# Verification of Threshold-Based Distributed Algorithms by Decomposition to Decidable Logics

Verification of fault-tolerant distributed protocols is an immensely difficult task. Often, in these protocols, thresholds on set cardinalities are used both in the process code and in its correctness proof, e.g., a process can perform an action only if it has received an acknowledgment from at least half of its peers. Verification of threshold-based protocols is extremely challenging as it involves two kinds of reasoning: first-order reasoning about the unbounded state of the protocol, together with reasoning about sets and cardinalities. In this work, we develop a new methodology for decomposing the verification task of such protocols into two decidable logics: EPR and BAPA. Our key insight is that such protocols use thresholds in a restricted way as a means to obtain certain properties of "intersection" between sets. We define a language for expressing such properties, and present two translations: to EPR and BAPA. The EPR translation allows verifying the protocol while assuming these properties, and the BAPA translation allows verifying the correctness of the properties. We further develop an algorithm for automatically generating the properties needed for verifying a given protocol, facilitating fully automated deductive verification. Using this technique we have verified several challenging protocols, including Byzantine one-step consensus, hybrid reliable broadcast and fast Byzantine Paxos.

## Authors

• 1 publication
• 4 publications
• 2 publications
• 8 publications
• 20 publications
• ### A Formally Verified Protocol for Log Replication with Byzantine Fault Tolerance

Byzantine fault tolerant protocols enable state replication in the prese...
09/22/2020 ∙ by Joel Wanner, et al. ∙ 0

Distributed protocols such as Paxos play an important role in many compu...
10/19/2017 ∙ by Oded Padon, et al. ∙ 0

• ### Verifying Accountability for Unbounded Sets of Participants

Little can be achieved in the design of security protocols without trust...
06/22/2020 ∙ by Kevin Morio, et al. ∙ 0

• ### Verifying the Steane code with Quantomatic

In this paper we give a partially mechanized proof of the correctness of...
06/19/2013 ∙ by Ross Duncan, et al. ∙ 0

• ### New method of verifying cryptographic protocols based on the process model

A cryptographic protocol (CP) is a distributed algorithm designed to pro...
11/24/2020 ∙ by A. M. Mironov, et al. ∙ 0

• ### Local Reasoning for Parameterized First Order Protocols

First Order Logic (FOL) is a powerful reasoning tool for program verific...
03/07/2019 ∙ by Rylo Ashmore, et al. ∙ 0

• ### Ensuring Liveness Properties of Distributed Systems (A Research Agenda)

Often fairness assumptions need to be made in order to establish livenes...
11/12/2017 ∙ by Rob van Glabbeek, et al. ∙ 0

##### This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

## 1 Introduction

Fault-tolerant distributed protocols play an important role in the avionic and automotive industries, medical devices, cloud systems, blockchains, etc. Their unexpected behavior might put human lives at risk or cause a huge financial loss. Therefore, their correctness is of ultimate importance.

Ensuring correctness of distributed protocols is a notoriously difficult task, due to the unbounded number of processes and messages, as well as the non-deterministic behavior caused by the presence of faults, concurrency, and message delays. In general, the problem of verifying such protocols is undecidable. This imposes two directions for attacking the problem: (i) developing fully-automatic verification techniques for restricted classes of protocols, or (ii) designing deductive techniques for a wide range of systems that require user assistance. Within the latter approach, recently emerging techniques [28] leverage decidable logics that are supported by mature automated solvers to significantly reduce user effort, and increase verification productivity. Such logics bring several key benefits: (i) their solvers usually enjoy stable performance, and (ii) whenever annotations provided by the user are incorrect, the automated solvers can provide a counterexample for the user to examine.

Deductive verification based on decidable logic requires a logical formalism that satisfies two conflicting criteria: the formalism should be expressive enough to capture the protocol, its correctness properties, its inductive invariants, and ultimately its verification conditions. At the same time, the formalism should be decidable and have an effective automated tool for checking verification conditions.

In this paper we develop a methodology for deductive verification of threshold-based distributed protocols using decidable logic, where we use decomposition into two well-established decidable logics to settle the tension explained above.

