Rational Consensus

by   Joseph Y. Halpern, et al.
cornell university

We provide a game-theoretic analysis of consensus, assuming that processes are controlled by rational agents and may fail by crashing. We consider agents that care only about consensus: that is, (a) an agent's utility depends only on the consensus value achieved (and not, for example, on the number of messages the agent sends) and (b) agents strictly prefer reaching consensus to not reaching consensus. We show that, under these assumptions, there is no ex post Nash Equilibrium, even with only one failure. Roughly speaking, this means that there must always exist a failure pattern (a description of who fails, when they fail, and which agents they do not send messages to in the round that they fail) and initial preferences for which an agent can gain by deviating. On the other hand, if we assume that there is a distribution π on the failure patterns and initial preferences, then under minimal assumptions on π, there is a Nash equilibrium that tolerates f failures (i.e., π puts probability 1 on there being at most f failures) if f+1 < n (where n is the total number of agents). Moreover, we show that a slight extension of the Nash equilibrium strategy is also a sequential equilibrium (under the same assumptions about the distribution π).



There are no comments yet.


page 1

page 2

page 3

page 4


Coalitional game with opinion exchange

In coalitional games, traditional coalitional game theory does not apply...

Verification of Eventual Consensus in Synod Using a Failure-Aware Actor Model

Successfully attaining consensus in the absence of a centralized coordin...

The Nash Equilibrium with Inertia in Population Games

In the traditional game-theoretic set up, where agents select actions an...

Reaching Distributed Equilibrium with Limited ID Space

We examine the relation between the size of the id space and the number ...

Hotelling Games with Multiple Line Faults

The Hotelling game consists of n servers each choosing a point on the li...

From Behavioral Theories to Econometrics: Inferring Preferences of Human Agents from Data on Repeated Interactions

We consider the problem of estimating preferences of human agents from d...

Controlling Human Utilization of Failure-Prone Systems via Taxes

We consider a game-theoretic model where individuals compete over a shar...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Consensus is a fundamental problem in distributed computing; it plays a key role in state machine replication, transaction commitment, and many other tasks where agreement among processes is required. It is well known that consensus cannot be deterministically achieved in asynchronous systems [9], but can be achieved in synchronous systems even if we allow Byzantine failures (see, e.g., [16]). The assumption in all these solutions is that the reason that processes do not follow the protocol is that they have been taken over by some adversary.

There has been a great deal of interest recently in viewing at least some of the processes as being under the control of rational agents, who try to influence outcomes in a way that promotes their self interest. Halpern and Teague HT04 were perhaps the first to do this. Their focus was on secret sharing and multiparty computation. Following ADH13,AGLS14,BCZ12,GKTZ12, we are interested in applying these ideas to standard problems in game theory. And like ADGH06,Alvisi05,BCZ12, we are interested in what happens when there is a mix of rational and faulty agents. For the purposes of this paper, we restrict to crash failures. As we shall see, a number of subtle issues arise even in this relatively simple setting.

We focus on the fair consensus problem, where fairness means that the input of every agent is selected with equal probability. Fairness seems critical in applications where we do not want agents to be able to influence an outcome unduly. For instance, when agents must decide whether to commit or abort a transaction, it is useful to ensure that the outcome reflects the preferences of the agents, so that if a majority of agents prefers a particular outcome, it is selected with higher probability. Abraham, Dolev and Halpern ADH13 present a protocol for fair leader election that even tolerates coalitions of rational agents. That is, in equilibrium, a leader is elected, and each agent is elected with equal probability. Fair leader election can be used to solve fair consensus (for example, once a leader is elected, the consensus value can be taken to be the leader’s value). However, the protocol of [2] assumes that there are no faulty agents. Groce et al. GKTZ12 directly provide protocols for consensus with rational agents, but again, they do not consider faulty agents and do not require fairness. Afek et al. AGLS14 and Bei, Chen, and Zhang BCZ12 provide protocols for consensus with crash failures and rational agents. However, Afek et al.’s protocol works only under strong assumptions about agents’ preferences, such as an agent having a strict preference for outcomes where it learns the input of other agents, while Bei, Chen, and Zhang require that their protocol be robust to deviations (that is, it achieves agreement even if rational agents deviate), a requirement that we view as unreasonably strong (see Section 3). Neither of these protocols satisfy the fairness requirement. Moreover, the protocol proposed by Afek et al. is not even an equilibrium if some agent knows the input of other agents. As we show, this is not an accident.

