Verification of Immediate Observation Population Protocols

by   Javier Esparza, et al.

Population protocols (Angluin et al., PODC, 2004) are a formal model of sensor networks consisting of identical mobile devices. Two devices can interact and thereby change their states. Computations are infinite sequences of interactions satisfying a strong fairness constraint. A population protocol is well-specified if for every initial configuration C of devices, and every computation starting at C, all devices eventually agree on a consensus value depending only on C. If a protocol is well-specified, then it is said to compute the predicate that assigns to each initial configuration its consensus value. In a previous paper we have shown that the problem whether a given protocol is well-specified and the problem whether it computes a given predicate are decidable. However, in the same paper we prove that both problems are at least as hard as the reachability problem for Petri nets. Since all known algorithms for Petri net reachability have non-primitive recursive complexity, in this paper we restrict attention to immediate observation (IO) population protocols, a class introduced and studied in (Angluin et al., PODC, 2006). We show that both problems are solvable in exponential space for IO protocols. This is the first syntactically defined, interesting class of protocols for which an algorithm not requiring Petri net reachability is found.



There are no comments yet.


page 1

page 2

page 3

page 4


Automatic Analysis of Expected Termination Time for Population Protocols

Population protocols are a formal model of sensor networks consisting of...

The Complexity of Verifying Population Protocols

Population protocols [Angluin et al., PODC, 2004] are a model of distrib...

Lower Bounds on the State Complexity of Population Protocols

Population protocols are a model of computation in which an arbitrary nu...

Parameterized Analysis of Immediate Observation Petri Nets

We introduce immediate observation Petri nets, a class of interest in th...

On the Flatness of Immediate Observation Petri Nets

In a previous paper we introduced immediate observation (IO) Petri nets,...

On the Necessary Memory to Compute the Plurality in Multi-Agent Systems

We consider the Relative-Majority Problem (also known as Plurality), in ...

Finding Cut-Offs in Leaderless Rendez-Vous Protocols is Easy

In rendez-vous protocols an arbitrarily large number of indistinguishabl...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Population protocols [2, 3] are a model of distributed, concurrent computation by anonymous, identical finite-state agents. They capture the essence of distributed computation in different areas. In particular, even though they were introduced to model networks of passively mobile sensors, they are also being studied in the context of natural computing [12, 7]. They also exhibit many common features with Petri nets, another fundamental model of concurrency.

A protocol has a finite set of states and a set of transitions of the form , where . If two agents are in states, say, and , and the protocol has a transition of the form , then the agents can interact and simultaneously move to states and . Since agents are anonymous and identical, the global state of a protocol is completely determined by the number of agents at each local state, called a configuration. A protocol computes a boolean value for a given initial configuration if in all fair executions starting at it, all agents eventually agree to this value111An execution is fair if it is finite and cannot be extended, or it is infinite and satisfies the following condition: if appears infinitely often in the execution, then every step enabled at is taken infinitely often in the execution.—so, intuitively, population protocols compute by reaching a stable consensus. Observe that a protocol may compute no value for some initial configuration, in which case it is deemed not well-specified [2].

Population protocols are parameterized systems. Every initial configuration yields a different finite-state instance of the protocol, and the specification is a global property of the infinite family of protocol instances so generated. More precisely, the specification is a predicate stipulating the boolean value that the protocol must compute from the initial configuration .

Initial verification efforts for verifying population protocols studied the problem of checking if is correctly computed for a finite set of initial configurations, a task within the reach of finite-state model checkers. In 2015 we obtained the first positive result on parameterized verification [9]. We showed that the problem of deciding if a given protocol is well-specified for all initial configurations is decidable. The same result holds for the correctness problem: given a protocol and a predicate, deciding if the protocol is well-specified and computes the predicate. Unfortunately, we also showed [9, 10] that both problems are as hard as the reachability problem for Petri nets. Since all known algorithms for Petri net reachability run in non-primitive recursive time in the worst case, the applicability of this result is limited.

In this paper we initiate the investigation of subclasses of protocols with a more tractable well specification and correctness problems. We focus on the subclass of immediate observation protocols (IO protocols), introduced and studied by Angluin et al. [4]. These are protocols whose transitions have the form . Intuitively, in an IO protocol an agent can change its state from to by observing that another agent is in state . This yields an elegant model of protocols in which agents interact through sensing: If an agent in state senses the presence of another agent in state , then it can change its state to . The other agent typically does not even know that it has been sensed, and so it keeps its current state. They also capture the notion of catalysts in chemical reaction networks.