In threshold-based protocols, a process may take different actions based on the number of processes from which it received certain messages. This is often used to achieve fault-tolerance. For example, a process may take a certain step once it has received an acknowledgment from a strict majority of its peers, that is, from more than processes, where is the total number of processes. Such expressions as , are called thresholds, and in general they can depend on additional parameters, such as the maximal number of crashed processes, or the maximal number of Byzantine processes.

Verification of such protocols requires two flavors of reasoning, as demonstrated by the following example. Consider the Paxos [19] protocol, in which each process proposes a value and all must agree on a common proposal. The protocol tolerates up to  process crashes, and ensures that every two processes that decide agree on the decided value. The protocol requires processes, and each process must obtain confirmation messages from processes before making a decision. The protocol is correct due to, among others, the fact that if then any two sets of processes have a process in common. To verify this protocol we need to express (i) relationships between an unbounded number of processes and values, which typically requires quantification over uninterpreted domains (“every two processes”), and (ii) properties of sets of certain cardinalities (“any two sets of processes intersect”). Crucially, these two types of reasoning are intertwined, as the sets of processes for which we need to capture cardinalities may be defined by their relations with other state components (“messages from at least processes”). While uninterpreted first-order logic (FOL) seems like the natural fit for the first type of reasoning, it is seemingly a poor fit for the second type, since it cannot express set cardinalities and the arithmetic used to define thresholds. Typically, logics that combine both types of reasoning are either undecidable or not flexible enough to capture protocols as intricate as the ones we consider.

The approach we present relies on the observation that threshold-based protocols and their correctness proofs use set cardinality thresholds in a restricted way as a means to obtain certain properties between sets, and that these properties can be expressed in FOL via a suitable encoding. In the example above, the important property is that every two sets of cardinality at least have a non-empty intersection. This property can be encoded in FOL by modeling sets of cardinality at least using an uninterpreted sort along with a corresponding membership relation between this sort and the sort for processes. However, the validity of the intersection property under the assumption that cannot be verified in FOL.

The key idea of this paper is, hence, to decompose the verification problem of threshold-based protocols into the following problems: (i) Checking protocol correctness assuming certain intersection properties, which can be reduced to verification conditions expressed in the Effectively Propositional (EPR) fragment of FOL [24, 34]. (ii) Checking that sets with cardinalities adhering to the thresholds satisfy the intersection properties (under the protocol assumptions), which can be reduced to validity checks in quantifier-free Boolean Algebra with Presburger Arithmetic (BAPA) [18]. Both BAPA and EPR are decidable logics, and are supported by mature automated solvers.

A crucial step in employing this decomposition is finding suitable intersection properties that are strong enough to imply the protocol’s correctness (i.e., imply the FOL verification conditions), and are also implied by the precise definitions of the thresholds and the protocol’s assumptions. Thus, these intersection properties can be viewed as interpolants

between the FOL verification conditions and the thresholds in the context of the protocol’s assumptions. We present fully automated procedures to find such intersection property interpolants, either eagerly or lazily.

The main contributions of this paper are:

1. We define a threshold intersection property (TIP) language for expressing properties of sets whose cardinalities adhere to certain thresholds; TIP is expressive enough to capture the properties required to prove the correctness of challenging threshold-based protocols.

2. We develop two encodings of TIP, one in BAPA, and another in EPR. These encodings facilitate decomposition of protocol verification into decidable EPR and (quantifier-free) BAPA queries.

3. We show that there are only finitely many TIP formulas (up to equivalence) that are valid for any given protocol. Moreover, we present an effective algorithm for computing all TIP formulas valid for a given protocol, as well as an algorithm for lazily finding a set of TIP formulas that suffice to prove a given protocol.

4. Put together, we obtain an effective deductive verification approach for threshold-based protocols: the user models the protocol and its inductive invariants in EPR using a suitable encoding of thresholds, and defines the thresholds and the protocol’s assumptions using arithmetic; verification is carried out automatically via decomposition to well-established decidable logics.

5. We implement the approach, leveraging mature existing solvers (Z3 and CVC4), and evaluate it by verifying several challenging threshold-based protocols with sophisticated thresholds and assumptions. Our evaluation shows the effectiveness and flexibility of our approach in modeling and verifying complex protocols, including the feasibility of automatically inferring threshold intersection properties.

## 2 Preliminaries

In this section we present the necessary background on the formalization of transition systems using FOL, as well as on the decidable logics used in our work: EPR and BAPA.