To explain our result, we need to briefly recall the standard notion of ex post Nash equilibrium. In a setting where we have an adversary, a protocol is an ex post equilibrium if no agent has any incentive to deviate no matter what the adversary does. Formally, “no matter what the adversary does” is captured by saying that even if we fix the adversary’s choice (so that the agents essentially know what the adversary does), agents have no incentive to deviate. Abraham, Dolev, and Halpern ADH13 provide protocols for leader election (and hence consensus) that achieve ex post Nash equilibrium if there are no failures. Here, we show that even in synchronous systems, there is no consensus protocol that is an ex post Nash equilibrium if there can be even one crash failure.

In the case of crash failures, the adversary can be viewed as choosing two things: the failure pattern—which agents fail, when they fail, and which other agents they send a message to in the round that they fail, and the initial configuration—what the initial preference of each of the agents is. Roughly speaking, the reason that we cannot obtain an ex post Nash equilibrium is that if the failure pattern and initial configuration have a specific form, a rational agent can take advantage of knowing this to increase the probability of obtaining consensus on its preferred value.

There might seem to be an inconsistency here. It is well known that we can achieve consensus in synchronous systems with crash failures, so it seems that we shouldn’t have any difficulty dealing with one possibly faulty agent and one rational agent who does not follow the protocol. After all, we can view a rational agent who deviates from the protocol as a faulty agent. But there is no contradiction. When the agent deviates from the purported equilibrium, consensus is still reached, just on a different value. That is, a rational agent may want to deviate so as to bias the decision, although a consensus is still reached.

To get around our impossibility result, rather than trying to achieve ex post Nash equilibrium, we assume that there is some distribution on contexts: pairs consisting of a failure pattern and an initial configuration . We show that under appropriate assumptions about , if agents care only about consensus—specifically, if (a) an agent’s utility depends only on the consensus value achieved (and not, for example, on the number of messages the agent sends) and (b) agents strictly prefer reaching consensus to not reaching consensus—then there is a Nash equilibrium that tolerates up to failures, as long as , where is the total number of agents. Specifically, we make two assumptions about , namely, we assume that supports reachability and is uniform. Roughly speaking, we say that supports reachability if it attributes small probability to particular failure patterns that prevent information from one agent reaching an agent that has not crashed by the end of the protocol; we say that is uniform if it attributes equal probability to equivalent failures of different agents. We believe that these assumptions apply in many practical systems; we discuss this further in Section 4.

Our Nash equilibrium strategy relies on “threats”; the threat that there will be no consensus if an agent deviates (and is caught). There might be some concern that these are empty threats, which will never be carried out. The notion of sequential equilibrium [15] is intended to deal with empty threats. Roughly speaking, a strategy is a sequential equilibrium if all agents are best responding to what the others are doing even off the equilibrium path. We generalize sequential equilibrium to our setting, where there might be failures, and show that the strategy that gives a Nash equilibrium can be slightly extended to give a sequential equilibrium that tolerates up to failures.

The rest of this paper is organized as follows. In Section 2 we discuss the model that we are using. Our main technical results on Nash equilibrium and sequential equilibrium are given in Section 3. We conclude with some discussion of the assumptions in Section 4.

2 Model

We consider a synchronous message-passing system with agents and reliable communication channels between each pair of agents. Time is divided into synchronous rounds. Each round is divided into a send phase, where agents send messages to other agents, a receive phase, where agents receive messages sent by other agents in the send phase of that round, and an update phase, where agents update the value of variables based on what they have sent and received. We denote by the set of agents and assume that they have commonly-known identifiers in . Round takes place between time and time .

We now formalize the notion of run. We take a round- history for agent to be a sequence of form , where is agent ’s initial preference and has the form , where is the set of messages that sent in round tagged by who they were sent to, is the set of messages that received in round tagged by who they were sent by, and is ’s decision (where denotes that no decision has been made yet and is the set of decision values). A global (round-) history has the form where is a round- history, if receives a message from in round of , then sends to in round in history . A run is a function from time (which ranges over the natural numbers) to global histories such that (a) is a global round- history and (b) if , then for each agent , ’s history in is a prefix of ’s history in .

