n c h r o n i z a t io n t h a n t h e o t h e r t w o , b y an a s y m p -

t o t i c f a c t o r o f 3 m + 1 , t o m a i n t a i n t h e s a m e d e g r e e o f

s y n c h r o n i z a t i o n . e

T h e c o r r e s p o n d i n g s y n c h r o n i z a t io n e r r o r fo r th e H a l -

p e r n a l g o r i t h m [ 3] i s 2 E + pR. W h i l e L u n d e l i u s a n d L y n c h

d o n o t g i v e t h e s y n c h r o n i z a t i o n e r r o r f o r t h e i r a l g o r i t h m i n

a c o m p a r a b l e f o r m , i t a p p e a r s t o h a v e t h e v a l u e 4 c + 4pR.

( A s in A l g o r i t h m C O N , t h e e x t r a f a c t o r a p p e a r s i n f r o nt o f

t h e pR t e r m b e c a u s e t h i s i s a n i n t e r a c t i v e c o n v e r g e n c e a lg o -

r i t h m . ) H o w e v e r , a s w e h a v e i n d i c a t e d , t h e v a l u e s o f c a r e

n o t t h e s a m e f o r t h e d i f f e r e n t a l g o r i t h m s . A l g o r i t h m s C O N

a n d C O M h a v e t h e s m a l l e s t v a l u e o f E , s i n c e t h e y c a n u s e

a n y m e t h o d o f c l o c k re a d i n g . T h e v a l u e s o f e f o r t h e o t h e rt h r e e a l g o r i th m s c o u l d b e l a r g e r i n s o m e c ir c u m s t a n c e s .

6While the above numbers are simply the best bounds on the synchro-

nization errors that we have been able to find and do not necessarily

reflect the actua l worst-cause performance of the algorithms, we believe

that i t is in the nature of an interactive conv ergence algorithm to re-

quire more frequent resynchronization than an interactive consistency

algorithm.

7 3

Page 7: Byzentine Clocks

8/6/2019 Byzentine Clocks

http://slidepdf.com/reader/full/byzentine-clocks 7/7

O u r t w o i n t e r a c t i v e c o n s i s t e n c y a l g o r i t h m s a r e b a s e d

u p o n p a r t i c u l a r B y z a n t i n e G e n e r a l s s o lu t i o n s. D o l e v [1 ] h a s

g e n e r a l i ze d A l g o r i t h m O M o f [5 ] t o t h e c a s e i n w h i c h p r o -

c e s s es c a n n o t s e n d m e s s a g e s d i r e c t l y t o a l l o t h e r p r o c e s se s .

H i s a lg o r i t h m i s s im i l a r e n o u g h t o A l g o r i t h m O M t h a t i t

c a n b e t r a n s f o r m e d i n t o a c l o c k - s y n c h r o n i z a t io n a l g o r i t h m

b y th e s a m e m e t h o d w e u s e d t o t r a n s f o r m A l g o r i t h m O Mi n t o A l g o r i t h m C O M , t h e r e b y y i e l d i n g a g e n e r a l i z a t i o n o f

A l g o r i t h m C O M t o t h e c a s e w h e n a p r o c e s s c a n n o t r e a d

e v e r y o t h e r p r o c e s s ' s c lo c k . T h e i n t u i t i v e re a s o n i n g u s e d

a b o v e w o r k s t h e s a m e w a y . H o w e v e r, w e h a v e n o t a n a l y z e d

t h e r e s u l t i n g a l g o r i t h m t o d e t e r m i n e i t s p r e c i se p r o p e r ti e s .

M a n y o t h e r B y z a n t i n e G e n e r a l s s o l u t i o n s h a v e b e e n

f o u n d t h a t i m p r o v e i n s o m e w a y u p o n t h e o n e s i n [ 5 ] - -

u s u a l l y b y re d u c i n g t h e n u m b e r o f m e s s ag e s . O u r t w o i n-

t e r a c t i v e c o n s i st e n c y a l g o r i t h m s g e n e r a t e a b o u t n ra+l m e s -

s a g e s, w h i l e t h e r e a r e m o r e r e c e n t a l g o r i t h m s i n w h i c h t h e

n u m b e r o f m e s s a g e s is p o l y n o m i a l i n n a n d m . A s u r v e y

o f t h e s e r e s u l t s c a n b e f o u n d i n [ 1 0 ]. A l l t h e c u r r e n t a l g o -

r i t h m s t h a t d o n o t u s e s i g n e d m e s s a g e s r e q u i r e m o r e r o u n d s

o f m e s s a g e p a s s i n g th a n A l g o r i t h m O M .