##### Transition Systems in FOL

We model distributed protocols as transition systems expressed in many-sorted FOL. A state of the system is a first-order (FO) structure over a vocabulary that consists of sorted constant, function and relation symbols, s.t. satisfies a finite set of axioms in the form of closed formulas over . is the domain of mapping each sort to a set of objects (elements), and is the interpretation function. A FO transition system is a tuple , where and are as above, is the initial condition given by a closed formula over , and TR is the transition relation given by a closed formula over where describes the source state of the transition and describes the target state. We require that TR does not modify any symbol that appears in . The set of initial states and the set of transitions of the system consist of the states, respectively, pairs of states, that satisfy , respectively, TR. The set of reachable states is defined as usual. In practice, we define FO transition systems using a modeling language with a convenient syntax [28].

##### Properties and inductive invariants.

A safety property is expressed by a closed FO formula over . The system is safe if all of its reachable states satisfy . A closed FO formula Inv over is an inductive invariant for a transition system and property if the following formulas, called the verification conditions, are valid (equivalently, their negations are unsatisfiable): (i) , (ii) and (iii) , where results from substituting every symbol in Inv by its primed version. Requirements (i) and (ii) ensure that Inv represents a superset of the reachable states, hence together with (iii) safety follows. We also use inductive invariants to verify arbitrary first-order LTL formulas via the reduction of [29, 30].

##### Effectively Propositional Logic (EPR)

The effectively-propositional (EPR) fragment of FOL is restricted to formulas without function symbols and with a quantifier prefix in prenex normal form. Satisfiability of EPR formulas is decidable [24]. Moreover, EPR formulas enjoy the finite model property, meaning that a satisfiable formula is guaranteed to have a finite model. The size of this model is bounded by the total number of existential quantifiers and constants in the formula. While EPR does not allow any function symbols nor quantifier alternation except , we consider a straightforward extension of EPR that maintains these properties and is supported by mature solvers such as Z3 [4]. The extension allows function symbols and quantifier alternations as long as the formula’s quantifier alternation graph, denoted , is acyclic. For in negation normal form, is a directed graph where the set of vertices is the set of sorts and the set of edges is defined as follows:

• Function edges: let be a function in from sorts to sort . Then there is a edge from to for every .

• Quantifier edges: let be an existential quantifier that resides in the scope of the universal quantifiers in . Then there is a edge from to for every .

The quantifier alternation graph is extended to sets of formulas as expected.

##### Boolean Algebra with Presburger Arithmetic (BAPA)

Boolean Algebra with Presburger Arithmetic (BAPA) [18] is a FO theory defined over two sorts: , representing integers, and , representing subsets of a finite universe. The language is defined by the following grammar:

 F::= B1=B2∣L1=L2∣L1

where defines linear integer terms, where denotes an integer variable, defines an (interpreted) integer constant symbol , is an integer constant symbol that represents the size of the finite set universe, is an uninterpreted integer constant symbol (as opposed to the constant symbols from ), and denotes set cardinality; defines set terms, where denotes a set variable, is a (interpreted) set constant symbol that represents the empty set, and is an uninterpreted set constant symbol; and defines the set of BAPA formulas, where and are atomic arithmetic formulas and is an atomic set formula. (Other set constraints such as can be encoded in the usual way). Note that BAPA formulas are closed under Boolean operations and allow quantification over integer variables (), and over set variables (). In the sequel, we also allow arithmetic terms of the form where is a positive integer and , as any formula that contains such terms can be translated to an equivalent BAPA formula by multiplying by .

A BAPA structure consists of a domain mapping sort to the set of all integers and mapping the sort to the set of all subsets of a finite universe , called the universal set, and an interpretation function of the symbols for integer and set operations. The semantics of terms and formulas is as expected. The interpretation of the complement operation is defined with respect to . In particular, this means that . The integer constant is interpreted to the size of , i.e. . The uninterpreted constant symbols may be interpreted arbitrarily.

Both validity and satisfiability of BAPA formulas (with arbitrary quantification) are decidable [18], and the quantifier-free fragment is supported by CVC4 [2], a mature SMT solver.