Agents are either correct or faulty in a run. An agent fails only by crashing. If it crashes in round of run , then it may send a message to some subset of agents in round , but from then on, it sends no further messages. We assume that all messages sent are received in the round in which they are sent. Thus, we take a failure f of agent to be a tuple , where is a round number (intuitively, the round at which crashes) and is a set of agents (intuitively, the set of agents to whom can send a message before it fails). We assume that if , then is non-empty, so that sends a message to at least one agent in round if fails in round . (Intuitively, if , we are identifying the failure pattern where crashes in round and sends no message with the failure pattern where crashes in round and sends messages to all the agents.) A failure pattern is a set of failures of distinct agents . A run has context if (a) describes the initial preferences of the agents in , (b) if , then sends all messages according to its protocol in each round , sends no messages in each round , and sends messages according to its protocol only to the agents in in round , and (c) all messages sent in are received in the round that they are sent. Let consist of all runs that have context . Let consist of all runs that have as the set of failures.

In the consensus problem, we assume that each agent has an initial preference in some set . For ease of exposition, we take . (Our results can easily be extended to deal with larger sets of possible values.) A protocol achieves consensus if it satisfies the following properties [9]:

  • Agreement: No two correct agents decide different values.

  • Termination: Every correct agent eventually decides.

  • Integrity: All agents decide at most once.

  • Validity: If an agent decides , then was the initial preference of some agent.

We are interested in one other property: fairness. Note that, once we fix a context, a protocol for the agents generates a probability on runs, and hence on outcomes, in the obvious way. Fairness just says that each agent has probability at least of having its value be the consensus value, no matter what the context. More precisely, we have the following condition:

  • Fairness: For each context , if of the nonfaulty agents in have initial preference , then the probability of being the consensus decision conditional on is at least .

It is straightforward to view a consensus problem as a game once we associate a utility function with each agent , where maps each outcome to a utility for . Technically, it is an extensive-form Bayesian game. In a Bayesian game, agents have types, which encode private information. In consensus, an agent’s type is its initial preference. A strategy for agent in this game is just a protocol: a function from information sets to actions. As usual, we view an extensive-form game as being defined by a game tree, with the nodes where an agent moves into information sets where, intuitively, two nodes are in the same information set of agent if has the same information at both. In our setting, the nodes in a game tree correspond to global histories, and agent ’s information set at a global history is determined by ’s history in that global history; that is, we can take ’s information set at a global history to consist of all global histories where ’s history is the same as it is at . Thus, we identify an information set for agent with a history for agent . If is the information set associated with history , we denote by the set of runs where has history in .

In game theory, a strategy for agent is a function that associates with each information set for agent a distribution over the actions that can take at . In distributed computing, a protocol for agent is a function that associates with each history for agent a distribution over the actions that can take at . Since we are identifying histories for agent with information sets, it is clear that a protocol for agent can be identified with a strategy for agent . In consensus, the actions involve sending messages and deciding on values. We assume that there is a special value that an agent can decide on. By deciding on , an agent guarantees that there is no consensus. If we assume that an agent prefers to reach consensus on some value to not reaching consensus at all, in the language of Ben Porath Bp03, this means that each agent has a punishment strategy.

We next want to define an appropriate solution concept for our setting. The standard approach is to say that an equilibrium is a strategy profile

(i.e., a tuple of strategies, one for each agent) where no agent can do better by deviating. “Doing better” is typically taken to mean “gets a higher expected utility”. However, if we do not have a probability on contexts, we cannot compute an agent’s expected utility. We thus consider two families of solution concepts. In the first, we take “doing better” to mean that, for each fixed context, no agent can do better by deviating. Once we fix the context, the strategy profile generates a probability distribution on runs, and we can compute the expected utility. In the second approach we assume a distribution on contexts.

A strategy profile is an -Nash equilibrium if, for each fixed context where there are at most faulty agents in , and all agents , there is no strategy for agent such that can improve its expected utility by more than . Formally, if denotes ’s expected utility if strategy profile is played, conditional on the run being in , we require that for all strategies for , . An -Nash equilibrium is a -Nash equilibrium. The notion of -Nash equilibrium extends the notion of ex post Nash equilibrium by allowing up to faulty agents; a -Nash equilibrium is an ex post Nash equilibrium.111This definition is in the spirit of the notion of -robustness as defined by Abraham et al. [1], where coalitions of size are allowed in addition to “faulty” agents, but here we restrict the behavior of the faulty agents to crash failures rather than allowing the faulty agents to follow an arbitrary protocol, and take . We also allow the deviating agents to fail (this assumption has no impact on our results).

