Stabilization, Safety, and Security of Distributed Systems
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
ISSN 0302-9743 ISSN 1611-3349 (electronic)
Lecture Notes in Computer Science
ISBN 978-3-319-49258-2 ISBN 978-3-319-49259-9 (eBook)
DOI 10.1007/978-3-319-49259-9
Library of Congress Control Number: 2015943848
LNCS Sublibrary: SL1 – Theoretical Computer Science and General Issues
© Springer International Publishing AG 2016
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.
Printed on acid-free paper
This Springer imprint is published by Springer Nature
The registered company is Springer International Publishing AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
The papers in this volume were presented at the 18th International Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS), held November 8–10, 2016, in Lyon, France.

SSS is an international forum for researchers and practitioners in the design and development of distributed systems with self-* properties: self-stabilizing, self-configuring, self-organizing, self-managing, self-healing, self-optimizing, self-adaptive, self-repairing, self-protecting, etc. They mainly aim to tolerate different kinds of undesirable phenomena without human intervention. Research in distributed systems is now at a crucial point in its evolution, marked by the importance of dynamic systems such as peer-to-peer networks, large-scale wireless sensor networks, mobile ad hoc networks, cloud computing, mobile agent computing, opportunistic networks, and robotic networks. Moreover, new applications with self-* requirements are currently coming up in different fields such as grid and Web services, banking and e-commerce, e-health and robotics, aerospace and avionics, automotive, and industrial process control, among others.

SSS started as the Workshop on Self-Stabilizing Systems (WSS), the first two of which were held in Austin in 1989 and in Las Vegas in 1995. Since 1995, the workshop has been held biennially; it was held in Santa Barbara (1997), Austin (1999), and Lisbon (2001). As interest grew and the community expanded, in 2003, the title of the forum was changed to the Symposium on Self-Stabilizing Systems (SSS). SSS was organized in San Francisco in 2003 and in Barcelona in 2005. As SSS broadened its scope and attracted researchers from other communities, significant changes were made in 2006. It became an annual event, and the name of the conference was changed to the International Symposium on Stabilization, Safety, and Security of Distributed Systems (SSS). From then, SSS conferences were held in Dallas (2006), Paris (2007), Detroit (2008), Lyon (2009), New York (2010), Grenoble (2011), Toronto (2012), Osaka (2013), Paderborn (2014), and Edmonton (2015).

This year the Program Committee was organized into three groups reflecting the major trends related to self-* systems: (a) Self-* and Autonomic Computing, (b) Foundations, and (c) Networks, Multi-Agent Systems, and Mobility.

We received 53 submissions from 30 countries. Each submission was reviewed by at least three Program Committee members with the help of external reviewers. Out of the 53 submitted papers, 23 papers were selected for presentation. The symposium also included nine short papers. Selected papers from the symposium will be published in a special issue of Theory of Computing Systems (TOCS) journal. This year, we were very fortunate to have three distinguished invited speakers: Hagit Attiya (Technion, Israel), Joseph Halpern (Cornell University, USA), and Maurice Herlihy (Brown University, USA).

We would like to deeply thank the program vice chairs, Stéphane Devismes, Vijay Garg, Manish Parashar, Yvonne-Anne Pignolet, Sergio Rajsbaum, and Roger Wattenhofer. We sincerely acknowledge the tremendous time and effort that the Program Committee members have put in for the symposium. We are grateful to the external reviewers for their valuable and insightful comments. We also thank the members of the Steering Committee for their invaluable advice. We gratefully acknowledge the publicity chair, Janna Burman, local organization chair, Eddy Caron, and the Organizing Committee members for their time and invaluable effort that greatly contributed to the success of this symposium. Last but not least, on behalf of the Program Committee, we thank all the authors who submitted their work to SSS. Finally, the process of paper submission, selection, and compilation of the proceedings was greatly simplified thanks to the strong and friendly interface of the EasyChair system (http://www.easychair.org).
Franck Petit
Track 1: Self-* and Autonomic Computing
Stéphane Devismes University of Grenoble, France
Manish Parashar Rutgers University, USA
Track 2: Foundations
Track 3: Networks, Multi-Agent Systems, and Mobility
Yvonne Anne Pignolet ABB Corporate Research, Switzerland
Roger Wattenhofer ETH-Zurich, Switzerland
Local Arrangements Chairs
Publicity Committee
Janna Burman (Chair) University of Paris-Sud, France
Webmasters
Daniel Balouek-Thomert ENS de Lyon/NewGeneration-SR, LIP, France
Violaine Villebonnet Inria, LIP, Lyon, France
Program Committee
Self-* and Autonomic Computing
Chairs: Stéphane Devismes and Manish Parashar
Abhishek Chandra University of Minnesota, USA
Sylvie Delaet Université Paris Sud, LRI, France
Swan Dubois Université Pierre et Marie Curie, LIP6, France
Pascal Felber University of Neuchatel, Switzerland
Taisuke Izumi Nagoya Institute of Technology, Japan
Yoonhee Kim Sookmyung Women’s University, South Korea
Alexander Schwarzmann University of Connecticut, USA
Naveen Sharma Rochester Institute of Technology, USA
Rafael Tolosana University of Zaragoza, Spain
Volker Turau Hamburg University of Technology, Germany
Giuseppe Valetto Fondazione Bruno Kessler, Italy
Yukiko Yamauchi Kyushu University, Japan
Franco Zambonelli University of Modena and Reggio Emilia, Italy
Foundations
Chairs: Vijay Garg and Sergio Rajsbaum
Fathiyeh Faghih McMaster University, Canada
Ylies Falcone University of Grenoble, France
Panagiota Fatourou University of Ioannina, Greece
Leszek Gasieniec University of Liverpool, UK
Danny Hendler Ben-Gurion University, Israel
Kishore Kothapalli IIIT Hyderabad, India
Evangelos Kranakis Carleton University, Canada
Hammurabi Mendes University of Rochester, USA
Neeraj Mittal University of Texas Dallas, USA
Achour Mostefaoui University of Nantes, France
David Peleg Weizmann Institute, Israel
Philipp Woelfel University of Calgary, Canada
Networks, Multi-Agent Systems, and Mobility
Chairs: Yvonne Anne Pignolet and Roger Wattenhofer
Michael Borokhovich AT&T, USA
Shiri Chechik Tel Aviv University, Israel
Christian Scheideler University of Paderborn, Germany
Masafumi Yamashita Kyushu University, Japan
Steering Committee
Ajoy K Datta (Chair) University of Nevada, Las Vegas, USA
Shlomi Dolev Ben-Gurion University of the Negev, Israel
Mohamed Gouda National Science Foundation, USA
Toshimitsu Masuzawa Osaka University, Japan
Franck Petit UPMC, Sorbonne Universities, France
Sébastien Tixeuil UPMC, Sorbonne Universities, France
Yavuz Koroglu
Hari Krishnan
Ivan Li
Leader Election in Rings with Bounded Multiplicity (Short Paper) ..... 1
Karine Altisen, Ajoy K. Datta, Stéphane Devismes, Anaïs Durand, and Lawrence L. Larmore
Synchronous Gathering Without Multiplicity Detection: A Certified Algorithm ..... 7
Thibaut Balabonski, Amélie Delga, Lionel Rieg, Sébastien Tixeuil, and Xavier Urbain
On the Power of Oracle Ω? for Self-Stabilizing Leader Election in Population Protocols ..... 20
Joffroy Beauquier, Peva Blanchard, Janna Burman, and Oksana Denysyuk
Self-stabilizing Byzantine-Tolerant Distributed Replicated State Machine ..... 36
Alexander Binun, Thierry Coupaye, Shlomi Dolev, Mohammed Kassi-Lahlou, Marc Lacoste, Alex Palesandro, Reuven Yagel, and Leonid Yankulin
Self-stabilizing Robots in Highly Dynamic Environments ..... 54
Marjorie Bournat, Ajoy K. Datta, and Swan Dubois
Packet Efficient Implementation of the Omega Failure Detector ..... 70
Quentin Bramas, Dianne Foreback, Mikhail Nesterenko, and Sébastien Tixeuil
Probabilistic Asynchronous Arbitrary Pattern Formation (Short Paper) ..... 88
Quentin Bramas and Sébastien Tixeuil
Flocking with Oblivious Robots ..... 94
Davide Canepa, Xavier Defago, Taisuke Izumi, and Maria Potop-Butucaru
Making Local Algorithms Wait-Free: The Case of Ring Coloring ..... 109
Armando Castañeda, Carole Delporte, Hugues Fauconnier, Sergio Rajsbaum, and Michel Raynal
Meta-algorithm to Choose a Good On-Line Prediction (Short Paper) ..... 126
Alexandre Dambreville, Joanna Tomasik, and Johanne Cohen
On-Line Path Computation and Function Placement in SDNs ..... 131
Guy Even, Moti Medina, and Boaz Patt-Shamir
Infinite Unlimited Churn (Short Paper) ..... 148
Dianne Foreback, Mikhail Nesterenko, and Sébastien Tixeuil
Perfect Failure Detection with Very Few Bits ..... 154
Pierre Fraigniaud, Sergio Rajsbaum, Corentin Travers, Petr Kuznetsov, and Thibault Rieutord
Snap-Stabilizing Tasks in Anonymous Networks ..... 170
Emmanuel Godard
Polynomial Silent Self-Stabilizing p-Star Decomposition (Short Paper) ..... 185
Mohammed Haddad, Colette Johnen, and Sven Köhler
Analysis of Computing Policies Using SAT Solvers (Short Paper) ..... 190
Marijn J.H. Heule, Rezwana Reaz, H.B. Acharya, and Mohamed G. Gouda
An Efficient Silent Self-stabilizing 1-Maximal Matching Algorithm Under Distributed Daemon Without Global Identifiers ..... 195
Michiko Inoue, Fukuhito Ooshita, and Sébastien Tixeuil
Self-stabilizing Byzantine Clock Synchronization with Optimal Precision ..... 213
Pankaj Khanchandani and Christoph Lenzen
DecTDMA: A Decentralized-TDMA: With Link Quality Estimation for WSNs ..... 231
Olaf Landsiedel, Thomas Petig, and Elad M. Schiller
Self-stabilizing Metric Graphs ..... 248
Robert Gmyr, Jonas Lefèvre, and Christian Scheideler
Near-Optimal Self-stabilising Counting and Firing Squads ..... 263
Christoph Lenzen and Joel Rybicki
Snap-Stabilizing PIF on Arbitrary Connected Networks in Message Passing Model ..... 281
Florence Levé, Khaled Mohamed, and Vincent Villain
Towards Efficient and Robust BFT Protocols with ER-BFT (Short Paper) ..... 298
Lucas Perronne and Sara Bouchenak
Global Versus Local Computations: Fast Computing with Identifiers (Short Paper) ..... 304
Mikaël Rabie
Automatic Addition of Conflicting Properties ..... 310
Mohammad Roohitavaf and Sandeep S. Kulkarni
Complete Visibility for Robots with Lights in O(1) Time ..... 327
Gokarna Sharma, Ramachandran Vaidyanathan, Jerry L. Trahan, Costas Busch, and Suresh Rai
PSVR - Self-stabilizing Publish/Subscribe Communication for Ad-Hoc Networks (Short Paper) ..... 346
G. Siegemund and V. Turau
Asynchronous Non-Bayesian Learning in the Presence of Crash Failures ..... 352
Lili Su and Nitin H. Vaidya
Robust Multi-agent Optimization: Coping with Byzantine Agents with Input Redundancy ..... 368
Lili Su and Nitin H. Vaidya
Plane Formation by Semi-synchronous Robots in the Three Dimensional Euclidean Space ..... 383
Taichi Uehara, Yukiko Yamauchi, Shuji Kijima, and Masafumi Yamashita
Searching for an Evader in an Unknown Graph by an Optimal Number of Searchers ..... 399
Takahiro Yakami, Yukiko Yamauchi, Shuji Kijima, and Masafumi Yamashita
Wait-Free Solvability of Colorless Tasks in Anonymous Shared-Memory Model ..... 415
Nayuta Yanagisawa
Author Index ..... 431
Leader Election in Rings with Bounded Multiplicity (Short Paper)

Karine Altisen¹, Ajoy K. Datta², Stéphane Devismes¹, Anaïs Durand¹(B), and Lawrence L. Larmore²
¹ Université Grenoble Alpes, Grenoble, France
{karine.altisen,stephane.devismes,anais.durand}@imag.fr
² UNLV, Las Vegas, USA
{ajoy.datta,lawrence.larmore}@unlv.edu

Abstract. We study leader election in unidirectional rings of homonym processes that have no a priori knowledge on the number of processes. We show that message-terminating leader election is impossible for any class of rings K_k with bounded multiplicity k ≥ 2. However, we show that process-terminating leader election is possible in the sub-class U* ∩ K_k, where U* is the class of rings which contain a process with a unique label.
1 Introduction

We consider deterministic leader election in unidirectional rings of homonym processes. The model of homonym processes [1,3] has been introduced as a generalization of the classical fully identified model. Each process has an identifier, called here label, which may not be unique. Let L be the set of labels present in a system of n processes. Then, |L| = 1 (resp., |L| = n) corresponds to the fully anonymous (resp., fully identified) model.

Related Work. Homonyms have been mainly studied for solving the consensus problem in networks where processes are subjected to Byzantine failures [1]. However, Delporte et al. [2] have recently considered the leader election problem in bidirectional rings of homonym processes. They have given a necessary and sufficient condition on the number of distinct labels needed to design a leader election algorithm. Precisely, they show that there exists a deterministic solution for message-terminating (i.e., processes do not terminate but only a finite number of messages are exchanged) leader election on a bidirectional ring if and only if the number of labels is strictly greater than the greatest proper divisor of n. Assuming this condition, they give two algorithms. The first one is message-terminating and does not assume any further extra knowledge. The second one assumes the processes know n, is process-terminating (i.e., every process eventually halts), and is asymptotically optimal in messages. In [3], Dobrev and Pelc investigate a generalization of the process-terminating leader election in both bidirectional and unidirectional rings of homonym processes. In their model, processes a priori know a lower bound m and an upper bound M on the (unknown) number of processes n. They propose algorithms that decide whether the election is possible and perform it, if so. They give synchronous algorithms for bidirectional and unidirectional rings working in time O(M) using O(n log n) messages. They also give an asynchronous algorithm for bidirectional rings that uses O(nM) messages, and show that it is optimal; no time complexity is given.

© Springer International Publishing AG 2016
B. Bonakdarpour and F. Petit (Eds.): SSS 2016, LNCS 10083, pp. 1–6, 2016.
Contribution. We explore the design of process-terminating leader election algorithms in unidirectional rings of homonym processes which, contrary to [2,3], know neither the number of processes n, nor any bound on it. We study two different classes of unidirectional rings with homonym processes, denoted by U* and K_k. U* is the class of all ring networks in which at least one label is unique. K_k is the class of all ring networks where no label occurs more than k times, so k is an upper bound on the multiplicity of the labels. We prove that there are no message-terminating leader elections for any class K_k with k ≥ 2, even though processes know k, since K_k includes symmetric labeled rings. However, we give a process-terminating leader election algorithm for the sub-class U* ∩ K_k. Interestingly, there are labeled rings (e.g., a ring of three processes with labels 1, 2, and 2) for which we can solve process-terminating leader election, whereas it cannot be solved in the model of [2,3].
2 Preliminaries

[…] p_n, operating in an asynchronous message-passing model, where links are FIFO and reliable. p_i can only receive messages from its left neighbor, p_{i−1}, and can only send messages to its right neighbor, p_{i+1}. Subscripts are modulo n.

We assume that each process p has a label, p.id; labels may not be distinct. For any label x in the ring R, let mlty[x] = |{p : p.id = x}|, the multiplicity of x in R. Comparison is the only operator permitted on labels.
Leader Election. An algorithm Alg solves the message-terminating leader election problem, noted MT-LE, in a ring network R if every execution of Alg on R satisfies the following conditions:
1. The execution is finite.
2. Each process p has a Boolean variable p.isLeader s.t. when the execution terminates, L.isLeader is true for a unique process L (i.e., the leader).
3. Every process p has a variable p.leader s.t. when the execution terminates, p.leader = L.id, where L satisfies L.isLeader.

An algorithm Alg solves the process-terminating leader election problem, noted PT-LE, in a ring network R if it solves MT-LE and satisfies the following additional conditions:
4. p.isLeader is initially false and never switched from true to false: each decision of being the leader is irrevocable. Consequently, there should be at most one leader in each configuration.
5. Every process p ∈ R has a Boolean variable p.done, initially false, such that p.done is eventually true for all p, indicating that p knows that the leader has been elected. More precisely, once p.done becomes true, it will never again become false, L.isLeader is equal to true for a unique process L, and p.leader is permanently set to L.id.
6. Every process p eventually halts (local termination decision) after p.done becomes true.

Ring Network Classes. An algorithm Alg is MT-LE (resp., PT-LE) for the class of ring networks ℛ if Alg solves MT-LE (resp., PT-LE) for every network R ∈ ℛ. It is important to note that, for Alg to be MT-LE (resp., PT-LE) for a class ℛ, Alg cannot be given any specific information about the network (such as its cardinality) unless that information holds for all members of ℛ, since we require that Alg works for every R ∈ ℛ without any change in its code.

We consider two main classes of ring networks. U* is the class of all ring networks in which at least one label is unique. K_k is the class of all ring networks such that no label occurs more than k times, where k ≥ 1.
3 Impossibility Result

A labeled ring network R is symmetric if it has a non-trivial rotational symmetry, i.e., there is some integer 0 < d < n such that p_{i+d} and p_i have the same label for all i. In our model, it is straightforward to see that there is no solution to the leader election problem for a symmetric ring. Now, for any k ≥ 2, K_k contains symmetric rings. Hence, the impossibility result follows.
4 Leader Election in U* ∩ K_k

For any k ≥ 2, we give the algorithm U_k that solves PT-LE for the class U* ∩ K_k (see Table 1). U_k always elects the process of minimum unique label to be the leader, namely the process L such that L.id = min {x : mlty[x] = 1}. In U_k, each process p has the following variables.
1. p.id, constant of unspecified label type, the label of p.
2. p.init, Boolean, initially true.
3. p.active, Boolean, which indicates that p is active. If ¬p.active, we say p is passive. Initially, all processes are active, and when U_k is done, the leader is the only active process. A passive process never becomes active.
4. p.cnt, an integer in the range 0..k + 1. Initially, p.cnt = 0. p.cnt will give to p a rough estimate of the frequency of its label in the ring.
5. p.leader, of label type. When U_k is done, p.leader = L.id.
6. p.isLeader, Boolean, initially false, follows the problem specification. Eventually, L.isLeader becomes true and remains true, while, for all p ≠ L, p.isLeader remains false for the entire execution.
7. p.done, Boolean, initially false, follows the problem specification.

U_k uses only one kind of message. Each message is the forwarding of a token which is generated at the initialization of the algorithm, and is of the form ⟨x, c⟩, where x is the label of the originating process, and c is a counter, an integer in the range 0..k + 1, initially zero.
Table 1. Actions of Process p in Algorithm U_k

The fundamental idea of U_k is that a process becomes passive, i.e., is no more candidate for the election, if it receives a message that proves its label is not unique or is not the smallest unique label. Initially, every process initiates a token with its own label and counter zero (see (a)). No tokens are initiated afterwards. The token continually moves around the ring: every time it is forwarded, its counter and the local counter of the process are incremented if the forwarding process has the same label as the token (e.g., Step (a)→(b)). Thus, if the message ⟨x, c⟩ is in a channel, that token was initiated by a process whose label is x, and has been forwarded c times by processes whose labels are also x. The token could also have been forwarded any number of times by processes with labels which are not x. Thus, the counter in a message is a rough estimate of the frequency of its label in the ring.

[Figure: example execution of U_k, Steps (a) to (i); only the end of the caption survives: "... true if there is a star next to the node. The black bubble contains the elected label."]

If a process receives a message whose counter is less than p.cnt, and p.cnt ≥ 1, this proves its label is not unique since its counter grows faster than the one of another label. In this case, p executes Action A4 and becomes passive (e.g., Step (b)→(c)). Similarly, if a process p has a unique label but not the smallest one, it will become passive executing Action A6 when p receives a message with the same non-zero counter but a label lower than p.id (e.g., Step (d)→(e)). In both cases, it happens at the latest when the process receives the message ⟨L.id, 1⟩, i.e., before the second time L receives its own token.

So, after the token of L has made two traversals of the ring, it is the only surviving token (the others are consumed by Action A7) and every process but L is passive. The execution continues until the leader L has seen its own label return to it k + 1 times, otherwise L cannot be sure that what it has seen is not part of a larger ring instead of several rounds of a small ring. Then, L designates itself as leader by Action A9 (see Step (f)→(g)) and its token does a last traversal of the ring to inform the other processes of its election (e.g., Step (g)→(h)). The execution ends when L receives its token after k + 2 traversals (see (i)).
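The following simulation is an added example, not the authors' code: it runs the token-passing scheme just described on small rings. Table 1 is not reproduced on this page, so the rules are reconstructed from the prose (the A4, A6, A7 and A9 labels in the comments follow the text), and the ring labels and the seeded, FIFO-preserving delivery order are constructed inputs.

```python
"""Simulation of algorithm U_k as described in the text above.

Constructed, added example: Table 1 is not on this page, so the rules
are reconstructed from the prose; comments name the actions (A4, A6,
A7, A9) the way the text does.  Rings are given as lists of labels in
ring order; they must belong to U* ∩ K_k for the outcome to be defined.
"""
import random
from collections import deque
from typing import Dict, List, Optional


class Process:
    def __init__(self, label: int) -> None:
        self.id = label             # label, possibly shared with others
        self.init = True            # true until the initial token is sent
        self.active = True          # still a candidate
        self.cnt = 0                # rough estimate of its label's frequency
        self.leader: Optional[int] = None  # elected label, once known
        self.isLeader = False       # irrevocable once set
        self.done = False           # local termination decision


def elect(labels: List[int], k: int, seed: int = 0) -> List[Process]:
    """Run U_k on the unidirectional ring p_0 -> p_1 -> ... -> p_{n-1} -> p_0.

    Each link is a FIFO queue; which link delivers next is chosen at
    random (seeded) to mimic asynchrony.  Tokens cannot overtake each
    other, so the outcome does not depend on the seed.
    """
    n = len(labels)
    procs = [Process(x) for x in labels]
    chan = [deque() for _ in range(n)]      # chan[i]: tokens in flight to p_i
    for i, p in enumerate(procs):           # (a): every process initiates
        chan[(i + 1) % n].append((p.id, 0))  #      one token <id, 0>
        p.init = False
    rng = random.Random(seed)
    while any(chan):
        i = rng.choice([j for j in range(n) if chan[j]])
        p = procs[i]
        x, c = chan[i].popleft()
        if x == p.id:
            if not p.active:
                continue                    # A7: passive p consumes own label
            if c == k + 1:
                p.done = True               # (i): leader's token back after
                continue                    #      k+2 traversals; halt
            c += 1                          # same label: both counters grow
            p.cnt += 1
            if p.cnt == k + 1:              # A9: own label seen k+1 times
                p.isLeader = True
                p.leader = p.id
        elif c == k + 1:                    # final traversal: announcement
            p.leader = x
            p.done = True
        elif p.active and p.cnt >= 1 and c < p.cnt:
            p.active = False                # A4: label is not unique
        elif p.active and c >= 1 and c == p.cnt and x < p.id:
            p.active = False                # A6: unique, but not the smallest
        chan[(i + 1) % n].append((x, c))    # forward the (possibly updated) token
    return procs


def expected_leader(labels: List[int]) -> int:
    """The specification's target: L.id = min{x : mlty[x] = 1}."""
    return min(x for x in labels if labels.count(x) == 1)


def summary(procs: List[Process]) -> Dict[str, object]:
    """Check the PT-LE outcome: one leader, everyone agrees, everyone done,
    and (as the text states) the leader is the only process still active."""
    leaders = [p.id for p in procs if p.isLeader]
    return {
        "leader": leaders[0] if len(leaders) == 1 else None,
        "all_agree": len({p.leader for p in procs}) == 1,
        "all_done": all(p.done for p in procs),
        "leader_only_active": all(p.isLeader == p.active for p in procs),
    }
```

On the ring with labels 1, 2, 2 from the introduction the process labelled 1 is elected, and the two others are passive by the time ⟨1, 1⟩ reaches them, as the text states.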
1. Delporte-Gallet, C., Fauconnier, H., Guerraoui, R., Kermarrec, A., Ruppert, E., Tran-The, H.: Byzantine agreement with homonyms. Distrib. Comput. 26(5–6), 321–340 (2013)
2. Delporte-Gallet, C., Fauconnier, H., Tran-The, H.: Leader election in rings with homonyms. In: Networked Systems - 2nd International Conference, NETYS, pp. 9–24 (2014)
3. Dobrev, S., Pelc, A.: Leader election in rings with nonunique labels. Fundam. Inform. 59(4), 333–347 (2004)
Synchronous Gathering Without Multiplicity Detection: A Certified Algorithm

Thibaut Balabonski³, Amélie Delga²,⁴, Lionel Rieg¹, Sébastien Tixeuil⁴,⁵, and Xavier Urbain²,³(B)
¹ Collège de France, 75006 Paris, France
² École Nat. Sup. d’Informatique Pour l’Industrie et l’Entreprise (ENSIIE), 91025 Évry, France
³ LRI, CNRS UMR 8623, Université Paris-Sud, Université Paris-Saclay, Orsay, France
Xavier.Urbain@lri.fr
⁴ UPMC Sorbonne Universités, LIP6-CNRS 7606, Paris, France
⁵ Institut Universitaire de France, Paris, France

Abstract. In mobile robotic swarms, the gathering problem consists in coordinating all the robots so that in finite time they occupy the same location, not known beforehand. Multiplicity detection refers to the ability to detect that more than one robot can occupy a given position. When the robotic swarm operates synchronously, a well-known result by Cohen and Peleg makes it possible to achieve gathering, provided robots are capable of multiplicity detection.
We present a new algorithm for synchronous gathering, that does not assume that robots are capable of multiplicity detection, nor make any other extra assumption. Unlike previous approaches, our proof of correctness is certified in the model where the protocol is defined, using the Coq proof assistant.
1 Introduction

Networks of mobile robots have captured the attention of the distributed computing community, as they promise new applications (rescue, exploration, surveillance) in potentially dangerous (and harmful) environments. Since its initial presentation [19], this computing model has grown in popularity¹ and many refinements have been proposed (see [14] for a recent state of the art). From a theoretical point of view, the interest lies in characterising the exact conditions for solving a particular task.

A computing model for mobile robots. In the model we consider, robots operate in Look-Compute-Move cycles. In each cycle a robot “Looks” at its surroundings and obtains (in its own coordinate system) a snapshot containing some information about the locations of all robots. Based on this visual information, the robot “Computes” a destination location (still in its own coordinate system) and then “Moves” towards the computed location. When the robots are oblivious, the computed destination in each cycle depends only on the snapshot obtained in the current cycle (and not on the past history of execution). The snapshots obtained by the robots are not necessarily consistently oriented in any manner.

The execution model significantly impacts the solvability of collaborative tasks. Three different levels of synchronisation have been considered. The strongest model [19] is the fully synchronised (FSYNC) model where each stage of each cycle is performed simultaneously by all robots. On the other hand, the asynchronous model [14] (ASYNC) allows arbitrary delays between the Look, Compute and Move stages and the movement itself may take an arbitrary amount of time, possibly a different amount for each robot. In the semi-synchronous (SSYNC) model [19], which lies somewhere between the two extreme models, time is discretised into rounds and in each round an arbitrary subset of the robots are active. The active robots in a round perform exactly one atomic Look-Compute-Move cycle in that round. It is assumed that the scheduler (seen as an adversary) is fair in the sense that it guarantees that in any configuration, any robot is activated within a finite number of steps.

Furthermore, the scheduler has the ability to stop a robot before it has completed its move, provided the robot has already moved by some positive distance δ. Now, if a robot r wants to move by some distance d < δ, once activated by the scheduler, the scheduler then cannot stop r until it completes its movement. The value of δ is unknown to the robots, and is just meant to prevent the scheduler from making them move by infinitely small distances. These stoppable moves are referred to as flexible moves in the remainder of the paper.

¹ The 2016 SIROCCO Prize for Innovation in Distributed Computing was awarded to Masafumi Yamashita for this line of work.

© Springer International Publishing AG 2016
B. Bonakdarpour and F. Petit (Eds.): SSS 2016, LNCS 10083, pp. 7–19, 2016.
The gathering problem. The gathering problem is one of the benchmarking tasks in mobile robot networks, and has received a considerable amount of attention (see [14] and references herein). The gathering task consists in making all robots (considered as dimensionless points in a two dimensional Euclidean space) reach a single point, not known beforehand, in finite time. A foundational result [19] shows that in the SSYNC model, no oblivious deterministic algorithm can solve gathering for two robots². This result can be extended [11] to the bivalent case, that is, when an even number of robots is initially evenly split in exactly two locations. In general, without extra assumptions in the execution model (e.g. a common coordinate system, persistent memory, the ability to detect multiple robots at a given location, use of probabilistic variables, etc.), it is impossible to solve gathering [16] for any set of at least two robots in the SSYNC model. As all possible executions in SSYNC are also possible in ASYNC, those impossibilities also hold in ASYNC. Hence, the only possibility to solve gathering without extra assumptions is to consider the FSYNC model.

Cohen and Peleg [9] proposed the center of gravity (a.k.a. CoG) algorithm (the robots aim for the location that is the barycenter of all observed robot locations) for the purpose of convergence (a weaker requirement than gathering, which mandates robots to reach locations that are arbitrarily close to one another) in the SSYNC model. They demonstrate that for the FSYNC model, robots actually solve gathering since they eventually all become closer than δ from the barycenter, and hence all reach it in the next round.

However, the CoG algorithm does not prevent more than one robot to occupy the exact same location before gathering, even if they start from distinct locations. For example, consider two robots r1 and r2 aligned toward the barycenter at some round, at distances d1 and d2 (d1 < d2) that are both greater than δ, respectively. Then, the scheduler stops r1 after δ and r2 at the same location. Robots r1 and r2 now occupy the same location. One immediate consequence of this observation is that in the next round, to compute the barycenter, observing robots must take into account both r1 and r2. That is, using the CoG algorithm, robots must make use of multiplicity detection, i.e., be able to detect how many robots occupy simultaneously a given location.

Overall, the question of gathering feasibility in FSYNC without multiplicity detection (nor any other additional assumption) remained open.

² http://pactole.lri.fr/pub/cffg2d/html/Pactole.Gathering.InR.Impossibility.html
Formal methods for mobile robots. Designing and proving mobile robot protocols is notoriously difficult. Formal methods encompass a long-lasting path of research that is meant to overcome errors of human origin. Not surprisingly, this mechanised approach to protocol correctness was successively used in the context of mobile robots [2,3,5,6,11,13,15,17].

Model-checking proved useful to find bugs in existing literature [3] and assess formally published algorithms [3,13,17], in a simpler setting where robots evolve in a discrete space where the number of possible locations is finite. Automatic program synthesis (for the problem of perpetual exclusive exploration in a ring-shaped discrete space) is due to Bonnet et al. [5], and can be used to obtain automatically algorithms that are “correct-by-design”. The approach was refined by Millet et al. [15] for the problem of gathering in a discrete ring network. As all aforementioned approaches are designed for a discrete setting where both the number of locations and the number of robots are known, they cannot be used in the continuous space where the robots locations take values in a set that is not enumerable, and they cannot permit to establish results that are valid for any number of robots.

The use of a mechanical proof assistant like Coq³ allows for more genericity as this approach is not limited to particular instances of algorithms. Recent uses of Coq in Distributed Computing include that of Castéran et al. [7], who use Coq and their library Loco to prove positive and negative results about subclasses of LC systems, and that of Altisen et al. [1], who provide a Coq framework to study self-stabilizing algorithms.

Developed for the Coq proof assistant,⁴ the Pactole⁵ framework enabled the use of high-order logic to certify impossibility results [2] for the problem of convergence: for any positive ε, robots are required to reach locations that are at most ε apart. Another classical impossibility result that was certified using the Pactole framework is the impossibility of gathering starting from a bivalent configuration [11]. Recently, positive certified results for SSYNC gathering with multiplicity detection were provided by Courtieu et al. [12].

³ http://coq.inria.fr.
⁴ http://coq.inria.fr.
⁵ Available at http://pactole.lri.fr.
Our contribution. We propose a protocol for oblivious mobile robot gathering in FSYNC that does not require multiplicity detection (nor any other extra assumption). Our protocol, called CoGiL (for Center of Gravity of inhabited Locations), is derived from CoG as follows: robots aim at the barycenter of observed occupied locations (that is, without considering how many robots occupy a given location). We also present a proof of correctness for our CoGiL protocol.
Unlike previous approaches, our proof is certified in the model where the protocol is defined, using the Coq proof assistant. Throughout this paper, links to the Coq development are italicised in the footnotes. The sources package is available at http://pactole.lri.fr, as well as its online html documentation.
Roadmap. Section 2 describes our formal framework, while our case study is developed in Sect. 3. Section 4 gives some insights about the benefits of our methodology for mobile robot protocol design.
2 A Formal Model to Prove Robot Protocols
To certify results and to guarantee the soundness of theorems, we use Coq, a Curry-Howard-based interactive proof assistant enjoying a trustworthy kernel. The (functional) language of Coq is a very expressive λ-calculus: the Calculus of Inductive Constructions (CIC) [10]. In this context, datatypes, objects, algorithms, theorems and proofs can be expressed in a unified way, as terms. The reader will find in [4] a very comprehensive overview and good practices with reference to Coq. Developing a proof in a proof assistant may nonetheless be tedious, or require expertise from the user. To make this task easier, we are actively developing (under the name Pactole) a formal model, as well as lemmas and theorems, to specify and certify results about networks of autonomous mobile robots. It is designed to be robust and flexible enough to express most of the variety of assumptions in robot networks, for example with reference to the considered space: discrete or continuous, bounded or unbounded.
We do not expect the reader to be an expert in Coq, but of course the specification of a model for mobile robots in Coq requires some knowledge of the proof assistant. We want to stress that the framework eases the developer’s task. The notations and definitions we give hereafter should simply be read as typed functional expressions.
The Pactole model has been sketched in [2,11]; we recall here its main characteristics.
We use two important features of Coq: a formalism of higher-order logic to quantify over programs, demons, etc., and the possibility to define inductive and coinductive types [18] to express inductive and coinductive datatypes and properties. Coinductive types are in particular of invaluable help to express infinite behaviours, infinite datatypes and properties on them, as we shall see with demons.
Robots⁶ are anonymous; however, we need to identify some of them in the proofs. Thus, we consider given a finite set of identifiers, isomorphic to a segment of ℕ. We hereafter omit this set G unless it is necessary to characterise the number of robots. Robots are distributed in space, at places called locations. We call a configuration⁷ a function from the set of identifiers to the space of locations. From that definition, there is information about identifiers contained in configurations; notably, equality between configurations does not boil down to the equality of the multisets of inhabited locations.
Under the assumption that robots are anonymous and indistinguishable, we have to make sure that the embedded algorithm does not make use of those identifiers.
Spectrum.⁸ The computation of any robot’s target location is based on the perception they get from their environment, that is, in an FSYNC execution scheme, from a configuration. The result of this observation may be more or less accurate, depending on sensors’ capabilities. A robot’s perception of a configuration is called a spectrum. To allow for different assumptions to be studied, we leave abstract the type spectrum (Spect.t) and the notion of spectrum of a location. Robograms, representing protocols, will then output a location when given a spectrum (instead of a configuration), thus guaranteeing that assumptions over sensors are fulfilled. For instance, the spectrum for anonymous robots with strong global multiplicity detection (this capacity refers to the ability to count exactly how many robots occupy any observed location) could be the multiset of inhabited locations. In a setting where robots do not enjoy the detection of multiplicity and just know if a location is inhabited or not, the set of inhabited locations is a suitable spectrum.
In the following we will distinguish a demon configuration (resp. spectrum), expressed in the global frame of reference, from a robot configuration (resp. spectrum), expressed in the robot’s own frame of reference. At each step of the distributed protocol the demon configuration and spectrum are transformed (recentered, mirrored, rotated, and scaled) into the considered robot’s ones before being given as parameters to the robogram. Depending on assumptions, zoom and rotation factors may be constant or chosen by the demon at each step, shared by all robots or not, etc.
Demon for flexible movements. As moves under consideration are flexible, robots either reach their goal when it is at most at a certain absolute distance δ, or travel at least δ towards their goal, stopping at an arbitrary location (possibly the computed goal). Rounds⁹ in this FSYNC setting are thus characterised by each of the oblivious robots getting both its new frame of reference, and the ratio of its actual movement over its computed destination. We call demonic action this operation together with the logical properties ensuring, for example, that new frames of reference make sense, and that the provided ratio belongs to the [0, 1] interval. Demons are streams of demonic actions. As such, they are naturally defined in Coq as a coinductive construct. Synchrony constraints (e.g. fairness) may be defined as coinductive properties.
6 http://pactole.lri.fr/pub/cffg2d/html/Pactole.Robots.html#Robots.
7 http://pactole.lri.fr/pub/cffg2d/html/Pactole.Configurations.html#Configuration.
8 http://pactole.lri.fr/pub/cffg2d/html/Pactole.Configurations.html#Spectrum.
Robogram. Robograms¹⁰ may be naturally defined in a completely abstract manner, without any concrete code, in our Coq model. They consist of an actual algorithm pgm that represents the considered protocol and that takes a spectrum as input and returns a location, and a compatibility property pgm_compat stating that target locations are the same if equivalent spectra are given (for some equivalence on spectra):
    {pgm :> Spect.t → Location.t;
     pgm_compat : Proper (Spect.eq ==> Location.eq) pgm}
Execution of a round. The actual location of arrival for a robot is determined by the protocol, which computes a local target from the perceived spectrum, and the demon-provided ratio which is applied to the local target to obtain a chosen target. If the distance between the robot’s original location and its chosen target is more than δ then the robot stops at the chosen target, otherwise it reaches its protocol-computed destination (local target). This concise way of proceeding ensures that either the protocol-computed destination is reached or at least δ is travelled.
3 Center of Gravity Algorithms
Notations. In the sequel, we denote by: C a configuration, C(r) the location of robot r in configuration C, and $S_C$ the global spectrum associated to C.
9 http://pactole.lri.fr/pub/cffg2d/html/Pactole.FlexibleFormalism.html.
10 http://pactole.lri.fr/pub/cffg2d/html/Pactole.CommonFormalism.html#Sig.robogram.
3.1 Center of Gravity Algorithms Variants
Cohen and Peleg [8,9] define the CoG algorithm as depicted in Algorithm 1. A robot simply moves toward the center of gravity of all robot locations. Since robots may occupy the same location in space, the proper calculation of the center of gravity implies that the robots are capable of strong global multiplicity detection: for each inhabited location, the robots can count the number of robots on that location.
Algorithm 1 Protocol CoG (for Robot r in Configuration C)
Move toward the centre of gravity of robot locations $c_{pos} = \frac{1}{|C|} \times \sum_{r \in C} C(r)$
We define the CoGiL algorithm in Algorithm 2. Here, we do not assume that robots are capable of multiplicity detection, so robots simply move toward the center of gravity of inhabited locations. Note that the number of those inhabited locations is not necessarily monotonically decreasing.
Algorithm 2 Protocol CoGiL (for Robot r in Configuration C)
Move toward the centre of gravity of inhabited locations $c_{pos} = \frac{1}{|S_C|} \times \sum_{p \in S_C} p$
Although CoGiL is extremely similar to CoG, proving its correctness is not. For example, Cohen and Peleg [8] first used in the conference version of their paper moments of inertia as a monotonically decreasing measure to prove the convergence of CoG:
$$I(q) = \frac{1}{|C|} \times \sum_{r \in C} \|C(r) - q\|^2$$
Expressing this measure with the observed spectrum gives:
$$I(q) = \frac{1}{|S_C|} \times \sum_{p \in S_C} \|p - q\|^2$$
Now, without strong global multiplicity detection, it is possible that this measure is not monotonically decreasing for $c_{pos}$. For example, consider four robots in a one-dimensional metric space, located at locations 0, 17, 18, 19. The center of gravity of the inhabited locations $c_{pos}$ is at 13.5 and $I(c_{pos}) = 61.25$. Now, consider that δ = 0.1. A possible following configuration is that the robot on 0 has moved by δ toward $c_{pos}$ and the others have stopped at location 16.9. The center of gravity of the inhabited locations $c_{pos}$ is now at 8.5, and $I(c_{pos}) = 70.56$, which is strictly greater than its previous value. So, the proof argument appearing in Cohen and Peleg’s conference paper [8] does not extend to the case without global strong multiplicity detection.
Fortunately, the underlying idea of the proof appearing in the journal version of Cohen and Peleg [9] can be extended to the case without multiplicity detection. We thus construct our certified proof along the main arguments of theirs.
Gathering in the context of flexible movements. A way to state Gathering and Convergence has been already described in [2,11]. Those definitions take place in a context where movements are rigid, and thus the specification of what a solution to Gathering is has to be generalised for the case of flexible movements. We name gathered_at pt the property of a configuration the robots of which are all gathered at¹¹ the same location pt. We say that a location pt and an execution enjoy the property Gather if all robots are gathered at pt for all rounds of the (infinite) execution:
    Streams.forever (Streams.instant (gathered_at pt)) e
WillGather pt e means that the (infinite) execution e is eventually Gathered for pt. That is: there is a (finitely) reachable instant in e for which pt and what remains of e fulfils Gather. A full solution to Gathering¹² is then stated as:
    ∀ config, ∃ pt : Loc.t, WillGather pt (execute δ r d config).
11 http://pactole.lri.fr/pub/cffg2d/html/Pactole.Gathering.FlexDefinitions.html#FlexGatheringDefs.gathered_at
12 http://pactole.lri.fr/pub/cffg2d/html/Pactole.Gathering.FlexDefinitions.html#FlexGatheringDefs.FullSolGathering
Expressing the protocol in Pactole. The space of locations is ℝ² and its type is R2.t in the following. Writing the algorithm is straightforward in our framework, and the Coq implementation is almost exactly an actual robot code. Let ffgatherR2_pgm denote the code of the algorithm¹³, which takes a spectrum as an input and returns a location, and let ffgatherR2 denote the robogram, that is the code and its properties (invariance through equivalent spectra):
    let spect := Spect.M.elements s in
    | _ :: _ :: _ ⇒ barycenter spect
    end
The function computing the barycenter¹⁴ is simply:
    1 / (INR (List.length E)) * (List.fold_left R2.add E R2.origin)
where INR injects a natural number into reals.
The robogram can be expressed in the demon’s frame of reference. The input spectrum given to the code above is expressed in the robot’s frame of reference (it is a local code). As noticed in [12], we establish explicitly and formally that it is sufficient to reason about the protocol in the frame of reference of the demon. The geometrical concepts in use in the protocol are invariant under the changes of frame that are allowed: scaling, rotation, symmetry and translation, hence we can express the global configuration after one round without making reference to the frames of each robot¹⁵ (Lemma round_simplify).
Eventually no-one moves. The main difficulty is to establish that after a finite number of steps, no robot will change its location. This amounts to finding a measure that decreases for a well-founded ordering along with the execution. To this goal, we consider the maximal distance¹⁶ dm(C) between any two robots in a configuration C:
    max_dist_spect (spectrum_of conf)
13 http://pactole.lri.fr/pub/cffg2d/html/Pactole.Gathering.InR2.
16 http://pactole.lri.fr/pub/cffg2d/html/Pactole.Gathering.InR2.FSyncFlexNoMultAlgorithm.html#GatheringinR2.max_dist_spect_ex
If this distance is less than δ then after one step all robots are gathered and we are done (Theorem round_last_step¹⁷). If not, we prove that if a configuration C1 is obtained after one round from a configuration C0 such that dm(C0) > δ, then dm(C1) ≤ dm(C0) − δ. This part is established through Theorem round_lt_config:¹⁸
    Theorem round_lt_config: ∀ d conf δ, δ > 0
      → FullySynchronous d
      → δ ≤ measure conf
      → measure (round δ ffgatherR2 (head d) conf) ≤ measure conf - δ.
We may then take as a relevant indication for a configuration C the natural number $m(C) = \lceil dm(C)/\delta \rceil$ and define accordingly the ordering we use:
    (Z.to_nat (up (measure x / δ))) < (Z.to_nat (up (measure y / δ))).
which is well-founded over the naturals.
The crucial step is to prove that for any two inhabited locations p1 and q1 in C1, ‖p1 − q1‖ ≤ dm(C0) − δ. Let us denote by b the location of the barycenter of inhabited locations in C0. As locations p1 and q1 are inhabited in C1, we can assume that some robots P and Q occupying them in C1 were previously in C0 at respectively p0 and q0. Now let us perform a case analysis on whether ‖p0 − b‖ and ‖q0 − b‖ are greater than or equal to δ; the only interesting case is the non-degenerate one where both are greater. In this case, P and Q move towards b, and in particular p1 = p0 + κ × (b − p0) and q1 = q0 + μ × (b − q0) for κ, μ ∈ [0, 1]. Let us suppose κ ≤ μ (the other case is symmetrical), then ‖p1 − q1‖ = ‖(p0 + κ × (b − p0)) − (q0 + μ × (b − q0))‖ ≤ (1 − κ) × dm(C0) ≤ dm(C0) − δ by Thales’s Basic Proportionality Theorem and since the distance from any robot to b, the barycenter of locations, is less than or equal to dm(C0). This argument can be trusted as it is formally certified in our mechanical framework.
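The flexible-move round of Sect. 2, the moment-of-inertia counterexample of Sect. 3.1 and the dm(C) argument just above, played out in an added Python model that is not code from the paper or from the Pactole development. It assumes a one-dimensional space, robots identified by list indices, exact fractions for positions, and a demon modelled as a function returning each robot's ratio; the configurations are constructed.

```python
# Added example, not code from the paper or from Pactole: CoGiL on a 1-D line
# with flexible moves, in exact arithmetic.  Assumed here: robots are list
# indices, the spectrum without multiplicity detection is the *set* of inhabited
# positions, and the demon is a function (robot id, pos, target) -> ratio.
from fractions import Fraction
from math import ceil
from typing import Callable, Iterable, List, Set, Tuple

Config = List[Fraction]
Demon = Callable[[int, Fraction, Fraction], Fraction]
DELTA = Fraction(1, 10)                                   # the paper's delta = 0.1
EXAMPLE_CONF = [Fraction(x) for x in (0, 17, 18, 19)]    # constructed configuration

def spectrum(conf: Config) -> Set[Fraction]:
    """Spectrum without multiplicity detection: inhabited locations, no counts."""
    return set(conf)

def barycenter(points: Iterable[Fraction]) -> Fraction:
    """Center of gravity of a finite collection of points."""
    pts = list(points)
    return sum(pts, Fraction(0)) / len(pts)

def cogil_pgm(spect: Set[Fraction]) -> Fraction:
    """The CoGiL robogram: target = barycenter of the inhabited locations."""
    return barycenter(spect)

def inertia(conf: Config, q: Fraction) -> Fraction:
    """Moment of inertia I(q) of the observed spectrum (Sect. 3.1)."""
    pts = list(spectrum(conf))
    return sum((p - q) ** 2 for p in pts) / len(pts)

def dm(conf: Config) -> Fraction:
    """Maximal distance between any two robots: the proof's measure dm(C)."""
    return max(conf) - min(conf)

def round_flex(conf: Config, delta: Fraction, demon: Demon) -> Config:
    """One FSYNC round with flexible moves.  Every robot computes the same target
    (the protocol is frame-invariant, so we reason in the demon's frame); the
    demon scales the move by a ratio in [0, 1]; a robot stops at the chosen
    point if it travelled at least delta, otherwise it reaches the target."""
    target = cogil_pgm(spectrum(conf))
    new_conf = []
    for r, pos in enumerate(conf):
        rho = demon(r, pos, target)
        assert 0 <= rho <= 1, "a demonic action must provide a ratio in [0, 1]"
        chosen = pos + rho * (target - pos)
        new_conf.append(chosen if abs(chosen - pos) >= delta else target)
    return new_conf

def gathered(conf: Config) -> bool:
    """gathered_at: every robot occupies the same location."""
    return len(spectrum(conf)) == 1

def execute(conf: Config, delta: Fraction, demon: Demon) -> Tuple[int, bool]:
    """Run rounds until gathered.  Returns (rounds, ok): ok records that
    dm(C1) <= dm(C0) - delta held whenever dm(C0) > delta (round_lt_config) and
    that a round started with dm(C0) <= delta gathered everybody (round_last_step).
    The loop is bounded by the well-founded measure m(C) = ceil(dm(C) / delta)."""
    rounds, ok = 0, True
    bound = ceil(dm(conf) / delta)
    while not gathered(conf) and rounds <= bound:
        nxt = round_flex(conf, delta, demon)
        if dm(conf) > delta:
            ok = ok and dm(nxt) <= dm(conf) - delta
        else:
            ok = ok and gathered(nxt)
        conf, rounds = nxt, rounds + 1
    return rounds, ok and gathered(conf)

def halving_demon(r: int, pos: Fraction, target: Fraction) -> Fraction:
    """Demon letting every robot cover half of its computed move."""
    return Fraction(1, 2)

def full_move_demon(r: int, pos: Fraction, target: Fraction) -> Fraction:
    """Demon letting every robot reach its computed target (rigid moves)."""
    return Fraction(1)

def ratio_to_stop(pos: Fraction, target: Fraction, stop: Fraction) -> Fraction:
    """Ratio making a robot at pos stop exactly at stop on its way to target."""
    return (stop - pos) / (target - pos)

def inertia_counterexample(delta: Fraction = DELTA) -> Tuple[Fraction, Fraction, Config]:
    """The paper's counterexample: robots at 0, 17, 18, 19; the robot at 0 moves
    by delta, the others stop at 16.9.  Returns I(c_pos) before and after the
    round, and the new configuration (dm still shrinks by more than delta)."""
    stops = {0: Fraction(1, 10)}  # every other robot stops at 16.9

    def demon(r: int, pos: Fraction, target: Fraction) -> Fraction:
        return ratio_to_stop(pos, target, stops.get(r, Fraction(169, 10)))

    conf1 = round_flex(EXAMPLE_CONF, delta, demon)
    before = inertia(EXAMPLE_CONF, cogil_pgm(spectrum(EXAMPLE_CONF)))
    after = inertia(conf1, cogil_pgm(spectrum(conf1)))
    return before, after, conf1
```

The inertia goes up from 61.25 to 70.56 while dm(C) drops from 19 to 16.8, which is exactly why the certified proof measures dm(C) rather than I(q).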
Robots stay gathered forever. As there is only one phase in the algorithm, the computed target is always the barycenter of the inhabited locations, which is the same for all robots. We need however technical lemmas to complete the final proof. Firstly, that when robots are gathered, they will stay forever at the same location, namely:¹⁹
    → Gather pt (execute δ ffgatherR2 d conf).
17 http://pactole.lri.fr/pub/cffg2d/html/Pactole.Gathering.InR2.FSyncFlexNoMultAlgorithm.html#GatheringinR2.round_last_step.
18 http://pactole.lri.fr/pub/cffg2d/html/Pactole.Gathering.InR2.FSyncFlexNoMultAlgorithm.html#GatheringinR2.round_lt_config.
19 http://pactole.lri.fr/pub/cffg2d/html/Pactole.Gathering.InR2.FSyncFlexNoMultAlgorithm.html#GatheringinR2.gathered_at_OK
The counterpart is that a robot that is not at the barycenter of inhabited locations will actually move (that is, it will change its location):²⁰
    → FullySynchronous d
    → ¬ R2.eq (conf gid) (barycenter (Spect.M.elements (!! conf)))
    → ¬ R2.eq (round δ ffgatherR2 (Streams.hd d) conf gid) (conf gid)
We are now ready to tackle the final proof. The final theorem²¹ states that for all positive δ, the robogram ffgatherR2 is a solution to the gathering problem in FSYNC.
4 Discussion and Perspectives
We presented the first FSYNC gathering protocol, CoGiL, that does not require robots to be capable of multiplicity detection (nor any other extra assumptions), closing the only remaining open case in Prencipe’s set of impossibility results [16]. We advocate that proofs for even small variants of oblivious mobile robot protocols (such as CoGiL, which is a minor variant of Cohen and Peleg’s CoG protocol) should be thoroughly checked from the beginning, using mechanised support such as a proof assistant. This methodology enabled the possibility to present a proof for our protocol, whose correctness can be certified.
We want to stress that, even if the actual development of a formal proof remains a difficult task, the specifications of properties and protocols in our framework do not require a strong expertise with the Coq proof assistant. As an illustration, many of the specifications appearing in this paper, most notably the specification of the actual protocol, were developed by one of the authors while a M1-level trainee (first year master, Bologna process).
We believe a thorough revision of other results in the context of oblivious mobile robots will lay a solid foundation for further research advances. Thanks to the collaborative effort of the Pactole framework, reuse of previous achievements is facilitated and encouraged.
Acknowledgements. The authors are grateful to the reviewers who provided constructive comments and helped to improve the presentation of this work.
20 http://pactole.lri.fr/pub/cffg2d/html/Pactole.Gathering.InR2.FSyncFlexNoMultAlgorithm.html#GatheringinR2.not_barycenter_moves.
21 http://pactole.lri.fr/pub/cffg2d/html/Pactole.Gathering.InR2.FSyncFlexNoMultAlgorithm.html#GatheringinR2.FSGathering_in_R2
A Axioms of the Formalisation
In the main file FSyncFlexNoMultAlgorithm.v, the last command:
    Print Assumptions Gathering_in_R2
shows all the axioms upon which the proof of correctness of our algorithm for gathering in ℝ² relies, in total 31 axioms. Here, we break them down. They can be classified in three categories:
– The first category is the axiomatisation of real numbers from the Coq standard library. It is by far the biggest number of axioms, and they are not listed here.
– The second category is the description of the problem:
    nG : nat
    Hyp_nG : 2 ≤ nG
As one can see, it simply means that our proof is valid for any number nG of robots greater than or equal to 2. Notice that with one robot or less, the problem is not interesting (trivially solved).
– The third category contains usual geometric properties that are not part of our library: firstly some properties about barycenters that we think could be provable from its axiomatisation but are currently left as axioms, that the barycenter is unique and the result of the function computing the barycenter
    similarity_in_R2 : ∀ sim : Sim.t, ∃ u v t : R2.t,
      R2norm u = Sim.zoom sim
      ∧ R2norm v = Sim.zoom sim ∧ perpendicular u v ∧ (∀ pt :
2. Auger, C., Bouzid, Z., Courtieu, P., Tixeuil, S., Urbain, X.: Certified impossibility results for byzantine-tolerant mobile robots. In: Higashino, T., Katayama, Y., Masuzawa, T., Potop-Butucaru, M., Yamashita, M. (eds.) SSS 2013. LNCS, vol. 8255, pp. 178–190. Springer, Heidelberg (2013). doi:10.1007/978-3-319-03089-0_13
3. Bérard, B., Lafourcade, P., Millet, L., Potop-Butucaru, M., Thierry-Mieg, Y., Tixeuil, S.: Formal verification of mobile robot protocols. Distributed Computing (2016)
4. Bertot, Y., Castéran, P.: Interactive Theorem Proving and Program Development. Coq’Art: The Calculus of Inductive Constructions. Texts in Theoretical Computer Science. Springer (2004)
5. Bonnet, F., Défago, X., Petit, F., Potop-Butucaru, M., Tixeuil, S.: Discovering and assessing fine-grained metrics in robot networks protocols. In: 33rd IEEE International Symposium on Reliable Distributed Systems Workshops, SRDS Workshops, Nara, Japan, 6–9 October, pp. 50–59. IEEE (2014)
6. Bérard, B., Courtieu, P., Millet, L., Potop-Butucaru, M., Rieg, L., Sznajder, N., Tixeuil, S., Urbain, X.: Formal methods for mobile robots: current results and open problems. Int. J. Inf. Soc. 7(3), 101–114 (2015). Invited Paper
7. Castéran, P., Filou, V.: Tasks, types and tactics for local computation systems. Stud. Inform. Univ. 9(1), 39–86 (2011)
8. Cohen, R., Peleg, D.: Robot convergence via center-of-gravity algorithms. In: Kráľovič, R., Sýkora, O. (eds.) SIROCCO 2004. LNCS, vol. 3104, pp. 79–88. Springer, Heidelberg (2004). doi:10.1007/978-3-540-27796-5_8
9. Cohen, R., Peleg, D.: Convergence properties of the gravitational algorithm in asynchronous robot systems. SIAM J. Comput. 34(6), 1516–1528 (2005)
10. Coquand, T., Paulin, C.: Inductively defined types. In: Martin-Löf, P., Mints, G. (eds.) COLOG 1988. LNCS, vol. 417, pp. 50–66. Springer, Heidelberg (1990). doi:10.1007/3-540-52335-9_47
11. Courtieu, P., Rieg, L., Tixeuil, S., Urbain, X.: Impossibility of gathering, a certification. Inf. Process. Lett. 115, 447–452 (2015)
12. Courtieu, P., Rieg, L., Tixeuil, S., Urbain, X.: Certified universal gathering in R2 for oblivious mobile robots. In: Gavoille, C., Ilcinkas, D. (eds.) DISC 2016. LNCS, vol. 9888, pp. 187–200. Springer, Heidelberg (2016). doi:10.1007/978-3-662-53426-7_14
13. Devismes, S., Lamani, A., Petit, F., Raymond, P., Tixeuil, S.: Optimal grid exploration by asynchronous oblivious robots. In: Richa, A.W., Scheideler, C. (eds.) SSS 2012. LNCS, vol. 7596, pp. 64–76. Springer, Heidelberg (2012). doi:10.1007/978-3-642-33536-5_7
14. Flocchini, P., Prencipe, G., Santoro, N.: Distributed Computing by Oblivious Mobile Robots. Synthesis Lectures on Distributed Computing Theory. Morgan & Claypool Publishers (2012)
15. Millet, L., Potop-Butucaru, M., Sznajder, N., Tixeuil, S.: On the synthesis of mobile robots algorithms: the case of ring gathering. In: Felber, P., Garg, V. (eds.) SSS 2014. LNCS, vol. 8756, pp. 237–251. Springer, Heidelberg (2014). doi:10.1007/978-3-319-11764-5_17
16. Prencipe, G.: Impossibility of gathering by a set of autonomous mobile robots. Theoret. Comput. Sci. 384(2–3), 222–231 (2007)
17. Aminof, B., Murano, A., Rubin, S., Zuleger, F.: Verification of asynchronous mobile-robots in partially-known environments. In: Chen, Q., Torroni, P., Villata, S., Hsu, J., Omicini, A. (eds.) PRIMA 2015. LNCS (LNAI), vol. 9387, pp. 185–200. Springer, Heidelberg (2015). doi:10.1007/978-3-319-25524-8_12
18. Sangiorgi, D.: Introduction to Bisimulation and Coinduction. Cambridge University Press (2012)
19. Suzuki, I., Yamashita, M.: Distributed anonymous mobile robots: formation of geometric patterns. SIAM J. Comput. 28(4), 1347–1363 (1999)
On the Power of Oracle Ω? for Self-Stabilizing Leader Election in Population Protocols
Joffroy Beauquier¹, Peva Blanchard², Janna Burman¹(B), and Oksana Denysyuk³
1 LRI, Université Paris-Sud, Orsay, France
{beauquier,burman}@lri.fr
2 LPD, EPFL, Lausanne, Switzerland
peva.blanchard@epfl.ch
3 University of Calgary, Calgary, Canada
Abstract. This paper considers the fundamental problem of self-stabilizing leader election (SSLE) in the model of population protocols. In this model an unknown number of asynchronous, anonymous and finite state mobile agents interact in pairs. SSLE has been shown to be impossible in this model without additional assumptions. This impossibility can be circumvented for instance by augmenting the system with an oracle (an external module providing supplementary information useful to solve a problem). Fischer and Jiang have proposed solutions to SSLE, for complete communication graphs and rings, using the oracle Ω?, called the eventual leader detector. In this paper, we investigate the power of Ω? on larger families of graphs. We present two important results. Our first result states that Ω? is powerful enough to allow solving SSLE over arbitrary communication graphs of bounded degree. Our second result states that Ω? is the weakest (in the sense of Chandra, Hadzilacos and Toueg) for solving SSLE over rings. We also prove that this result does not extend to all graphs; in particular not to the family of arbitrary graphs of bounded degree.
Keywords: Networks of mobile agents · Population protocols · Self-stabilization · Leader election · Oracles
© Springer International Publishing AG 2016
B. Bonakdarpour and F. Petit (Eds.): SSS 2016, LNCS 10083, pp. 20–35, 2016.
1 Introduction
There are fundamental problems in distributed computing that are subject to impossibility results. The impossibility can be related to the system asynchrony, limited resources, the presence of failures, their type, or other general conditions. For instance, the consensus problem has been shown to be impossible in asynchronous systems even with only one crash fault [19]. An elegant approach for circumventing the impossibility of consensus is the abstraction known as failure detectors introduced by Chandra and Toueg [14]. A failure detector can be viewed as an oracle, which provides to the system nodes supplementary information about failures allowing to solve a given problem. A fundamental issue is to determine the oracle providing the minimum amount of information for solving the problem. Among the different failure detectors proposed to solve consensus in the conventional asynchronous communication model, the eventual leader elector Ω has been proven to be the weakest [13]. Informally, that means that it supplies the minimum supplementary information necessary to obtain a solution.
In this work, we consider a very basic communication model called population protocols. It has been introduced as a model for large networks of tiny, anonymous and asynchronous mobile agents communicating in pairs [1]. The network has an unbounded but finite population of agents, each with only O(1) states, implying that the size of the population is unknown to the agents. With such minimal assumptions, the impossibility results are not a surprise. For example, consensus is impossible in such a model even without any crash failure [7]. Another impossibility concerns a problem called self-stabilizing leader election (SSLE), which consists in electing a leader (a distinguishable agent) in a self-stabilizing way. Self-stabilization [17] is a framework for dealing with transient state-corrupting faults and can be viewed as allowing the system to start from an arbitrary configuration. In this work, we focus on this fundamental problem SSLE that is shown to be impossible in many different cases [4,5,18].
The eventual leader elector Ω of Chandra and Toueg and other classical failure detectors cannot be used with population protocols, because they assume that the network nodes have unique identifiers, unavailable to anonymous bounded state agents in population protocols. Many other previous oracles, like those proposed for anonymous models (e.g., [10]), cannot be used in population protocols either, e.g., because they assume finite, but unbounded memory depending on the size of the network (see a survey in [7]).
To deal with this issue, Fischer and Jiang introduced a new type of oracle, called the eventual leader detector [18] and denoted by Ω?. Instead of electing a leader, like Ω, Ω? simply reports to each agent an (eventually correct) estimate about whether or not one or more leaders are present in the network (see Sects. 2 and 3.2 for a formal definition). This oracle does not require unique identifiers and has additional drastic differences. One of the important differences is motivated by the self-stabilizing nature of the SSLE problem considered in [18]. While Ω is designed to circumvent impossibility related to crash faults, Ω? is designed to deal with state-corrupting faults. Thus, while Ω is related to a failure pattern and is independent of the protocol using it, Ω? interacts with the protocol, providing information related to the system configurations reached during the execution. With Ω?, there is some sort of feedback loop: the outputs of the oracle influence the protocol; and conversely, the protocol influences the outputs of the oracle. Yet, there are some features in common with Ω. Both Ω and Ω? are unreliable in the sense that Ω? can make errors, that is, give false information at some point and at some agents, and is only required to eventually provide correct answers, similarly to Ω. Finally, such weak guarantees allow both Ω and Ω? to be implemented in practice using timeouts and other features often found in real systems (more details about the implementation of Ω? can be found in [18]; about Ω, in [14]).
To demonstrate the power of Ω?, [18] gives a uniform solution to SSLE using Ω? in complete communication graphs and rings. Uniform means that the solution is independent of the actual communication graph; the agents only know the graph family to which the graph belongs. Our focus here is on uniform solutions too.¹
Contribution. In this work, we investigate the power of Ω?. In particular, in Sect. 4, we show that its power exceeds considerably the case of rings and complete graphs (concerned in [18]). In fact, Ω? is sufficient for solving SSLE on almost all graphs, the only restriction being that the graph must be connected (obvious) and of bounded degree (related to the model requirement of bounded agent states).
In Sect. 5, we show that SSLE allows to implement Ω? on rings. Coupled with the fact that Ω? is sufficient for solving SSLE on rings [18], this implies that any oracle strong enough for solving SSLE on rings can be used to implement Ω? (on rings); i.e. Ω? is the weakest oracle for solving SSLE on rings.
In contrast with the previous case, we also show that over arbitrary communication graphs of bounded degree (and more generally, over non-simple graph families), SSLE is not equivalent to Ω? (Theorem 2). Intuitively, our results mean that, whereas SSLE and Ω? are not equivalent over certain families of graphs, this difference disappears on rings due to the strong communication constraints imposed by this topology. Due to the lack of space, some proofs are missing or sketched. All complete proofs appear in [6].
For modeling oracles and problems, and obtaining relations between them, we use the formal framework proposed in [5] and adapted to population protocols (see Sect. 2.2). In this framework, there is no difference between an oracle and a problem, so the relations that we exhibit can equivalently be viewed as relations between oracles or between problems. Note that the framework and our results concern an extremely general class of oracles.
Related Work. Being an important primitive in distributed computing, leader election has been extensively studied in various other models, however much less in population protocols. Because of model differences, previous results do not directly extend to the model considered here. For surveys on these previous results in other models, refer to [4,18]. In the following, we mention only the most relevant works to SSLE in population protocols.
It was shown, e.g. in [2,9], that fast converging population protocols can be designed using an initially provided unique leader. Moreover, many self-stabilizing problems on population protocols become possible given a leader (though together with some additional assumptions, see, e.g., [4,8]). Nevertheless, SSLE is impossible in population protocols over general connected communication graphs [4]. Yet, [4] presents a non-uniform solution for SSLE on rings. A uniform algorithm for rings and complete graphs is proposed in [18], but uses Ω?. Recently, [11] showed that at least n agent states are necessary and sufficient to solve SSLE over a complete communication graph, where n is the population size (unavailable in population protocols). For the enhanced model of mediated population protocols (MPP) [20], it is shown in [21] that (2/3)n agent states and a single bit memory on every agent pair are sufficient to solve SSLE. It is also shown that there is no MPP that solves SSLE with constant agent’s state and agent pair’s memory size, for arbitrary n. In [12], versions of SSLE are considered assuming Ω? together with different types of local fairness conditions. In the current paper, we consider only global fairness (classical for population protocols).
1 This is in contrast to the non-uniform solutions given to SSLE over rings in [4] that do not use oracles.
In [5], it is shown that the difficulty in solving SSLE in population protocols comes from the requirement of self-stabilization. Indeed, [5] presents a solution for arbitrary graphs with a uniform initialization and without any oracle. Then, [5] also proposes a solution for SSLE over arbitrary graphs, but the protocol uses a much stronger oracle. This oracle can be viewed as a composition of two copies of Ω?, where one copy is used to control the number of (stationary) leaders and the other one to control the number of moving tokens. There, tokens are used for eliminating supplementary leaders. In this paper, we prove that, surprisingly enough, there is no need to control the number of tokens and that a single instance of Ω? is enough (at least, in the case of bounded degree graphs). Finally, [5] shows that SSLE and Ω? are not equivalent over complete communication graphs. Here, we extend this result to so-called non-simple families of graphs (Theorem 2).
2 Model and Definitions
We use here the definitions of [1,4,18] with some slight adaptations. A communication graph is a directed graph G = (V, E) with n vertices. Each vertex represents a finite-state sensing device called an agent, and an edge (u, v) indicates the possibility of a communication (interaction) between u and v in which u is the initiator and v is the responder. The orientation of an edge corresponds to this asymmetry in the communications. In this paper, every graph is weakly connected.
A population protocol A(Q, X, Y, Out, δ) consists of a finite state space Q, a finite input alphabet X, a finite output alphabet Y, an output function Out : Q → Y and a transition function δ : (Q × X)^2 → P(Q^2) that maps any tuple (q1, x1, q2, x2) to a non-empty (finite) subset δ(q1, x1, q2, x2) of Q^2.² A (transition) rule of the protocol is a tuple (q1, x1, q2, x2, q1', q2') s.t. (q1', q2') ∈ δ(q1, x1, q2, x2), and is denoted by (q1, x1)(q2, x2) → (q1', q2'). The protocol A is deterministic if for every tuple (q1, x1, q2, x2), the set δ(q1, x1, q2, x2) has exactly one element.

² The input alphabet can be viewed as the set of possible values given to the agents from the outside environment, like sensed values, output values from another protocol or from an oracle. The output alphabet can be viewed as the set of values that the protocol itself outputs outside. X and Y are both the interface values of the protocol.
A configuration is a mapping C : V → Q specifying the states of the agents in the graph, and an input assignment is a mapping α : V → X specifying the input values of the agents. An input trace T is an infinite sequence T = α1α2 ... of input assignments. It is constant if α1 = α2 = .... An input trace can be viewed as the sequence of input values given to the agents from the outside environment.

We now define agents' interactions (called here actions) involving the input values. An action is a pair σ = (e, r) where r is a rule (q1, x1)(q2, x2) → (q1', q2') and e = (u, v) is a directed edge of G, representing a meeting of two interacting agents u and v. Let C, C' be configurations, α be an input assignment, and u, v be distinct agents. We say that σ is enabled in (C, α) if C(u) = q1, C(v) = q2 and α(u) = x1, α(v) = x2. We say that (C, α) goes to C' via σ, denoted (C, α) −σ→ C', if σ is enabled in (C, α), C'(u) = q1', C'(v) = q2' and C'(w) = C(w) for all w ∈ V − {u, v}. In other words, C' is the configuration that results from C by applying the transition rule r to the pair e of two interacting agents. We write (C, α) → C' when (C, α) −σ→ C' for some action σ. Given an input trace T_in = α0α1 ..., we write C →* C' if there is a sequence of configurations C0 C1 ... Ck s.t. C = C0, C' = Ck and (Ci, αi) → Ci+1 for all 0 ≤ i < k, and we say that C' is reachable from C given the input trace T_in.

An execution is a sequence of configurations, input assignments and actions (C0, α0, σ0)(C1, α1, σ1) ... such that for each i, (Ci, αi) −σi→ Ci+1. In addition, the sequence satisfies global fairness if, for every C, C', α s.t. (C, α) → C', if (C, α) = (Ci, αi) for infinitely many i, then C' = Cj for infinitely many j. This definition, together with the finite state space assumption, implies that, if in an execution there is an infinitely often reachable configuration, then it is infinitely often reached [3]. Global fairness can be viewed as an attempt to capture the randomization inherent to real systems, without introducing randomization in the model.

The output function Out : Q → Y is extended from states to configurations and produces an output assignment Out(C) : V → Y defined as Out(C)(v) = Out(C(v)), given a configuration C. The output trace associated to the execution E = (C0, α0, σ0)(C1, α1, σ1) ... is given by the sequence T_out = Out(C0)Out(C1) .... In the sequel, we use the word trace for both input and output traces.
The definitions below are adopted from [5] and differ from the ones in [4,18]. They are required to obtain a proper framework for defining oracles and establishing relations between them and/or between problems.³ In particular, this framework is real-time independent, which in turn provides self-implementable oracles, in contrast with the traditional failure detectors [15,16]. In short, in this framework, we define a general notion of behaviour, which is a relation between input and output traces. A problem and an oracle are defined as behaviours. Then, to compare behaviours, we define a partial order relation using an abstract notion of implementation by a population protocol using a behaviour.

³ In [18], where Ω? has been introduced, the oracle is defined in a rather informal way.

In the following, a communication graph G is supposed to be fixed and is sometimes implicitly referenced.
A schedule is a sequence of edges (representing meetings). An input or an output trace T = α0α1 ... is said to be compatible with the schedule S = (u0, v0)(u1, v1) ... if, for every meeting i, for every agent w different from ui and vi, αi(w) = αi+1(w). That is, any two consecutive assignments of a compatible trace can differ only on the values of the two meeting (neighboring) agents. This definition is natural since an agent can only be activated during a meeting, and it makes no sense to allow a change in inputs which cannot be detected by the agents. Note also that the output trace (associated with an execution with a schedule S) is necessarily compatible with S by definition.
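As an added illustration (not code from the paper), the following Python sketch implements the action semantics above (enabledness, (C, α) goes to C' via σ, execution along a schedule, the output trace via Out) together with the compatibility check of a trace with a schedule. The two-state leader-elimination protocol, the agent names and the schedule are assumptions constructed for the example; the input alphabet {⊥} is modelled as None.

```python
from typing import Dict, List, Set, Tuple

State = str
Config = Dict[str, State]        # C : V -> Q
Assign = Dict[str, object]       # alpha : V -> X (inputs) or V -> Y (outputs)
Edge = Tuple[str, str]           # e = (u, v): u initiator, v responder
Rule = Tuple[State, object, State, object, State, State]  # (q1,x1,q2,x2,q1',q2')

def delta(q1: State, x1, q2: State, x2) -> Set[Tuple[State, State]]:
    """Constructed protocol (assumption): Q = {L, F}, X = {None}.
    Two leaders meeting -> the responder is demoted; every other meeting is a no-op."""
    return {("L", "F")} if (q1, q2) == ("L", "L") else {(q1, q2)}

def out(q: State) -> int:
    """Out : Q -> {0, 1}; leader states map to 1."""
    return 1 if q == "L" else 0

def enabled(C: Config, alpha: Assign, e: Edge, r: Rule) -> bool:
    """sigma = (e, r) is enabled in (C, alpha) iff states and inputs match the rule."""
    (u, v), (q1, x1, q2, x2, _, _) = e, r
    return C[u] == q1 and C[v] == q2 and alpha[u] == x1 and alpha[v] == x2

def apply_action(C: Config, alpha: Assign, e: Edge, r: Rule) -> Config:
    """(C, alpha) --sigma--> C': only the two meeting agents change state."""
    if not enabled(C, alpha, e, r):
        raise ValueError("action not enabled in (C, alpha)")
    u, v = e
    Cp = dict(C)
    Cp[u], Cp[v] = r[4], r[5]
    return Cp

def run(C0: Config, inputs: List[Assign], schedule: List[Edge]) -> List[Assign]:
    """Execution of the (deterministic) protocol along a schedule; returns T_out."""
    C = C0
    trace = [{w: out(q) for w, q in C.items()}]
    for alpha, (u, v) in zip(inputs, schedule):
        (q1p, q2p), = delta(C[u], alpha[u], C[v], alpha[v])   # deterministic: one element
        C = apply_action(C, alpha, (u, v), (C[u], alpha[u], C[v], alpha[v], q1p, q2p))
        trace.append({w: out(q) for w, q in C.items()})
    return trace

def compatible(trace: List[Assign], schedule: List[Edge]) -> bool:
    """Consecutive assignments may differ only on the two agents of meeting i."""
    return all(a[w] == b[w]
               for (a, b), (u, v) in zip(zip(trace, trace[1:]), schedule)
               for w in a if w not in (u, v))

def leaders(alpha: Assign) -> int:
    """l(alpha): number of agents assigned 1 (the quantity Omega? reports on)."""
    return sum(1 for x in alpha.values() if x == 1)
```

Only a finite prefix of an execution is computed, so `run` lets you inspect how a trace evolves along a schedule, whereas ELE and Ω? are stated on infinite suffixes and cannot be decided from a prefix alone.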
A history H is a couple (S, T) where S is a schedule and T is a trace compatible with S. Depending on the type of trace, a history can be either an input or an output history. A behaviour B over a family of graphs F is a function that, for a graph G ∈ F and a schedule S on G, maps every input history H_in with schedule S to a set B(G, H_in), or simply B(H_in), of output histories with the same schedule S. The output histories of B(H_in) are the legal output histories
and output alphabets Y1, Y2 (for the output traces). In the following, T_Z denotes a trace with values in Z.
Let S be a schedule on G ∈ F. If Y1 = X2 = Z, the serial composition B = B2 ◦ B1 is the behaviour over F, with alphabets X1, Y2, s.t. (S, T_Y2) ∈ B(S, T_X1) iff there exists a trace T_Z compatible with S s.t. (S, T_Z) ∈ B1(S, T_X1) and (S, T_Y2) ∈ B2(S, T_Z).

The parallel composition B = B1 ⊗ B2 is the behaviour over F, with alphabets X1 × X2, Y1 × Y2, s.t. (S, T_Y1, T_Y2) ∈ B(S, T_X1, T_X2) iff (S, T_Y1) ∈ B1(S, T_X1) and (S, T_Y2) ∈ B2(S, T_X2).

If X1 = U × V and Y1 = U × W, the self-loop composition B = Self_U(B1) on U is the behaviour over F, with alphabets V, W, s.t. (S, T_W) ∈ B(S, T_V) iff there exists a trace T_U compatible with S s.t. (S, T_U, T_W) ∈ B1(S, T_U, T_V). As already mentioned, the self-loop composition is necessary to describe the interactions between a protocol and an oracle.

Given a (possibly infinite) set U of behaviours, a composition of behaviours in U is defined inductively as either a behaviour in the family U, or the parallel, serial or self-loop composition of compositions of behaviours in U.

The behaviour B2 is called a sub-behaviour of B1 if they are defined over the same family of graphs F, and for every graph G ∈ F, for every history H on G, B2(G, H) ⊆ B1(G, H).
Given a population protocol A with input alphabet X and output alphabet Y, the behaviour Beh(A) associated to the protocol A is the behaviour with input alphabet X and output alphabet Y s.t. (S, T_Y) ∈ Beh(A)(S, T_X) iff there exists an execution of A with schedule S, input trace T_X and output trace T_Y.

A problem and an oracle are simply defined as behaviours. Now, we are ready to define what it means for a protocol A to implement a behaviour (or solve the problem) B using an oracle O. The population protocol A implements the behaviour B (or solves the problem B) using the behaviour O if there exists a composition B* involving the behaviours O and Beh(A) s.t. B* is a sub-behaviour of B.

We say that a behaviour B1 is weaker than a behaviour B2 over a graph family F, denoted by B1 F B2, if there exists a self-stabilizing⁴ population protocol that implements B1 using B2 over F. The two behaviours are equivalent over F, denoted B1 F B2, if B1 F B2 and B2 F B1. In the case where B2 is a problem and B1 is an oracle, B1 is the weakest oracle for implementing B2 over F. The reason is that, because B1 F B2, any oracle that can be used to implement B2 can be used to implement B1, and thus B1 is weaker than any such oracle.
3 Specific Behaviours
ELE is defined with the input alphabet {⊥} (i.e., no input) and the output alphabet {0, 1} such that, given a graph G and a schedule S on G, a history (S, T) ∈ ELE(S) if and only if the output trace T has a constant suffix T' = ααα ... and there exists an agent λ such that α(λ) = 1 and α(u) = 0 for every
there is an implicit output map that maps a state to 1 if it is a leader state, and to 0 otherwise.

In our framework, the problem of Self-Stabilizing Leader Election (SSLE) consists in defining a population protocol that solves ELE using another behaviour (if necessary) and starting from arbitrary initial configurations.

Informally, Ω? (introduced in [18]) reports to agents whether or not one or more leaders are present. Thus, it does not distinguish between the presence of one or of more leaders in a configuration (of a protocol composed with Ω?).

Formally, Ω? is simply a relation between input and output traces with binary values. The input and output alphabets are {0, 1}. Given an assignment α, we denote by l(α) the number of agents that are assigned the value 1 by α. Given a graph G and a schedule S on G, (S, T_out) ∈ Ω?(S, T_in) if and only if the

⁴ In this paper, we are only interested in comparing oracles as far as self-stabilization is concerned.