## 3 First-Order Modeling of Threshold-Based Protocols

Next we explain our modeling of threshold-based protocols as transition systems in FOL (Note that FOL cannot directly express set cardinality constraints). The idea is to capture each threshold by a designated sort, such that elements of this sort represent sets of nodes that satisfy the threshold. Elements of the threshold sort are then used instead of the actual threshold in the description of the protocol and in the verification conditions. For verification to succeed, some properties of the sets satisfying the cardinality threshold must be captured in FOL. This is done by introducing additional assumptions (formally, axioms of the transition system) expressed in FOL, as discussed in Sec. 4.

##### Running Example.

We illustrate our approach using the example of Bosco—an asynchronous Byzantine fault-tolerant (BFT) consensus algorithm [38]. Its modeling in first-order logic using our technique appears alongside an informal pseudo-code in Fig. 1.

In the BFT consensus problem, each node proposes a value and correct nodes must decide on a unique proposal. BFT consensus algorithms typically require at least two communication rounds to reach a decision. In Bosco, nodes execute a preliminary communication step which, under favorable conditions, reaches an early decision, and then call an underlying BFT consensus algorithm to ensure reaching a decision even if these conditions are not met. Bosco is safe when ; it guarantees that a preliminary decision will be reached if all nodes are non-faulty and propose the same value when  (weakly one-step condition), and even if some nodes are faulty, as long as all non-faulty nodes propose the same value, when  (strongly one-step condition).

Bosco achieves consensus by ensuring that (a) no two correct nodes decide differently in the preliminary step, and (b) if a correct node decides value in the preliminary step then every correct process calls the underlying BFT consensus algorithm with proposal . Property (a) is ensured by the fact that a node decides in the preliminary step only if more than nodes proposed the same value. When , two sets of cardinality greater than have at least one non-faulty node in common, and therefore no two different values can be proposed by more than nodes. Similarly, we can derive property (b) from the fact that a set of more than nodes and a set of nodes intersect in nodes, which, after removing nodes which may be faulty, still leaves us with more than nodes, satisfying the condition in line 9.

### 3.1 Threshold-based protocols

##### Parameters and resilience conditions.

We consider protocols whose definitions depend on a set of parameters, Prm, divided into integer parameters, , and set parameters, . always includes , used to represent the total number of nodes (assumed to be finite). Protocol correctness is ensured under a set of assumptions called resilience conditions, formulated as BAPA formulas over Prm (this means that all the uninterpreted constants appearing in are from Prm). In Bosco, , where is the maximal number of Byzantine failures tolerated by the algorithm, and , where is the set of Byzantine nodes; .

##### Threshold conditions.

Both the description of the protocol and the inductive invariant may include conditions that require the size of some set of nodes to be “at least ”, “at most ”, and so on, where the threshold is of the form , where is a positive integer, and is a ground BAPA integer term over Prm (we restrict to ensure that the guard can be translated to BAPA). Comparing sizes of two sets is not allowed – we observe that it is not needed for threshold-based protocols. We denote the set of thresholds by . For example, in Bosco, .

Without loss of generality, we assume that all conditions on set cardinalities are of the form “at least ”. This is because every condition can be written in this form, possibly by introducing new threshold expressions and complementing the set which the condition refers to, according to the following rules:

 |X|>ℓk≡|X|≥ℓ+1k|X|≤ℓk≡|Xc|≥k⋅n−ℓk|X|<ℓk≡|X|≤ℓ−1k

### 3.2 Modeling in FOL

##### FO vocabulary for modeling threshold-based protocols.

We describe the protocol’s states (e.g., pending messages, votes, etc.) using a core FO vocabulary that includes sort and additional sorts and symbols. Parameters Prm are not part of the FO vocabulary used to model the protocol. Also, we do not model set cardinality directly. Instead, we encode the cardinality thresholds in FOL by defining a FO vocabulary :

• For every threshold we introduce a threshold sort with the intended meaning that elements of this sort are sets of nodes whose size is at least .

• As the threshold sorts represent sets, each sort is equipped with a binary relation symbol between sort and sort that captures the membership relation of a node (first argument) in a set (second argument).

• For each set parameter we introduce a unary relation symbol over sort that captures membership of a node in the set .

We then model the protocol as a transition system where .