Given a distribution on contexts and a strategy profile , and determine a probability on runs denoted in the obvious way. We say that is an -Nash equilibrium if, for all agents and all strategies for , we have , where now the expectation is taken with respect to the probability . A -Nash equilibrium is a 0–-Nash equilibrium. If puts probability 1 on there being no failures, then we get the standard notion of (-) Nash equilibrium.

3 Possibility and Impossibility Results for Consensus

In this section, we consider the consensus problem from a game-theoretic viewpoint. We focus on the case where agents care only about consensus, since this type of utility function seems to capture many situations of interest. For the rest of this section, let be ’s utility if its initial preference is decided, let be ’s utility if there is consensus, but not on ’s initial preference, and let be ’s utility if there is no consensus. The assumption that agents care only about consensus means that, for all , .

Note that although we assume that agents prefer consensus to no consensus, unlike Bei, Chen, and Zhang. BCZ12, we do not require that our algorithms guarantee consensus when rational agents deviate. Our algorithm does guarantee that there will be consensus if there are no deviations. On the other hand, we allow for the possibility that a deviation by a rational agent will result in there being no consensus. For example, suppose that a rational agent pretends to fail in a setting where there is a bound on the number of crash failures. That means that if other agents actually do crash, then some agent will detect that agents seem to have crashed. Our algorithm requires that if an agent detects such an inconsistency, then it aborts. If the probability that agents actually crash is low, in our framework, a rational agent may decide that it is worth the risk of pretending to crash if the potential gain is sufficiently large. Bei, Chen, and Zhang would not permit this, since they require consensus even if rational agents deviate from the algorithm. This requirement thus severely limits the possible deviations.

3.1 An Impossibility Result

We start by showing that there is no fair consensus protocol that is an -Nash equilibrium.

Theorem 1.

If solves fair consensus, agents care only about consensus, and , then is not an -Nash equilibrium


Consider the initial configuration where all agents but have initial preference 0 and has initial preference 1. If is the failure pattern where no agent fails, by Fairness, the agents must decide 1 with positive probability in context . It follows that there must be a failure pattern where only agent fails but the agents decide 1 with positive probability in context . (In , fails only after a decision has been made in .) If is the failure pattern where only fails, and fails immediately, before sending any messages, then it is clear that no agents can distinguish this context from one where all agents have initial preference 0, so all agents must decide 0, by the Validity requirement.

Put a partial order on failure patterns where only crashes by taking if either crashes in an earlier round in than in , or crashes in the same round in both and , but the set of agents to whom sends a message in is a subset of the set of agents to whom sends a message in . Clearly . Thus, there exists a minimal failure pattern such that , only fails in , the consensus is on 1 with positive probability in context , the consensus is 0 with probability 1 in all contexts where only agent fails in and . We can assume without loss of generality that sends a message to some agent in the round in which fails. To see this, note that if crashes in the first round then must send a message to some agent (otherwise and the decision is 0 with probability 1). And if crashes in round , we have assumed that sends at least one message before crashing (recall that we identify an agent crashing at round and sending no messages with the agent crashing at round and sending to all agents).

Now suppose that an agent that receives a message from in round pretends not to receive that message. This makes the situation indistinguishable from the context where is just like except that does not send a message to in round . Since , the decision must be 0 with probability 1 in context . Since has initial preference in , can increase its expected utility by this pretense, so is not an -Nash equilibrium. ∎

3.2 Obtaining a -Nash equilibrium

We now prove a positive result. If we are willing to assume that there is a distribution on contexts with some reasonable properties, then we can get a fair -Nash equilibrium. But, as we show below, there are some subtle problems in doing this.

Before discussing these problems, it is useful to recall some results from social choice theory. Consider a setting with agents where each has a preference order (i.e., a total order) over some set of outcomes. A social-choice function is a (possibly randomized) function that maps a profile of preference orders to an outcome. For example, we can consider agents trying to elect a leader, where each agent has a preference order over the candidates; the social-choice function chooses a leader as a function of the expressed preferences. A social-choice function is incentive compatible if no agent can do better by lying about its preferences. The well-known Gibbard-Satterthwaite theorem [10, 18] says that if there are at least three possible outcomes, then the only incentive-compatible deterministic social-choice function is a dictatorship; i.e., the function just chooses a player and takes the outcome to be ’s most-preferred candidate, ignoring all other agents’ preferences. Gibbard Gibbard77 extends this result to show that if there are at least three outcomes, then the only randomized incentive-compatible social-choice function is a random dictatorship, which essentially amounts to choosing some player according to some probability distribution and then choosing ’s value.