Angluin et al. focused on the expressive power of IO protocols. Our main result is that for IO protocols, both the well specification and correctness problems can be solved in (we also show the problem is -hard). This is the first time that the verification problems of a substantial class of protocols are proved to be solvable in elementary time. To ensure elementary time, our proof uses techniques significantly different from previous results [9]. The key to our result is the use of counting constraints to symbolically represent possibly infinite (but not necessarily upward-closed) sets of configurations. A counting constraint is a boolean combination of atomic threshold constraints of the form . We prove that, contrary to the case of arbitrary protocols, the set of configurations reachable from a counting set (the set of solutions of a counting constraint) is again a counting set and we characterize the complexity of representing this set. We believe that this result can be of independent interest for other parameterized systems.

Angluin et al. [4] proved that IO protocols compute exactly the predicates represented by counting constraints. Our main theorem yields a new proof of this result as a corollary. But it also goes further. Using our complexity results, we can provide a lower bound on the state complexity of IO protocols, i.e., on the number of states necessary to compute a given predicate. These results complement recent bounds obtained for arbitrary protocols [5].

2 Immediate Observation Population Protocols

2.1 Preliminaries

A multiset on a finite set is a mapping , thus, for any , denotes the number of occurrences of element in . Operations on like addition, subtraction, or comparison, are extended to multisets by defining them component wise on each element of . Given , we denote by the multiset consisting of one occurrence of element , that is, the multiset satisfying and for every . Given define . Given a total order on , a multiset

can be equivalently represented by the vector


2.2 Protocol Schemes

A protocol scheme consists of a finite non-empty set of states and a set . If , we write and call it a transition.

Confugurations of a protocol scheme are given by populations. A population is a multiset on with at least two elements, i.e., . The set of all populations is denoted . Intuitively, a configuration describes a collection of identical finite-state agents with as set of states, containing agents in state .

Pairs of agents interact using transitions from . Formally, given two configurations and and a transition , we write if

(Recall that is the multiset consisting only of one occurrence of .) From the definition of interaction, it is easily seen that, inside the tuple , the ordering between and and between and is irrelevant. We write for a sequence of transitions if there exists a sequence of configurations satisfying . We also write if for some transition , and call an interaction. We say that is reachable from if for some (possibly empty) sequence of transitions.

Note that transitions are enabled only when there are at least two agents. This is why we assume that populations have at least two elements.

An execution of is a finite or infinite sequence of configurations such that for each . An execution is fair if it is finite and cannot be extended, or it is infinite and for every step , if for infinitely many indices , then and for infinitely many indices [2, 3]. Informally, if appears infinitely often in a fair execution, then every step enabled at is taken infinitely often in the execution.

Given a set of configurations and a transition of a protocol scheme , we define:

  • and .

  • ; for every ; and .

We also define . The sets and are defined as above for .

2.2.1 Immediate Observation Protocol Schemes

A protocol scheme is immediate observation (IO) if all its transitions are immediate observation. A transition is immediate observation iff . Consider, for instance, a transition where and are all distinct. Observe that the transition is immediate observation since . Intuitively, in an interaction specified by an immediate observation transition, one agent observes the state of another and updates it own state, but the observed agent remains as it was (and its state, unmodified by the interaction, is given by ). Other typical examples of immediate observation transitions are , and where and are all distinct. Note that in the last two cases, the state of two agents are the same before and after interacting.

2.3 Population Protocols

As Angluin et al. [2], we consider population protocols as a computational model, computing predicates , where is a non-empty, finite set of input variables.

An input mapping for a protocol scheme is a function that maps each input population to a configuration of . The set of initial configurations is . An input mapping is Presburger if the set of pairs such that is definable in Presburger arithmetic. An input mapping is simple if there is an injective map such that . That is, each input variable is assigned a (distinct) state, and a population over is assigned the initial configuration consisting of agents in the state and no other agents. Unless otherwise specified, we restrict our attention to the class of simple input mappings.

An output mapping for a protocol scheme is a function that associates to each state of an output value in . The output mapping induces the following properties on configurations: a configuration is a

  • -consensus for if and a consensus if it is a -consensus for some ;

  • dissensus if it is a -consensus for no (that is is a dissensus if and ).

A population protocol is a triple , where is a protocol scheme, is a simple input mapping, and is an output mapping. The population protocol is immediate observation (IO) if is immediate observation.

An execution stabilizes to for a given if there exists such that is a -consensus for every (if the execution is finite, then this means for every between and the length of the execution). Notice that there may be many different executions from a given configuration , each of which may stabilize to or to or not stabilize at all (by visiting infinitely many dissensus or infinitely many and consensus).

A population protocol is well-specified if for every input configuration , every fair execution of starting at stabilizes to the same value . Otherwise, it is ill-specified. The well specification problem asks if a given population protocol is well-specified?

