
Some logically hard problems

In the document Algorithmic Foundations of the Internet (Pages 172-176)

The new situation comes from a logic puzzle known as the two generals problem born in the framework of the communication between two entities, whose solution is immediate if nothing goes wrong but becomes impossible in the presence of unpredictable transmission faults. Although it is obvious that poorly functioning lines may prevent a sound exchange of information, what is surprising is that the communication may not reach a final state just because transmission faults are possible, even if they do not actually occur.

Let us see why. Two generals G1 and G2, each one heading an army, camp at the foot of a hill where a third general E, the enemy, is lodged in a fortress with his troops. A coordinated attack of the two generals G1, G2 will defeat E and the fortress will be conquered, while a solitary attack will result in a disastrous failure because E enjoys a better strategic position. G1 and G2 communicate by sending messengers to agree on a time to attack. So the leader general, for example G1, sends a message to G2 saying: “let’s do it tomorrow at nine o’clock,” G2 receives the message, and both attack concurrently. No further communication is needed if there is the certainty that the messages arrive at their destination. But how do the generals behave if they fear that a messenger can be ambushed by the enemy? G1 can send the same message to G2, but before ordering the attack must make certain that the messenger has completed the mission, hence he waits for an acknowledgment from G2, e.g., in the form: “I received the message and agree to attack at nine o’clock.”

Now in turn G2 wants to make certain that G1 has received his answer before attacking, so G1 must confirm once he has received the message from G2, and so on. Since before attacking each general wants to receive from the other an acknowledgment of the last message sent, the exchange will go on forever (and in any case well after “nine o’clock” of the next day). The attack is then impossible.

algorithm WITHDRAWAL

At ATM terminal T, user U requests to withdraw an amount $ from bank B.

T sends a request M1 = R(U,$) to B;

(upon reception of M1 and if $ is available)

B sends an authorization M2 = A(U,$) to T;

(upon reception of M2)

T pays $ to U and sends a confirmation M3 = C(U,$) to B;

(upon reception of M3)

B withdraws $ from the account of U.

FIGURE 8.9: A protocol for bank withdrawal.

This scheme reflects a situation arising in distributed systems, where a problem may be easily solved if everything works well, but becomes impossible to handle in the presence of even intermittent faults. A classical application is in a banking system: a simplified version of a protocol for withdrawal at ATM terminals is shown in Figure 8.9.[8]

This protocol works correctly only in the absence of transmission faults. If M1 or M2 fails to arrive the protocol is interrupted with the (minor) consequence that U cannot withdraw the sum required. A failure in the transmission of M3 is considered more serious because a dishonest user could cash a sum without being charged and the bank B would suffer a loss. To prevent such a case, B could modify its portion of the protocol by making a precautionary withdrawal from the account of U before sending the authorization M2, and then confirming such a withdrawal upon reception of M3. In this case, if M2 fails, the user’s account is charged without making the corresponding sum available at the terminal, and the user would suffer a loss. It can be easily seen that, as for the two generals, an exchange of messages could go on forever without reaching a state of consistency between U and B, for which a rendezvous on different grounds is necessary.
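The single-fault cases discussed above can be enumerated mechanically. The following Python sketch is an added example, not code from the book: the names `withdrawal`, `outcome`, `fault_table` and the amounts are constructed, and it assumes that an unconfirmed precautionary charge simply stays on the account.

```python
# Added illustration (not from the book): the exchange of Figure 8.9 with at
# most one message dropped in transit. Amounts and names are constructed.

def withdrawal(amount, balance, lost=None, precautionary=False):
    """Run T <-> B once. `lost` names the dropped message ("M1", "M2", "M3").
    Returns (paid_to_user, charged_to_account, messages_seen_by_bank)."""
    paid = charged = 0
    seen_by_bank = []
    # M1 = R(U,$): T -> B
    if lost == "M1":
        return paid, charged, seen_by_bank
    seen_by_bank.append("M1")
    if balance < amount:
        return paid, charged, seen_by_bank      # no authorization is sent
    if precautionary:
        charged = amount                        # B charges before sending M2
    # M2 = A(U,$): B -> T
    if lost == "M2":
        return paid, charged, seen_by_bank
    paid = amount                               # T pays $ to U
    # M3 = C(U,$): T -> B
    if lost == "M3":
        return paid, charged, seen_by_bank
    seen_by_bank.append("M3")
    charged = amount                            # B withdraws (or confirms)
    return paid, charged, seen_by_bank


def outcome(paid, charged):
    if paid == charged:
        return "consistent"
    return "bank loses" if paid > charged else "user loses"


def fault_table(precautionary):
    """Outcome of a fault-free run and of each single lost message."""
    table = {}
    for lost in (None, "M1", "M2", "M3"):
        paid, charged, _ = withdrawal(100, 500, lost, precautionary)
        table[lost or "none"] = outcome(paid, charged)
    return table


if __name__ == "__main__":
    print("original     :", fault_table(False))
    print("precautionary:", fault_table(True))
    # B's view is identical whether M2 or M3 was lost, yet the cash differs.
    for lost in ("M2", "M3"):
        print(lost, withdrawal(100, 500, lost, True))
```

In the precautionary variant B has seen only M1 in both the lost-M2 and the lost-M3 run, so nothing B has received tells it whether the cash was paid out; this is the same position as a general waiting for an acknowledgment.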

As one may expect, the two generals problem has been extended to more than two entities, thus moving from the theory of communications to the world of distributed systems working in the presence of faults.[9]

A fundamental demand is that all entities attain common knowledge on the system in a limited number of steps, because the success of certain cooperative actions may depend on it. Clearly this possibility depends on the parameters of the problem and in many cases is not attainable. More generally there is a subtle interdependence between knowledge, communication, and action. An additional complication comes from the lack of reflexivity of certain relations, as typically occurs in a directed graph where a node A may point to node B but the converse is not necessarily true. This raises new challenges in information propagation because B cannot send a message to A if a path of directed arcs from B to A does not exist, so that achieving common knowledge on the whole system may become hard for all the entities. Lack of reflexivity occurs in a wealth of different situations, and different solutions have been proposed from case to case, some of them being really surprising. Among others, a brainteaser pertaining to a non-reflexive world known well before the advent of computer networks is frequently used to understand how common knowledge can be attained in a distributed system by other means than mere message exchange.

[8] Actual ATM terminals work differently. See the bibliographical notes at the end of the chapter.

[9] The extended version, called the Byzantine generals problem, is far too complicated to be presented here. The term Byzantine refers to protocols where different faults may be generated by a malicious “adversary” with the purpose of subverting the process. The rationale behind this approach is that a protocol resistant to Byzantine faults would resist any faults.

We call it the problem of the jealous Amazons. Its tricky solution is based on the known fact that Amazons are very smart and all of them assume that the others are as smart as they are (the associated implicit assumption is that the entities in a network are as smart as the Amazons).[10]

In the country of Amazons, just as elsewhere, when somebody has an unfaithful partner, everybody knows about it except for him/her-self, a clear lack of reflexivity. According to a version of the myth no men were permitted to have sexual encounters with Amazons or reside in their country, and female children were adopted from other tribes and brought up as future Amazons to prevent their community from dying out. Nevertheless, when visiting a neighboring tribe for adopting children, the Amazons were exposed to heterosexual temptations that occasionally resulted in their habitual female partners being cheated. Of course every Amazon knew immediately of their cheated colleagues except for the cheated ones.

But enough is enough. One day, after the visit of her subjects to a tribe of handsome men, the Queen of the Amazons proclaimed a firm resolution in Main Street:

“In this country there are unfaithful Amazons. For the sake of social order all further visits abroad are suspended until morality is fully restored in the kingdom. It is not permitted to communicate on this issue in any way, however, as soon as one of you is certain that her partner has had an affair outside of the couple, you shall kill her on that precise day.”

The Amazons went back to their activities. Knowing the Queen’s severity, none of them ventured to speak or even to mention the problem, although all other rumors were immediately spread as usual. It turns out that there were thirteen unfaithful Amazons. Twelve quiet days went by, but in the morning of the thirteenth day, thirteen arrows pierced the hearts of the culprits. How was this possible? The question is interesting because apparently the Queen’s speech did not add anything to what everybody already knew, that is that some Amazons had been cheating. We will return to this point later, noting that a clear novelty lies in the triggering order that specifies that action has to be taken in a given interval of time (“that precise day”).

[10] The problem is generally formulated on “cheating wives” (see the bibliographical notes), but is also found under different names, with different formulations. We adopt a “jealous Amazons” version which refers to more open relations.

First note that the result, valid here for thirteen Amazons, is valid for any number k of Amazons and the rule becomes: “if there are k unfaithful Amazons, in the k-th day all of them will be killed.” It is convenient to start examining the question from small values of k and then generalize the reasoning to arbitrary values. If k = 1 there is only one unfaithful Amazon and everybody knows it except for her partner. This poor lady, not having heard before about infidelity, immediately understands and kills her partner in the same day. Here is the point where the apparent neutrality of the Queen’s speech fails, because her assertion on the existence of cheating Amazons is new information for the cheated one. If k = 2, the two cheated Amazons know about one unfaithful partner and wait with anxiety until midnight of the first day to know if the culprit that they know has been killed (recall that all rumors spread immediately). Such a piece of news would have confirmed that they had complete knowledge of the kingdom, that is, there was only one unfaithful Amazon. However no news arrives in the morning, so they understand that the unfaithful ladies are indeed two including their own partners, and in the second day both culprits are killed. By induction, k cheated Amazons know about k−1 unfaithful partners. They wait up to midnight of the (k−1)-th day and start looking for news. As none of the cheating Amazons they know about is reported as being killed, they understand the situation and, on that k-th day, shoot an arrow into their partners’ hearts.

Note that for any Amazon the uncertainty is only between two values k and k−1 and the problem can be solved because the Amazons are capable of quick logical reasoning (they must be able to react within twenty-four hours). Furthermore, although Amazons may cheat sexually they are honorable warriors. Having full knowledge of what happens in the kingdom except possibly of herself, each one of the cheating Amazons knows that eventually she will be executed but does not try to escape her just punishment (e.g., by fleeing to a neighboring tribe). The argument for establishing the day of one’s own execution is left as an exercise. The problem is subtler than it may appear because a couple of Amazons may have been mutually unfaithful and, as honorable subjects, they face each other and cast the arrows at the same time.
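The induction can be checked by brute force over "possible worlds". The following Python sketch is an added example, not code from the book; it assumes the n Amazons form couples (0,1), (2,3), ..., encodes a world as a bitmask of who is unfaithful, and the names `partner` and `executions` are constructed. It also covers the mutually unfaithful couple and the case in which the Queen never speaks.

```python
# Added illustration (not from the book). Assumption: the n Amazons form
# couples (0,1), (2,3), ...; a world is a bitmask of who is unfaithful.

def partner(i):
    return i ^ 1


def executions(n, actual, announced=True):
    """Return (day, victims) for the actual world, or (None, []) if nobody
    can ever be certain. Each Amazon sees every bit except her partner's."""
    # Worlds still compatible with what is publicly known. The Queen's
    # speech removes world 0 ("nobody is unfaithful").
    worlds = set(range(1 if announced else 0, 1 << n))

    def certain(w):
        # Amazons who, in world w, can rule out "my partner is faithful".
        return [i for i in range(n)
                if (w >> partner(i)) & 1
                and (w ^ (1 << partner(i))) not in worlds]

    for day in range(1, n + 1):
        killers = certain(actual)
        if killers:
            return day, sorted(partner(i) for i in killers)
        # A quiet day is a public event: drop every world in which
        # somebody would have acted today.
        worlds = {w for w in worlds if not certain(w)}
    return None, []


if __name__ == "__main__":
    print(executions(4, 0b0001))          # k = 1
    print(executions(4, 0b0101))          # k = 2, two different couples
    print(executions(4, 0b0011))          # k = 2, a mutually unfaithful couple
    print(executions(4, 0b0001, False))   # no speech: nobody ever acts
    print(executions(14, (1 << 13) - 1))  # the thirteen of the story
```

Without the speech world 0 is never excluded, so no quiet day eliminates anything and the induction has no base case; with it, each quiet day removes exactly the worlds with one fewer culprit.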

The jealous Amazons paradigm is relevant, for example, in designing computer network protocols where a knowledge of the system leading to certain actions may be acquired with message exchange, but also through the examination of particular events that may occur. To make it clear, let us look in some more detail than we have considered so far at the diffusion of messages in a network.