Bei, Chen, and Zehang BCZ12 point out that a strategy profile that solves consensus can be viewed as a social-choice function: agents have preferences over three outcomes, 0, 1, and , and the consensus value (or , if there is no consensus) can be viewed as the outcome chosen by the function. A strategy profile that is a Nash equilibrium is clearly incentive-compatible; no agent has an incentive to lie about its preferences. Thus, it follows from Gibbard’s Gibbard77 result that a solution to rational consensus must be a randomized dictatorship. And, indeed, our protocols can be viewed as implementing a randomized dictatorship: one agent is chosen at random, and its value becomes the consensus value. However, implementing such a randomized dictatorship in our setting is nontrivial because of the possibility of failures.222We remark that Theorem 1 of Bei, Chen, and Zhang BCZ12 claims that, given a fixed failure pattern, a strategy profile for consensus that is a Nash equilibrium must implement a dictatorship, rather than randomized dictatorship. While this is true if we restrict to deterministic strategies, neither we nor Bei, Chen, and Zhang do so. We have not checked carefully whether results of Bei, Chen, and Zhang that depend on their Theorem 1 continue to hold once we allow for randomized dictatorships.

3.2.1 A naive protocol

We start with a protocol that, while not solving the problem, has many of the essential features of our solution, and also helps to point out the subtleties. Consider the following slight variant of one of the early protocols for consensus [8]: In round 1, each agent broadcasts a tuple , where is ’s initial preference, and is a random element in . For round , each agent broadcasts all the tuples that received and did not already forward in earlier rounds. At the end of round , each agent checks for consistency; specifically, it checks that it has received tuples from at least agents and that it has not received distinct tuples claimed to have been sent by some agent . If detects an inconsistency, then decides . Otherwise, suppose that received tuples from agents. Then computes the sum mod of the values for each agent from which it received a tuple. If the sum is , then decides on the value of the agent with the st highest id among the agents from which it received tuples. (Here is where we are implementing the random dictatorship.) Note that the random value is used by in computing the consensus value if exactly faulty agents are discovered; the remaining random values sent by agent in the first round are discarded.

It is straightforward to check that if all nonfaulty agents follow this protocol, then they will all agree on the set of tuples received (see the proof of Theorem 2 for an argument similar in spirit), and so will choose the same decision value, and each agent whose value is considered has an equal chance of having their value determine the outcome. But this will not be in general a -Nash equilibrium if allows up to failures, that is, puts probability 0 on all failure patterns that have more than failures and .

Consider a distribution that puts positive probability on all contexts with at most failures, and an initial configuration where agent 1 prefers 1, but all other agents prefer 0. Agent 1 follows the protocol in the first round, and receives a message from all the other agents. We claim that agent 1 may have an incentive to pretend to fail (without sending any messages) at this point. Agent 1 can gain by doing this if one of the other agents, say agent 2, crashed in the first round and sent a message only to agent 1. In this case, if 1 pretends to crash, no other agent will learn 2’s initial preference, so 1’s initial preference will have a somewhat higher probability (at least ) of becoming the consensus decision. Of course, there is a risk in pretending to crash: if agents really do crash, then an inconsistency will be detected, and the decision will be . Let be the probability of there being fewer than failures and at least one agent crashing in the first round who does not send to any agent other than 1 (this is the probability that 1 gains some utility by its action); let be the probability of there being crashes other than 1 (this is an upper bound on the probability that 1 loses utility by its action). Then 1’s expected gain by deviating is at least

This is a small quantity. However, if is reasonably large and failures are unlikely, we would expect to be much smaller than , so as the number of failures that the protocol is designed to handle increases, deviating becomes more and more likely to produce a (small) gain.

