The Game of Paxos Technical Report TR-05-24 Harry C. Li, Lorenzo Alvisi, and Allen Clement Abstract We describe two abstractions that show how Lam- port’s Paxos and Castro and Liskov’s PBFT are es- sentially the same consensus protocol, but for differ- ent failure models. The first abstraction is a regular register that captures how processes in both protocols propose and decide values. The second abstraction is tokens that capture how these protocols guaran- tee agreement despite partial failures. Together, the register and tokens provide the abstraction of a write- once regular register, which we claim is an intuitive way to conceptualize Paxos and PBFT. We also point out how details specific to Paxos and PBFT manifest themselves in the implementation of our abstractions. 1 Introduction You find a group of people frantically engaged around a circular table. Intrigued, you edge closer to find that seat belts bind each person into his or her chair. Rather than struggle with their belts, they busily press flashing but- tons on the table. You see the glint of a red token in a lady’s hand, but she quickly inserts the token into a slot and continues pressing buttons. Next, a green sparkle catches your eye and you turn your head in its direction just in time to see a man holding a green token unlock his belt. Your curiosity finally overcomes your caution and you approach the table... The description above captures moments from the Game of Paxos. We use this game to show that Lam- port’s Paxos [7] and Castro and Liskov’s PBFT [2] are the same protocol, but for different failure models. Since solving consensus in an asynchronous system with failures is impossible [4], Paxos gives us the next best thing for crash failures. It guarantees the safety properties of consensus and relies on synchrony only for liveness. PBFT is a state-machine replication pro- tocol for asynchronous systems with Byzantine faults. It demonstrates that Byzantine fault-tolerance can be made practical. At a high-level, these protocols are intuitively simi- lar. They both rely on synchrony only for liveness. In addition, both protocols use leaders to coordinate ac- tions among quorums [3, 10, 11] of processes. While some refer to PBFT as Byzantine Paxos [9], the ex- tent of the similarities between Lamport’s protocol and Castro and Liskov’s is not obvious. It is difficult to characterize these similarities for two main reasons. First, Paxos and PBFT are non- trivial protocols that use message passing over asyn- chronous channels to obtain quorums. The subtleties of the corner cases in such a setting can quickly be- come overwhelming 1 . Second, the most elusive as- pect in these two protocols is in how each guarantees agreement despite leader failures. We provide two in- tuitive abstractions that carve Paxos and PBFT into functionally identical parts that help overcome the above difficulties. Our first abstraction is a register that hides the de- tails of quorum operations. This register has regular consistency semantics [6] with respect to a partial or- der that we define. Processes issue read and write op- erations to this shared register. With a single correct leader, it is easy to see how to guarantee agreement; only the leader writes to the register and the leader writes only one value to the register. Non-leader pro- cesses wait until they read a non-⊥ value, and agree on the value read. Guaranteeing agreement becomes 1 It is a testament to Paxos’s steep learning curve that, to be qualified for a research position, candidates may be required to have at least once tried to understand Paxos by reading the original paper. [13] 1