## Section: New Results

### Models and abstractions: dealing with dynamics

#### Reducing the cost of Byzantine consensus in synchronous systems

Participant : Achour Mostefaoui.

In a system composed of n processes where at most t can exhibit Byzantine behavior, it has been known since the early eighties that t needs to be smaller than a third of the total number of processes to make the Byzantine consensus problem decidable. Moreover, it has been proved that the minimum number of communication steps needed is t + 1 in the worst case. Yet, the protocol that achieves this bound (called EIG, for Exponential Information Gathering) is extremely costly in terms of message size and local computation. So far, lowering this cost has meant considering smaller values of t (such as t<n/4) and accepting an increased latency (2t + 2 steps). One protocol exists with a reasonable (polynomial) cost and the initial number of steps, but it is extremely complex. The goal of this work is to design a simple algorithm that is as simple and resilient as the EIG protocol but with a quadratic number of steps.

#### Peer-to-peer polling without cryptography

Participants : Kévin Huguenin, Anne-Marie Kermarrec.

This work has been done in collaboration with Rachid Guerraoui and
Maxime Monod (EPFL, Switzerland). The emergence of social networks
provides a framework for polling a community easily by means of
peer-to-peer techniques. Polling is not as critical as voting, as the
accuracy of the tally is less important. Yet, it must provide
properties similar to those of electronic voting, such as voter privacy,
fairness, and probabilistic accuracy. The core idea of the work is to
build a decentralized protocol without cryptography that ensures these
properties with high probability by means of peer-to-peer deterrent
power: *every action in the protocol may be subject to verification by
peers*. By ensuring that any malicious action is detected with
probability one or at least close to one, we increase the accuracy of
the tally by limiting the proportion of misbehaving peers. Privacy is
ensured probabilistically by using peers as proxies for emitting
ballots, making vote recovery impossible for a reasonable proportion of
malicious nodes. This work was published in 2009 at the
international conference OPODIS [45]. We are currently working on an
extension to n-ary polling.

#### Bridging the Gap between population and gossip-based protocols

Participants : Marin Bertier, Anne-Marie Kermarrec.

In this work, we establish a correlation between population and gossip-based protocols. Studying the equivalence between them, we propose a classification of gossip-based protocols based on the nature of the underlying peer-sampling service. First, we show that the class of gossip protocols where each node relies on an arbitrary sample is equivalent to population protocols. Second, we show that gossip-based protocols relying on a more powerful peer sampling, which provides peers with a clearly identified set of other peers, are equivalent to community protocols, a variant of population protocols. Leveraging the resemblances between these areas makes it possible to provide a theoretical framework for distributed systems where global behaviours emerge from a set of local interactions, both in wired and wireless settings. This work has been presented at SIROCCO 2009 [31]. We also study the impact of the agents' mobility model on the convergence speed of population protocols. We perform our study by considering several mobility models traditionally used in the ad-hoc network community. We propose an augmented population protocol model where each edge of the interaction graph is weighted, representing the probability that two agents interact.

#### STAR

Participants : Erwan Le Merrer, Anne-Marie Kermarrec.

STAR is a fully decentralized self-stabilizing randomized membership
protocol building a strongly connected overlay graph with
sub-logarithmic diameter and almost homogeneous logarithmic degree.
STAR is the first protocol to simultaneously maintain the following
properties on the resulting graph G : (i) The graph maintains the
*Eulerian* property, i.e., that the in-degree and out-degree of
each node are the same, and G is strongly connected. (ii) The
out-degree of each node automatically converges to an average of 2ln(n) + O(1) without any node knowing the exact size n of the
network. (iii) The diameter of the overlay graph is with high probability. (iv) STAR is
self-stabilizing. Starting from an arbitrary graph topology, or after
a disruptive error, STAR causes the overlay graph to converge to the
desired properties. This work has been done in collaboration with
Prof. Ajoy Datta, University of Nevada, Las Vegas.

#### Agreement in anonymous systems

Participants : François Bonnet, Michel Raynal.

This work addresses the consensus problem in asynchronous systems prone to process crashes, where additionally the processes are anonymous (they cannot be distinguished one from the other: they have no name and execute the same code). To circumvent the three computational adversaries (asynchrony, failures and anonymity) each process is provided with a failure detector of a class denoted , that gives it an upper bound on the number of processes that are currently alive (in a non-anonymous system, the classes and -the class of perfect failure detectors- are equivalent).

After having designed a simple -based consensus algorithm where
the processes decide in 2t + 1 asynchronous rounds (where t is an
upper bound on the number of faulty processes), we have shown that
2t + 1 is a lower bound for consensus in the anonymous systems
equipped with . Then addressing early-decision, we have designed
and proved correct an early-deciding algorithm where the processes
decide in min(2f + 2, 2t + 1) asynchronous rounds (where f is the
actual number of process failures). This suggests that anonymity
doubles the cost (wrt. synchronous systems) and it is conjectured that
min(2f + 2, 2t + 1) is the corresponding lower bound. These results
have then been extended to the k-set agreement problem, for which we
have introduced a family of failure detector classes that generalizes the class ( = _{0}) and
designed an algorithm that solves the k-set agreement in
asynchronous rounds. This last formula relates the cost
( ), the coordination degree of the problem (k), the
maximum number of failures (t) and the strength ( ) of the
underlying failure detector.

#### Looking for weakest failure detectors

Participants : François Bonnet, Michel Raynal.

In the k -set agreement problem, each process (in a set of n
processes) proposes a value and has to decide a proposed value in such
a way that at most k different values are decided. While this
problem can easily be solved in asynchronous systems prone to t
process crashes when k > t, it cannot be solved when k ≤ t. For
several years, the failure detector-based approach has been
investigated to circumvent this impossibility. While the weakest
failure detector class to solve the k -set agreement problem in
read/write shared-memory systems has recently been discovered (PODC
2009), the situation is different in message-passing systems where the
weakest failure detector classes are known only for the extreme cases
k = 1 (consensus) and k = n-1 (set agreement). We have introduced
a candidate for the general case: a new failure
detector class, denoted _{k} , and have shown that _{1} = ×
(the weakest class for k = 1 ), and (the weakest
class for k = n-1 ). Then, we have investigated the structure of
_{k} and shown that it is the combination of two failure detector
classes denoted _{k} and _{k} (that generalize the
previous “quorums” and “eventual leaders” failure detector
classes). Finally, we have proved that _{k} is a necessary
requirement (as far as information on failure is concerned) to solve
the k -set agreement problem in message-passing systems. This work
has obtained the Best Paper Award at SSS 2009.
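
The easy case k > t mentioned above, as an added example that is not part of the original report or of the cited paper: it simulates the classical "wait for n - t proposals, decide the minimum" algorithm under crashes and arbitrary message ordering. Every decision is the minimum of n - t out of n proposals, hence one of the t + 1 smallest, so at most t + 1 ≤ k values are decided. The function names and the simple crash/delivery model are assumptions made for illustration.

```python
import random

def k_set_run(proposals, t, rng):
    """One asynchronous run with up to t crashes (hypothetical helper).
    Each surviving process decides the minimum of the first n - t
    proposals it receives."""
    n = len(proposals)
    crashed = set(rng.sample(range(n), rng.randint(0, t)))
    decisions = {}
    for p in range(n):
        if p in crashed:
            continue
        # A crashed process may or may not have sent its proposal to p
        # before crashing; every correct process always does.
        senders = [q for q in range(n)
                   if q not in crashed or rng.random() < 0.5]
        # Asynchrony: arrival order is arbitrary, and p cannot wait for
        # more than n - t messages without risking blocking forever.
        rng.shuffle(senders)
        decisions[p] = min(proposals[q] for q in senders[:n - t])
    return decisions

def max_distinct_decisions(n, t, runs, seed):
    """Largest number of distinct decided values seen over `runs` runs."""
    rng = random.Random(seed)
    worst = 0
    for _ in range(runs):
        proposals = rng.sample(range(1000), n)  # constructed, all distinct
        decisions = k_set_run(proposals, t, rng)
        decided = set(decisions.values())
        assert decided <= set(proposals)   # validity
        assert len(decisions) >= n - t     # every correct process decides
        worst = max(worst, len(decided))
    return worst

if __name__ == "__main__":
    print(max_distinct_decisions(n=7, t=2, runs=2000, seed=1))
```
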

#### Implementing a register in a dynamic distributed system

Participants : François Bonnet, Michel Raynal, Anne-Marie Kermarrec.

This work was carried out in collaboration with S. Bonomi and R. Baldoni, Universita' di Roma, La Sapienza, Roma, Italy. Providing distributed processes with concurrent objects is a fundamental service that has to be offered by any distributed system. The classical shared read/write register is one of the most basic ones. Several protocols have been proposed that build an atomic register on top of an asynchronous message-passing system prone to process crashes. In the same spirit, we have addressed the implementation of a regular register (a weakened form of an atomic register) in an asynchronous dynamic message-passing system. The aim here is to cope with the net effect of two adversaries: asynchrony and dynamicity (the fact that processes can enter and leave the system). Our work focuses on the class of dynamic systems whose churn rate c is constant. It presents two protocols, one applicable to synchronous dynamic message-passing systems, the other to eventually synchronous dynamic systems. Both protocols rely on an appropriate broadcast communication service (similar to a reliable broadcast). Each requires a specific constraint on the churn rate c. Both protocols are first presented as intuitively as possible, and are then proved correct (ICDCS 2009, SIROCCO 2009).

#### The extended Borowsky-Gafni simulation

Participants : Damien Imbs, Michel Raynal.

The *Borowsky-Gafni (BG) simulation* algorithm is a powerful
tool that allows a set of t + 1 asynchronous sequential processes to
wait-free simulate (i.e., despite the crash of up to t of them) a
large number n of processes under the assumption that at most t of
these processes fail (i.e., the simulated algorithm is assumed to be
t -resilient). The BG simulation has been used to prove solvability
and unsolvability results for crash-prone asynchronous shared memory
systems. In its initial form, the BG simulation applies only to
colorless decision tasks, i.e., tasks in which nothing prevents
processes from deciding the same value (e.g., consensus or k-set
agreement tasks). Said in another way, it does not apply to decision
problems such as renaming where no two processes are allowed to decide
the same new name. Very recently (STOC 2009), Eli Gafni has presented
an *extended BG simulation* algorithm (GeBG) that generalizes
the basic BG algorithm by extending it to “colored” decision tasks
such as renaming. His algorithm is based on a sequence of
sub-protocols where a sub-protocol is either the base agreement
protocol that is at the core of BG simulation, or a commit-adopt
protocol.

We have designed a core algorithm for the extended BG simulation
algorithm that is particularly simple. This algorithm is based on two
underlying objects: the base agreement object used in the BG simulation
(as does GeBG), and (differently from GeBG) a new simple object that
we call *arbiter*. As in GeBG, while each of the n simulated
processes is simulated by each simulator, each of the first t + 1
simulated processes is associated with a predetermined simulator that
we call its “owner”. The arbiter object is used to ensure that
the permanent blocking (crash) of any of these t + 1 simulated
processes can only be due to the crash of its owner simulator (SSS
2009).

#### Software transactional systems

Participants : Damien Imbs, Michel Raynal.

The aim of a Software Transactional Memory (STM) is to relieve
programmers of the management of synchronization in multiprocess
programs that access concurrent objects. To that end, an STM system provides
the programmer with the concept of a transaction. The job of the programmer
is to decompose each sequential process the application is made up of into
transactions. A transaction is a piece of code that accesses concurrent
objects, but contains no explicit synchronization statement.
It is the job of the underlying STM system to provide the illusion
that each transaction is executed atomically.
For efficiency, an STM system allows transactions to execute concurrently.
Consequently, due to the underlying STM concurrency management, a transaction
either commits or aborts.

Our work on STM has several facets. We have designed a new STM consistency
condition, called *virtual world* consistency. This condition states that no
transaction reads object values from an inconsistent global state.
It is similar to opacity for the committed transactions but weaker for the
aborted transactions. More precisely, it states that (1) the committed
transactions can be totally ordered, and (2) the values read by each aborted
transaction are consistent with respect to its causal past only.
Hence, virtual world consistency is weaker than opacity while keeping
its spirit. Then, assuming the objects shared by the processes are
atomic read/write objects, the paper presents an STM protocol that
ensures virtual world consistency (while guaranteeing the invisibility
of the read operations). From an operational point of view, this protocol
is based on a vector-clock mechanism. Finally, the paper considers the case
where the shared objects are regular read/write objects. It also shows how
the protocol can be weakened to satisfy the *causal consistency*
condition (that is weaker than virtual world consistency) (SIROCCO 2009, PaCT 2009).