3.2.2 A -Nash equilibrium

There are three problems with the preceding protocol. The first is that, even if 1 pretends to fail, 1’s value will be considered a potential consensus value, since everyone received the value before 1 failed. This means that there is little downside in pretending to fail. Roughly speaking, we deal with this problem by taking into consideration only the values of nonfaulty agents when deciding on a consensus value. The second problem is that since agents learn the random values that will be used in determining the consensus value in round 1, they may be able to guess with high probability the value that will be decided on at a point when they can still influence the outcome. To address this problem, agents do not send these random values in the first round; instead, they use secret sharing [19], so as to allow the nonfaulty agents to reconstruct these random values when they need to decide on the consensus value. This prevents agents from being able to guess with high probability what the decision will be too early. The third problem is that in some cases agents can safely lie about the messages sent by other agents (e.g., can pretend that another agent did not crash). We could solve this by assuming that messages can be signed using unforgeable signatures. We do not need this or any other cryptographic assumption. Instead, we use some randomization to ensure that if an agent lies about a message that was sent, it will be caught with high probability.

Thus, in our algorithm, an agent generates random numbers for two reasons. The first is that it generates random numbers , where is used in choosing the consensus value if there are exactly faulty agents discovered, and then, as we suggested above, shares them using secret sharing, so that the numbers can be reconstructed at the appropriate time (see below). The second is that it generates additional random numbers, denoted , one for each agent , in each round , and sends them to in round . Then if agent claims that it got a message in round from , it will have to also provide as proof.

In more detail, we proceed as follows. Initially, each agent generates a random tuple , where is in . It then computes random polynomials , each of degree , such that . It then sends to agent . The upshot of this is that no agent will be able to compute given this information (since one point on a degree-1 polynomial gives no information regarding ). In addition, in round 1, each agent sends to each agent , just as in the naive algorithm; it also generates the random number and a special random number

, and sends each agent the vector

, where for and . (As we said, these random numbers form a “signature”; their role will become clearer in the proof.) Finally, in round 1, agent sends a status report ; we discuss this in more detail below. In the receive phase of round 1, agent adds all the values received from other agents to the set .

In round with , again sends a status report and a vector . For each agent , is a tuple of the form , where is the first round that knows that crashed ( if believes that has not yet crashed), and is either the vector of random values sent by in (if believes that has not yet crashed) or an agent that told that crashed in round . The tuple is computed by setting for to be , the random number sent by in the previous round (this will be used to prove that really got a message from in the previous round—it is our replacement for unforgeable signatures); again, is a random value generated by . In round , also sends the secret shares it received in round 1 from each agent (i.e., the value that it received from , assuming that did not lie). This enables to compute the polynomials , and hence the secret for .

If detects an inconsistency in round , then decides , where detects an inconsistency in round if the messages received by are inconsistent with all agents following the protocol except that up to agents may crash. This can happen if

  1. sends incorrectly formatted messages;

  2. and agents and disagree about the random values and sent by in round ;

  3. and some agent reports that sent a value in round different from the value sent by to in round ;

  4. and it is not possible to interpolate a polynomial

    through the shares received by from in round 1 and the values received from in round .

  5. some agent sends a status report in round that says that crashed in some round and either receives a message from in round or some agent sends a status report saying that it received a message from in a round ;

  6. for some agents , , and , sends a status report in round that says that crashed in round and that reported this, but sends a status report in round that says that did not crash before round ;

  7. for some agents , , and , sends a status report in round that says that did not crash by round and crashed in some round , while sends a status report in round saying that crashed in round (so either ignored the report about sent by or lied to );

  8. more than crashes are detected by by round (i.e., or more agents have not sent messages to or were reported to crash in some round up to and including ).

If agent does not detect an inconsistency at some round , proceeds as follows in round . For each round in a run , agent computes , the set of agents that it believes did not crash up to and including round . Take (the set of all agents). Say that round in run seems clean if . As we show (Theorem 2), if no inconsistency is detected in run , then there must be a round in that seems clean. Moreover, we show that if is the first round in that seems clean to a nonfaulty agent , then all the nonfaulty agents agree that is the first round that seems clean in , and they agree on the initial preference of all agents in , and the random numbers sent by these agents in round messages in run . The agents then use these random numbers to choose an agent among the agents in and take to be the consensus value.

The pseudocode for the strategy (protocol) that implements this idea is given in Figure 1.