We are interested only in states (FO structures over ) where the interpretation of the threshold sorts and membership relations is according to their intended meaning in a corresponding BAPA structure. The intended meaning is captured by a BAPA structure (over Prm) that satisfies the resilience condition, and whose universal set coincides with the set of nodes. Formally, these are -extensions, defined as follows:

###### Definition 1

We say that a FO structure over and a BAPA structure over Prm are compatible if , where is the powerset operator. For such compatible structures and a set of thresholds over Prm, the -extension of by is the structure over defined as follows:

Note that for the -extension to be well defined as a FO structure, we must have that for every threshold . This means that a -extension by only exists if , i.e., there exists at least one set that satisfies each threshold in . This is ensured by the following condition:

###### Definition 2 (Feasibility)

is -feasible if for every .

##### Expressing threshold constraints.

Cardinality constraints can be expressed in FOL over the vocabulary using quantification. To express the condition that , i.e., that there are at least nodes that satisfy the FO formula over (where are additional free variables in ), we use the following first-order formula over : , where is the threshold sort assigned to . Similarly, to express the property that a node is a member of a set parameter (e.g., to check if , i.e., a node is faulty) we use the FO formula . For example, in Fig. 1, fig. 1 (right) uses the FO modeling to express the condition in fig. 1 (left). This modeling is sound in the following sense:

###### Lemma 1 (Soundness)

Let be a FO structure over , a compatible BAPA structure over Prm s.t. and a -feasible set of thresholds over Prm. Then there exists a (unique) -extension of by . Further:

1. For every and FO valuation : iff ,

2. For every , formula , and FO valuation : iff .

###### Definition 3

A first-order structure over is threshold-faithful if it is a -extension of some by some (as in Lem. 1).

##### Incompleteness.

Lem. 1 ensures that the FO modeling can be soundly used to verify the protocol. It also ensures that the modeling is precise on threshold-faithful structures (Def. 1). Yet, the FO transition system is not restricted to such states, making it an abstraction of the actual protocol. To have any hope to verify the protocol, we must capture some of the intended meaning of the threshold sorts and relations. This is obtained by adding FO axioms to the FO transition system. Soundness is maintained as long as the axioms hold in all threshold-faithful structures. We note that the set of all FO formulas over that hold in all threshold-faithful structures is not recursively enumerable111In a threshold-faithful structure the set of nodes must be finite, so validity of a general formula in all threshold-faithful structures can easily encode validity of FOL over finite structures, which has no complete proof system., which is where the essential incompleteness of our approach lies.

## 4 Decomposition via Threshold Intersection Properties

In this section, we identify a set of properties we call threshold intersection properties. When captured via FO axioms, these properties suffice for verifying many threshold-based protocols (all the ones we considered). Importantly, these are properties of sets adhering to the thresholds that do not involve the protocol state. As a result, they can be expressed both in FOL and in BAPA. This allows us to decompose the verification task into: (i) checking that certain threshold properties are valid in all threshold-faithful structures by checking that they are implied by (carried out using quantifier free BAPA), and (ii) checking that the verification conditions of the FO transition-system with the same threshold properties taken as axioms are valid (carried out in first-order logic, and in EPR if quantifier alternations are acyclic).

### 4.1 Threshold Intersection Property Language

Threshold properties are expressed in the threshold intersection property language (TIP). TIP is essentially a subset of BAPA, specialized to have the properties listed above.

##### Syntax.

We define TIP as follows, where is a threshold (of the form ) and :

 F ::=B≠∅∣Bc=∅∣g≥t(B)∣F1∧F2∣∀x:g≥t.F B ::=a∣ac∣x∣xc∣∅∣∅c∣B1∩B2

TIP restricts the use of set cardinality to threshold guards with the meaning . No other arithmetic atomic formulas ( or ) are allowed. TIP only allows guarded quantifiers over set variables, that is, quantification is restricted to sets of a certain cardinality. We exclude negation, disjunction and existential quantification in formulas. We restrict comparison atomic formulas to and , which correspond to asserting that the cardinality of the set represented by is at least , respectively . Furthermore, we forbid set union and restrict complementation to atomic set terms. We refer to such formulas as intersection properties since they express properties of intersections of (atomic) sets.

###### Example 1

In Bosco, the following property captures the fact that the intersection of a set of at least nodes and a set of more than nodes consists of at least non-faulty nodes. This is needed for establishing correctness of the protocol.