O n e s h o u l d c o m p a r e t h e s e m e s s a g e r e q u i r e m e n t s w i t h

t h o s e o f t h e k n o w n a l g o r i t h m s n o t b a s e d u p o n B y z a n t i n e

G e n e r a l s s o l u t i o n s - - n a m e l y , A l g o r i th m C O N a n d t h e a l go -

r i t h m s o f H a l p e r n a n d L u n d e l i u s . T h e l a s t tw o r e q u i r e , in

t h e w o r s t c a s e , a b o u t n : m e s s a g e s . A l g o r i t h m C O N d o e s

n o t r e q u i r e a n y m e s s a g e p a s s i n g p e r se , j u s t t h e r e a d i n g o f

e v e r y c l o c k b y e a c h p r o c e s s . I f t h i s i s d o n e b y s e n d i n g c l o c k

v a l u e s i n m e s s a g e s , t h e n i t t o o r e q u i r e s a b o u t n 2 m e s s a g e s .

P r o c e s s - c o n t r o l s y s t e m s , w h i c h w e s e e a s t h e m a i n a p -

p l i c a t i o n o f o u r c l o c k - s y n c h r o n i z a t i o n a l g o r i t h m s , u s e a

s m a l l n u m b e r o f p r o c e s s e s , s o t h e n u m b e r o f m e s s a g e s i s

n o t p r o h i b i t i v e . H o w e v e r , t h e n u m b e r o f r o u n d s o f m e s s a g e

p a s s i n g i s s i g n i f i c a n t , s i n c e i t i n c r e a s e s t h e t i m e n e e d e d t o

p e r f o r m t h e c l o c k s y n c h r o n i z a t io n . T h e r e f o r e , f o r p ro c e s s -

c o n t r o l a p p l i c a t i o n s , A l g o r i t h m O M i s t h e b e s t B y z a n t i n e

G e n e r a l s a l g o r i t h m n o t u s i n g s ig n e d m e s s a g e s , s o i t i s t h e

b e s t c a n d i d a t e f o r c o n v e r t i n g t o a c l o c k - s y n c h r o n i z a t i o n a l-

g o r i t h m .

I n a n y e v e n t, o u r m e t h o d o f c o n s t r u c t i n g A l g o -

r i t h m C O M d e p e n d s v e r y st r o n g l y o n th e n a t u r e o f A l g o -

r i t h m O M . O t h e r B y z a n t i n e G e n e r a l s s o l u ti o n s m i g h t l e a d

t o c lo c k s y n c h r o n i z a t i o n a l g o r i t h m s t h a t a r e b e t t e r t h a n A l -

g o r i t h m C O M i n s o m e a p p l i c a t i o n s , b u t w e d o n ' t k n o w h ow

t o c o n s t r u c t s u c h a l g o r i t h m s . N e i t h e r d o w e n o t k n o w h o w

t o c o n s t r u c t c l o c k - s y n c h r o n i z a t i o n a l g o r i t h m s f r o m s i g n e d -

m e s s a g e B y z a n t i n e G e n e r a l s s o l u t io n s o t h e r t h a n A l g o -

r i t h m S M . H o w e v e r , t h e H a l p e r n a l g o r i t h m , w h i c h is n o t

d e r i v e d fr o m a B y z a n t i n e G e n e r a l s s o l u t io n , s e e m s t o m a k e

t h i s a n u n i n t e r e s t i n g p r o b l e m .

R E F E R E N C E S

[1 ] D . D o le v . T h e B y z a n t i n e G e n e r a l s S t r i k e A g a i n .

J our na l o f A l gor it hms 8, l (1982), 14-30.

[ 2] D . D o l e v , J . H a l p e r n . a n d H . R . S t r o n g . O n t h e P o s -

s i b i l i t y a n d I m p o s s i b i l i t y o f A c h i e v i n g C l o c k S y n c h r o -

n i z a t i o n . Proceedings o f the S ix teenth Ann ual A C M

S T O C Con f e r e nc e (May 1984) .