Lines 114 initialize the values of and , as well as the random numbers required in round ; that is, generates and the corresponding polynomial used for secret sharing for , and random vectors for , where . In phase (the “sending” phase) of round , sends and . If , then also sends and to , where ; that is, is ’s share of the secret . Finally, if , instead of sending to , sends all the shares it has received from other agents, so that all agents can compute the secret (lines 17-22). In phase 2 (the “receive” phase) of round , processes all the messages received and keeps track of all agents who have crashed (lines 24-40). If receives a round message from , then adds to if , includes in the vector sent by to , and updates the status report of each agent . Specifically, if reports that crashed in a round and earlier considered it possible that was still nonfaulty at round , then includes in the fact that crashed and that is an agent that reported this fact (lines 31-35); if does not receive a round message from and believed that did not crash before, then marks as crashed (line 37). In phase 3 (the “update” phase) of round , generates the random value for the next round. If detects an inconsistency, then decides (line 44); if no inconsistency is detected by the end of round , then decides on a value (lines 49-59) by computing the set for every round , determining the earliest round that seems clean (), computing a random number , where is the number of crashes that occurred before , by summing the random numbers of (computed by interpolating the polynomials), and deciding on the value of the agent in with the st highest id.

3: random in
4:for all  do
5:        All agents are initially active
6:       for all  do
8:        random in Random number to be used by in round
9:        Proves that sends round 1 message to
10:for all  do
11:        random in A random number for each possible value of
12:        random polynomial of degree with
13:       for all  do
16:for all round such that  do
17:       Phase 1: send phase
18:             for all  do
19:                    if  then Send to                     
20:                    if  then Send to                     
21:                    if  then Send to                                  
22:       EndPhase
24:       Phase 2: receive phase
26:             for all  do
27:                    if receive valid message from  then
28:                          if  then contains all the values that has seen                           
29:                           Note that is still active
30:                          for all  do
31:                                 if  and and  then
32:                                        crashed earlier than previously thought
34:                                 else if  then
36:                    else if  for some  then
37:                           detects a crash of
38:                          for all  do
40:       EndPhase
42:       Phase 3: update phase
43:             if an inconsistency is detected then
44:                    Decide() Punishment
45:                    decided
46:             else if  then
47:                    for all  do
48:                           random in                     
49:             else if decided =  then
51:                    for all  do
52:                           Agents that did not crash up to round                     
53:                     first round such that First round that seems clean
54:                     Number of crashes prior to
55:                    for all  do
56:                           unique polynomial interpolating the values received otherwise, an inconsistency was detected
58:                     Calculate a random number in
59:                    Decide(), where is the st highest id in              
60:       EndPhase
Algorithm 1 : ’s consensus protocol with initial value

We now prove that gives a -Nash equilibrium, under reasonable assumptions about . We first prove that the protocol satisfies all the properties of fair consensus without making any assumptions about .

Theorem 2.

solves fair consensus if at most agents crash, , and all the remaining agents follow the protocol.


Consider a run where all agents follow and at most agents crash. It is easy to see that no inconsistency is detected in . Since an agent crashes in at most one round and there are at most faulty agents, there must exist a round when no agent crashes. Let be the first such round. We prove that for all nonfaulty agents and , for all (where denotes ’s version of in run , and similarly for ). To see this, fix two nonfaulty agents and . Agent adds agent to iff receives a message from in every round of run , and receives no status report indicating that crashed in some round . If , then it must be the case that also received a message from in every round of and neither received nor sent a status report indicating that crashed in a round ; otherwise would have learned about this crash by round and would have told by round that was faulty (since is nonfaulty). Thus, . If , then sends a round message to all agents for all ; and since no agents fail in round , by assumption, we again have . Thus, ; similar arguments give the opposite inclusion.

Note that since no agent crashes in round , it is easy to see that we must have for all nonfaulty agents , so round seems clean. With these observations, we can now prove that satisfies each requirement of Fair Consensus in .

Validity: Since no inconsistency is detected, every agent decides a value different from in . Agent always finds some round that seems clean, computes a nonempty set , which includes at least , and knows the random numbers sent by these agents in round . Since contains only initial preferences, decides the initial preference of some agent in .

Termination and Integrity: Every agent either crashes before deciding or decides exactly once at the end of round .

Agreement: We have shown that all nonfaulty agents and agree on for all . We thus omit the superscripts and on from here on in. Given this, they agree on whether each round seems clean and thus agree that some is the first round that seems clean in . Moreover, and receive identical round messages from the agents in . It follows that adds a tuple to for iff adds that tuple to . Suppose that . Since must include all the nonfaulty agents, we must have . Clearly, if , then and must receive the values and in round messages sent by . Agents and also receive from each nonfaulty agent . Since there are at least nonfaulty agents, and follows , and will be able to interpolate the polynomial , and compute . Consequently, and agree on the information relevant to the consensus decision, so must decide on the same value.