Finally, a population protocol computes a predicate if for every , every fair execution of starting at stabilizes to . It follows easily from the definitions that a protocol computes a predicate iff it is well-specified. The correctness problem asks, given a population protocol and a predicate whether the protocol computes the predicate.

3 Counting Constraints and Counting Sets

Let be a set of variables, and let . A constraint of the form , where , is a lower bound, and a constraint of the form , where , is an upper bound. A literal is a lower bound or an upper bound.

A counting constraint is a boolean combination of literals. A counting constraint is in counting normal form (CoNF) if it is a disjunction of conjunctions of literals, where each conjunction, called a counting minterm, contains exactly two literals for each variable, one of them an upper bound and the other a lower bound. We often write a counting constraint in CoNF as the set of its counting minterms. The semantics of a counting constraint is a counting set, a set of vectors in or, equivalently, a set of valuations to the variables in . The semantics is defined inductively on the structure of a counting constraint, as expected. Define () and . Disjunction, conjunction, and negation of counting constraints translates into union, intersection, and complement of counting sets.

The following proposition follows easily from the definition of counting sets and the disjunctive normal form for propositional logic.

Proposition .
  1. Counting sets are closed under Boolean operations.

  2. Every counting constraint is equivalent to a counting constraint in CoNF.

Proof Sketch..

1. Proof is easy. 2. Put the constraint in disjunctive normal form. Remove negations in front of literals using if and remove the enclosing minterm otherwise; and if and remove the enclosing minterm otherwise. Remove minterms containing unsatisfiable literals with . Remove redundant bounds, e.g., replace by . If a minterm does not contain a lower bound (upper bound) for , add (). ∎

Next, we introduce a representation of CoNF-constraints used in the rest of the paper. [Representation of CoNF-constraints] We represent a counting minterm by a pair where and assign to each variable its lower and upper bound, respectively. We represent a CoNF-constraint as the set of representations of its minterms: .

[Measures of counting constraints] The -norm of a counting minterm is , and its -norm is (and if for no ). The - and -norms of a CoNF-constraint are and .

Proposition .

Let be CoNF-constraints over variables.

  • There exists a CoNF-constraint with such that and .

  • There exists a CoNF-constraint with such that and .

  • There exists a CoNF-constraint with such that and .


Remember that a CoNF constraint for minterms in dimension is a -disjunction of -conjunctions, and that the -norm (respectively -norm) is the maximum sum of lower (resp. upper) bounds in one conjunction. The union of two counting sets with CoNF constraints is represented by the disjunction of the two constraints, and it is still CoNF so the result follows. The intersection is represented by a conjunction of the two constraints and so is not CoNF and needs to be rearranged as in Proposition 3. The new -conjunctions of literals (i.e. the new minterms) mix unmodified bounds from and , so the result follows. The complement is represented by the negation of the original constraint, which we rearrange into CoNF using . We obtain -conjunctions with lower bounds of the form , with an upper bound in a minterm of the original constraint. This yields and the reasoning is similar for the -norm. ∎

Remark .

The counting sets contain the finite, upward-closed and downward-closed sets:

  • Every finite subset of is a counting set. Indeed, with for every , and so finite sets are counting sets too.

  • A set is upward-closed if whenever and , we have , where we write if the ordering holds pointwise (meaning for every ). Upward-closed sets are counting sets. Indeed, by Dickson’s lemma, every upward-closed set has a finite set of minimal elements with respect to , and so the set is where and for every .

  • A set is downward-closed if whenever and , we have . Since a set is downward-closed iff its complement is upward-closed, every downward-closed set is a counting set. Further, it is easy to see that downward-closed sets are represented by counting constraints where for every .

Next, we define a well-quasi-ordering on counting sets. For two counting minterms and , we write if . For CoNF-constraints and , define the ordering if for each counting minterm there is a counting minterm such that . Note that implies .

For every , the ordering on counting sets represented by CoNF-constraints of -norm at most is a well-quasi-order.


We first prove that counting minterms with form a better quasi order. For two counting minterms and , we write if . Let be an infinite sequence of counting minterms of -norm at most , where . Since there are only finitely many mappings of norm at most , the sequence contains an infinite subsequence such that every minterm of satisfies for some mapping . So is of the form By Dickson’s lemma, there are such that , and so . Hence, defining be the set of all counting minterms of -norm at most we find that is a well-quasi-order. In fact, standard arguments show that this is a better-quasi-order [1]. Hence, the ordering is a better quasi order on counting constraints [1], implying it is also a well-quasi-order. ∎

4 Reachability Sets of IO Population Protocols

We show that if is a counting set, then and are also counting sets. First we show that we can restrict ourselves to IO protocols in a certain normal form.