 ∀x:g≥n−t.∀y:g≥n+3t+12.g≥n−t+12(x∩y∩fc)
##### Semantics.

As TIP is essentially a subset of BAPA, we define its semantics by translating its formulas to BAPA, where most constructs directly correspond to BAPA constructs, and guards are translated to cardinality constraints: Set terms (derived from ) are also set terms of BAPA, and most set formula constructs map to constructs of BAPA directly. The only constructs that are not in BAPA are those involving guards, which correspond to a special case of cardinality constraints. We therefore define the following translation :

 B(g≥ℓk(b))\tiny\rm def% =k⋅|b|≥ℓB(∀x:g. φ)\tiny\rm def=∀x. ¬B(g(x))∨B(φ)

The notions of structures, satisfaction, equivalence, validity, satisfiability, etc. are inherited from BAPA. In particular, given a set of BAPA resilience conditions over the parameters Prm, we say that a TIP formula is -valid, denoted , if .

If is quantifier-free (which is the typical case), -validity of TIP formulas can be checked via validity checks of quantifier-free BAPA formulas, supported by mature solvers. Note that -validity of a formula of the form is equivalent to , allowing to replace quantification over sets by quantification over integers, thus improving performance of existing solvers.

### 4.2 Translation to FOL

To verify threshold-based protocols, we translate TIP formulas to FO axioms, using the threshold sorts and relations. To translate , we follow the principle in (Sec. 3.2):

 FO(¬φ) = ¬FO(φ) FO(n∈bc) = ¬FO(n∈b) FO(φ1∧φ2) = FO(φ1)∧FO(φ2) FO(n∈∅) = false FO(∀x:g.φ) = ∀x:setg.FO(φ) FO(n∈a) = membera(n) FO(n∈b1∩b2) = FO(n∈b1)∧FO(n∈b2) FO(n∈x) = membert(n,x) FO(b≠∅) = ∃n:node.FO(n∈b) where x is guarded by t FO(bc=∅) = ∀n:node.FO(n∈b) FO(g≥t(b)) = ∃x:sett.∀n:node.% membert(n,x)→FO(n∈b)

We lift to sets of formulas: .

##### Soundness of the translation to FOL.

Next, we state the soundness of the translation, which intuitively means that is “equivalent” to over threshold-faithful FO structures (Def. 1). This justifies adding as a FO axiom whenever is -valid.

###### Theorem 4.1 (Translation soundness)

Let be a first-order structure over , a compatible BAPA structure over Prm, and the -extension of by . Then for every closed TIP formula , we have

###### Corollary 1

For every closed TIP formula such that , we have that is satisfied by every threshold-faithful first-order structure.

This justifies using the translation to FOL in order to generate first-order axioms from TIP formulas that are entailed by the resilience conditions. Namely, if , then may be safely added as a first-order axiom.

## 5 Automatically Inferring Threshold Intersection Properties

To apply the approach described in Sec. 3 and 4 for verifying threshold-based protocols, it is crucial to find suitable threshold properties for a given protocol.That is, given the resilience conditions and a FO transition system modeling the protocol, we need to find a set of TIP formulas such that (i) for every , and (ii) the VCs of the transition system with the axioms are valid.

In this section, we address the problem of automatically inferring such a set . In particular, we prove that for any protocol that satisfies a natural condition, there are finitely many -valid TIP formulas (up to equivalence), enabling a complete automatic inference algorithm. Furthermore, we show that (under certain reasonable conditions formalized in this section), the FO axioms resulting from the inferred TIP properties have an acyclic quantifier alternation graph, facilitating protocol verification in EPR.

##### Notation.

For the rest of this section, we fix a set Prm of parameters, a set of resilience conditions over Prm, and a set of thresholds. Note that and . Therefore, for uniformity of the presentation, given a set of thresholds, we define and replace atomic formulas of the form and by the corresponding guard formulas. As such, the only atomic formulas are of the form where . Note that guards in quantifiers are still restricted to where . Given a set , we also denote .

### 5.1 Finding Consequences in the Threshold Intersection Property Language

In this section, we present Aip– an algorithm for inferring all -valid TIP formulas. A naïve (non-terminating) algorithm would iteratively check -validity of every TIP formula. Instead, Aip prunes the search space relying on the following condition, which essentially states that no guard is “equivalent” to with respect to .