Fairness: The probability of the initial preference of each agent in being decided is . Since , if nonfaulty agents in initially have preference , then the probability of being decided is at least . Since contains all the nonfaulty agents, Fairness holds. ∎

It remains to show that is a -Nash equilibrium. We show that is a -Nash equilibrium under appropriate assumptions about . Specifically, we assume that supports reachability and is uniform, notions that we now define. The reachability assumption has three parts. The first two parts consider how likely it is that some information that an agent has will reach an agent that will decide on a value; the third part is quite similar, and considers how likely it is that a nonfaulty agent becomes aware that an agent failed in round . Of course, the answer to these questions depends in part on whether agents are supposed to send messages in every round (as is the case with ). In the formal definition, we implicitly assume that this is the case. (So, effectively, the reachability assumption is appropriate only for protocols where agents send messages in every round.) Given agents and , a round- information set for , a failure pattern compatible with , in that , and , say that a nonfaulty agent is reachable from without between rounds and given if there is a sequence of agents different from such that , for , has not failed prior to round according to , and either does not fail in round or, if , fails in round but sends a message to before failing (i.e., if , then ), and .

Note that if is nonfaulty according to , then a nonfaulty agent is certainly reachable from without between rounds and ; just take . But even if fails in round according to , as long can send a message to a nonfaulty agent other than , or there is an appropriate chain of agents, then a nonfaulty agent is reachable from without by round . The probability of there being a failure pattern for which a nonfaulty agent is reachable from without depends in part on how many agents are known to have failed in ; the more agents are known not to have failed, the more likely we would expect a nonfaulty agent to be reachable from without .

We also want this condition to hold even conditional on a set of failure patterns, provided that the set of failure patterns does not favor particular agents failing. To make this precise, we need a few more definitions. Say that an agent is known to be faulty in if is faulty in all runs in ; thus, is known to be faulty in if did not send a message to at round according to . Say that a set of failure patterns satisfies the permutation assumption with respect to a set of failures and an information set if, for all permutations of the agents that keep fixed the agents that fail in or are known to be faulty in , if , then so is , where is the failure pattern that results by replacing each triple by . satisfies the permutation assumption with respect to if satisfies it with respect to the empty set of failures and . Let .

We say that supports reachability if for all agents , all time- information sets such that agents are not known to be faulty in , failure pattern , and all sets of failure patterns that satisfy the permutation assumption with respect to and , we have that

  1. if is not known to be faulty in and is not in , then

  2. if is not known to be faulty in and is not in , then

  3. if a message from some agent not in was received up to and including round but not in round , then

The first two requirements essentially say that if hears from in round , then it is likely that other agents will hear from as well in a way that affects the decision, even if does not forward ’s information. That is, it is unlikely that will fail right away, and do so in a way that prevents its information from having an effect. Similarly, the third requirement says that if does not hear from in round (as reflected in ), then it is likely that other agents will hear that crashed at or before round even if does not report this fact.

We next define the notion of uniformity. Given two failure patterns and , we say that and are equivalent if there is a permutation of the agents such that . We say that is uniform if, for all equivalent failure patterns and and vectors of initial preferences, we have . Intuitively, if is uniform, then the probability of each failure pattern depends only on the number of messages omitted by each agent in each round; it does not depend on the identity of faulty agents.

The following lemma will prove useful in the argument, and shows where the uniformity assumption comes into play. Roughly speaking, the lemma says that if the agents run , then each agent ’s expected value of its initial preference being the consensus value is just its current knowledge about the fraction of nonfaulty agents that have its initial preference. The lemma’s claim is somewhat stronger, because it allows for expectations conditional on certain sets of agents failing.

Before stating the lemma, we need some definitions. Let consist of all runs where a decision is made and the first round that seems clean is . A set of failure patterns, a failure pattern , a round- information set for , and are compatible if (a) all the failures in happen before round , (b) , and (c) satisfies the permutation assumption with respect to and . Given an agent and a run where consensus is reached, let be the number of agents who apparently have not crashed in the first round of that seems clean (i.e., if is the first clean round in , then ), and let be the number of these agents in that have initial preference . Given an information set and a failure pattern , let be the set of agents who are faulty in ; let consist of the agents known to be faulty in ; let ; and let be the agents not in that have initial preference 1. Note that and

are random variables on runs (i.e., functions from runs to numbers); technically,