4.1 A Normal Form for Immediate Observation Protocols

An IO protocol is in normal form if for every transition , i.e., the state of the observed agent is different from the source state of the observer.

Given an IO population protocol we define an IO protocol in normal form which is well-specified iff is well-specified. Further, the number of states and transitions of is linear in the number of states and transitions of . The mapping is a Presburger mapping even if is simple, but this does not affect our results.

is defined adding transition and states to . First we add a state . Then, we replace each transition of by a transition , where is a primed copy of , and add two further transitions and .

It remains to define the output function of the new states as well as the input mapping of . We define to be a Presburger initial mapping which coincides with on the state of and such that for all and for all and primed state . The output of primed copies is the same as their unprimed version, that is . The only technical difficulty is the definition of the output of state . Because of the way in which we have defined the transitions involving , the agent initially in state cannot leave . Therefore, whatever the output we assign to , the protocol can never reach consensus , and so may not be well-specified even if is. To solve this problem, we add a primed copy of such that and have distinct outputs. Every transition with as observer is duplicated but this time with as observed state. Finally, for every state of , if we add the transition , and otherwise we add the transition . After adding these states, the agent initially in switches between and , and finally stabilizes to the same value the other agents stabilize to.

4.2 The Functions and Preserve Counting Sets

We show that if is a counting set, then and are also counting sets. Further, given a CoNF-constraint representing , we show how to construct a CoNF-constraint representing and . In the following, we abbreviate to , and similarly for other notations involving and , like , , etc.

We start with some simple examples. First, we observe that the result does not hold for arbitrary population protocols. Consider the protocol with four distinct states and one single transition . Let . Then , which is not a counting set. Intuitively, the reason is that the transitions links the number of agents in states and . However, this is only possible because the transition is not IO. Indeed, consider now the protocol with states and one single IO transition . Table 1 lists some typical constraints for , and gives constraints for .

Table 1: The set for two IO transitions and counting minterm . For conciseness and clarity we use equality constraints instead of two inequalities.

Given a minterm , we syntactically define a CoNF-constraint for the set:

That is, captures the set of all configurations that can be obtained from by firing transition an arbitrary number of times.

Let be a minterm and let be an IO transition. Define to be the set given by and all the minterms such that all the following conditions hold:

  1. where .

  2. and for every .

  3. If , then there exists such that , , and .

  4. If , then and there exists such that and .

Given a CoNF-constraint , we define .

Let be an IO protocol and let be a CoNF-constraint. Then . Further, .


It suffices to prove that for every minterm and for every transition we have and . The rest follows easily from the definitions of and of a counting constraint.

Condition (1) holds iff some vector in enables , hence is the set of vectors minus those disabling . If no vector enables then is the singleton . Condition (2) states that the number of agents in states other than and does not change. Condition (3–4) defines the result of firing one or more times.

The inequality follows immediately from (1–4). Observe that may hold if and . ∎

To prove the main theorem of the section, we introduce the following definition.

Given a protocol , let be a set of configurations and let be a CoNF-constraint.

  • Define: ; and for every ; .

  • Similarly, define in the constraint domain: ; and for every .

The -subscript stands for “accelerated.” Observe that we cannot define directly as the infinite union because constraints are only closed under finite unions.

Let be an IO protocol and let be a counting set. Then both and are counting sets.


We first prove that is a counting set. It follows from Definition 4.2 that but for every , hence , and so it suffices to prove that is a counting set.

Let be a CoNF-constraint such that . By Lemma 4.2, is a counting set and for every . By Theorem 3, there exist indices such that , hence since for all , and finally . Since counting sets are closed under finite union, is a counting set.

Finally we show that is also a counting set. Consider the protocol obtained by “reversing” the transitions of , i.e., has a transition iff has a transition . Then in is equal to in . ∎

4.3 Bounding the Size of

Given a CoNF-constraint , we obtain an upper bound on the size of a CoNF-constraint denoting and . More precisely, we obtain bounds on the -norm and -norm of a constraint for as a function of the same parameters for .

We first recall a theorem of Rackoff [14] recast in the terminology of population protocols.

[[14, 6]] Let be a population protocol with set of states and let be a configuration of . For every configuration , if there exists such that , then there exists and such that and . (Recall that and .)

Observe that the bound on the length of depends only on and , but not on . Using this theorem we can already obtain an upper bounds for when is upward-closed. The bound is valid for arbitrary population protocols.

Recall that if is upward-closed we can assume (see Remark 3).

Proposition .

Let be population protocol with states. Let be an upward-closed set of configurations and let be a CoNF-constraint with such that . There exists a CoNF constraint such that and , .


It is well known that if is upward-closed, then so is . (This follows from Lemma 4.2, but is also an easy consequence of the fact that implies for every