###### Definition 4

is -non-degenerate if for every it holds that .

If then is degenerate in the sense that is always -valid, and is never -valid unless is also degenerate. (Note that checking if a threshold is degenerate amounts to a (non) entailment check in BAPA, which is decidable.)

We observe that we can (i) push conjunctions outside of formulas (since distributes over ), and assuming non-degeneracy, (ii) ignore terms of the form as, under the assumption that is non-degenerate, they will not appear in -valid formulas. These observations are formalized by the following lemma.

###### Lemma 2

If is -feasible and -non-degenerate, then for every -valid in TIP, there exist s.t. and for every , is of the form:

 ∀x1:g≥t1…∀xq:g≥tq. g≥t(x1∩…∩xq∩a1…∩ak)

where , , , , and the ’s are distinct.

We refer to of the form above as simple, and refer to as its atomic guard.

###### Proof (sketch)

Let be a formula in TIP such that . Since universal quantification distributes over conjunction, there exist such that and for every , the formula is conjunction-free, i.e., is a quantified atomic formula.

Since is -valid, each of the ’s is -valid as well. This means, because is -non-degenerate, that the term cannot appear in the formula. Furthermore, the term as well as duplicated instances of terms in can be omitted, resulting in an equivalent formula. As a result, the essence of the proof is to show that will not appear in -valid formulas.

Consider such with atomic guard and a universally quantified variable with guard . Recall that is -non-degenerate and let be such that but , i.e., . Since is also -feasible, we have that in particular . Therefore, taking a valuation where shows that , hence is not -valid. ∎

By Lem. 2, it suffices to generate all simple -valid formulas. Next, we show that this can be done more efficiently by pruning the search space based on a subsumption relation that is checked syntactically avoiding -validity checks.

###### Definition 5 (Subsumption)

For every , we denote if one of the following holds: (1) , or (2) and , or (3) , and .

When , means that , and when and , means that . We lift the relation to a partial order over simple formulas:

###### Definition 6

Given simple formulas

 α= ∀x1:g≥h1…∀xq:g≥hq. g≥t(x1∩…∩xq∩hq+1…∩hk) β= ∀x1:g≥h′1…∀xq′:g≥h′q′. g≥t′(x1∩…∩xq′∩h′q′+1…∩h′k′)

we say that if (i) , and (ii) there exists an injective function s.t. for any it holds that .

###### Lemma 3

Let be simple formulas such that . If then .

###### Corollary 2

If no simple formula with quantifiers is -valid then no simple formula with more than quantifiers is -valid.

Alg. 1 depicts Aip that generates all -valid simple formulas, relying on Lem. 3. Alg. 1 is designed to emit all -valid simple formulas, including ones that are subsumed or entailed by others, since BAPA entailment does not imply entailment between the FO translations222It is worth mentioning that if the FO formulas that encode subsumption over (Def. 5) are included in the FO translations (these are the formulas for and for where and ), then subsumption between simple formulas does actually imply entailment between the FO translations. . Aip uses a naïve search strategy; different strategies can be used (e.g. [25]). Based on Cor. 2, Aip terminates if for some number of quantifiers no -valid formula is discovered.

###### Lemma 4 (Soundness)

Every formula that is returned by the algorithm is -valid.

###### Lemma 5 (Completeness)

If is -feasible and -non-degenerate, then for every -valid TIP formula there exist s.t. and Aip yields every .

The proof to Lem. 4 follows directly from Lem. 3. Proof Lem. 5 is obtained by using Lem. 3 and 2, and Cor. 2. Next, we characterize the cases in which there are finitely many -valid TIP formulas, up to equivalence, and thus, Aip is guaranteed to terminate.

###### Definition 7

is -sane if for every , .

Sanity implies that no threshold in is equivalent to or to under (in particular, this implies non-degeneracy). In fact, it captures a stronger requirement that for every pair of thresholds, there is a model of in which one of them is not interpreted as and the other is not interpreted as .

###### Theorem 5.1

Assume that is -feasible. Then the following conditions are equivalent:

1. There are finitely many -valid simple formulas.

2. There are finitely many -valid TIP formulas, up to equivalence.

3. is -sane.