[ 3] J . H a l p e r n , B . S i m o n s a n d R . S t r o n g . F a u l t - T o l e r a n t

C l o c k S y n c h r o n i z a t i o n . Proceedings of the Third An -

nua l AC M S y mpos i um on P r i nc ip l e s o f D i st ri but ed

Compu t i ng ( A u g u s t 1 9 8 4 ) ] t h e s e p r o c e e d i n g s ] .

[4] L . L a m p o r t . T h e I m p l e m e n t a t i o n o f R e l i a b l e D i s -

t r i b u t e d M u l t i p r o c e s s S y s t e m s . Compu t e r N e t wor k s

2 (1978) , 95 -114 .

[5] L . L a m p o r t , R . S h o s t a k a n d M . P e a s e . T h e B y z a n t i n e

G e n e r a l s P r o b l e m . AC M T r ans . on P r og . L ang . and

Sys . 4 , 3 ( Ju ly 1982) , 382-401 .

[6 ] L . L a m p o r t . U s i n g T i m e I n s t e a d o f T i m e o u t f o r

F a u l t - t o l e r a n t D i s t r i b u t e d S y s t e m s . A C M T r a n s . o n

Prog. Lang. and Sys . 6, 2 (April 1984), 254-280.

[7 ] L . L a m p o r t a n d P . M . M e l l i a r - S m i t h . S y n c h r o n i z -

i n g C l o c k s in t h e P r e s e n c e o f F a u l t s . S u b m i t t e d t o

J our na l o f the AC M .

[8 ] A N e w F a u l t - t o l e r a n t A l g o r i t h m f o r C l o c k S y n c h r o n i -

z a t i o n . Proceedings o f the Third An nual A CM Sym po-

s ium on Principles o f Dis tr ibuted Comp ut ing ( A u g u s t

1 9 84 ) ] t h e s e p r o c e e d i n g s ] .

[ 9] M . P e a s e , R . S h o s t a k a n d L . L a m p o r t . R e a c h i n g

A g r e e m e n t i n t h e P r e s e n c e o f F a u l t s . Journ. ACM.27, 2 (Apr. 1980), 228-234.

[ 10 ] H . R . S t r o n g a n d D . D o l e v . B y z a n t i n e A g r e e -

m e n t . In te l lec tual Leverage for the In format ion Soci -

e ty (Compcon) . I E E E C o m p u t e r S o c i e t y P r e s s , N e w

York , 77 -82 .

[ 11 ] J . W e n s l e y e t . a l . S I F T : D e s i g n a n d A n a l y s i s o f a

F a u l t - T o l e r a n t C o m p u t e r f o r A i r c r a f t C o n t r o l . Pro-

ceedings o f the IE EE 66, 10 (O ct. 1978).

7 4


Introduction Clocks,events and process states Synchronizing physical clocks

Grandfather-clocks-for-less - Grandfather Clocks: Unique Timepieces

Stavelet Clocks

Vector Clocks

digital clocks and clocks

Calendars Clocks

Ancient Clocks

Time Clocks

Biological Clocks

Pendulum clocks

Physical Clocks. Topics r Physical Clocks r Clock Synchronization Algorithms

Kitchen Clocks

Clocks Escapments

wall clocks cuckoo clocks home furniture lighting

ZEN Clocks

Cyprus Conference 2007 Simplex PoE Clocks. 2 Simplex PoE Clocks

System Clocks

Evergreen clocks

GPS Clocks

Molecular Clocks

Coldplay - Clocks

Logical Clocks

Lamport clocks

Clocks 2013.2.22

Markus Messner, Christina Novoszel Clocks – Anwendung & Realisierung Clocks Anwendung & Realisierung

Wall Clocks

Segmented Clocks

Rapport Clocks

Clocks & Watches2

Clocks 213

European Clocks

Xilinx UG725 ML623 IBERT Getting Started Guide (ISE 13.4 ... · Q113 112 Clocks 113 Clocks 115 Clocks 114 Clocks 116 Clocks 114 Clocks Q115 Q112 Q116 Q114 X-Ref Target - Figure 1-3

Coldplay Clocks

Alarm Clocks

Cuckoo Clocks