The proof that (3) implies (1) uses the following lemma.

###### Lemma 6

If is -sane, then for every and , there exists a number s.t. for every ,

###### Proof (of Lem. 6)

Let be arbitrary guards. As is -sane, there is a structure such that and if , or otherwise. Either way, we have that and .

We define . Wlog the universal set of is . We define a valuation for in which for every we set . We then get that for all , and . Hence, By Lem. 3 this also holds for any . ∎

###### Proof (of Thm. 5.1)

By Lem. 2, (1) implies (2). Then (2) implies (3) since whenever , then any formula of the form is -valid. Finally we show that (3) implies (1). Let , where is the number defined by Lem. 6. Then every -valid simple TIP formula must have less than quantifiers, as otherwise there exists such that at least quantifiers have guard . Suppose that is the atomic guard of , then this means that at least quantifiers have guard , and thus, from Lem. 3 and Lem. 6, we get that . ∎

###### Corollary 3 (Termination)

If is -feasible and -sane, Aip terminates.

### 5.2 From TIP to Axioms in EPR

The set of simple formulas generated by Aip, , is translated to FOL axioms as described in Sec. 4.2. Next, we show how to ensure that the quantifier alternation graph (Sec. 2) of is acyclic.

###### Observation 1

A simple formula with atomic guard induces quantifier alternation edges in from the threshold sorts of the guards of its universal quantifiers (these are thresholds in ) to the threshold sort of if or to the sort if . If , no quantifier alternation edges are induced by .

Therefore, from Lem. 3, for a -valid , cycles in may only occur if they occur in the graph obtained by . Furthermore, if is not acyclic, then the atomic guard must be equal to one of the quantifier guards. We refer to such a formula as a cyclic formula. We show that, under the following assumption, we can eliminate all cyclic formulas from .

###### Definition 8

is -acyclic if for every , if then .

Intuitively, if is not -acyclic, then it has (at least) two “equivalent” thresholds, making one of them redundant. If that is the case, we can alter the protocol and its proof so that one of these guards is eliminated and the other one is used instead.

To facilitate elimination of cyclic formulas, we also need to strengthen the sanity requirement (Def. 7) to refer to the set parameters as well:

###### Definition 9

is -sane if is -sane and, in addition, for every and , .

###### Theorem 5.2

Assume that is -feasible and -acyclic and that is -sane. Let be the set of simple -valid formulas returned by Aip, and let . Then the verification conditions of the first-order transition system with axioms are valid if and only if they are valid with axioms . Further, the quantifier alternation graph of is acyclic.

To prove the theorem we first prove the following lemma:

###### Lemma 7

If is -feasible and is -sane, then for every -valid simple formula , if is cyclic, then .

###### Proof (sketch)

Let . Following Observation 1, because is cyclic, there must exist such that . Assume without loss of generally that this is (the threshold associated with the first quantifier). If , then we get that . Because is -sane, there is such that but and . Because is -feasible, a valuation over exists such that (this is well-defined since -feasibility ensures that ), , hence the guards of the quantifiers are satisfied, but , from which we conclude that is not -valid. This means that . Similarly, assume , then we have that , and because is -sane (which ensures that there is such that but and ), we again conclude that is not -valid. This means that . The conclusion is that , for which .

##### Proof of Thm. 5.2.

Let be the set of all -valid TIP formulas, and let be defined as in the theorem. Lem. 7 shows that as required. Assume is cyclic with a cycle . Following Observation 1, the sort cannot be in . Let be such that . Because is transitive, we get that and , which by definition of means that , and because is -acyclic, we get that , i.e., corresponds to a self loop over a single sort . By Observation 1, a self loop may only arise from a cyclic formula. Hence, each cycle in is induced by a single cyclic formula. As contains no cyclic formulas, we conclude that contains no cycles. ∎

### 5.3 Finding Minimal Properties Required for a Protocol

If consists of all acyclic -valid TIP formulas returned by Aip, using as FO axioms leads to divergence of the verifier. To overcome this, we propose two variants.

##### Minimal Equivalent Δmin.

Some of the formulas in are implied by others, making them redundant. We remove such formulas using a greedy procedure that for every , checks whether , and if so, removes from . Note that if is acyclic, the check translates to (un)satisfiability in EPR.

This procedure results in s.t.