Open Problems in a Logic of Gossips
Krzysztof R. Apt (Centrum Wiskunde & Informatica, Amsterdam, The, Netherlands, University of Warsaw, Warsaw, Poland), Dominik Wojtczak, (University of Liverpool, Liverpool, UK)

TL;DR
This paper discusses open problems in a logic for distributed gossip protocols, highlighting unresolved questions about their semantics, correctness, and extensions with common knowledge, despite recent advances in their formal verification.
Contribution
It identifies and clarifies key open issues in the logic of gossip protocols, providing background and partial results to guide future research.
Findings
Decidability of semantics and truth for the logic
Decidability of the logic with common knowledge operator
Identification of open questions and challenges
Abstract
Gossip protocols are programs used in a setting in which each agent holds a secret and the aim is to reach a situation in which all agents know all secrets. Such protocols rely on a point-to-point or group communication. Distributed epistemic gossip protocols use epistemic formulas in the component programs for the agents. The advantage of the use of epistemic logic is that the resulting protocols are very concise and amenable for a simple verification. Recently, we introduced a natural modal logic that allows one to express distributed epistemic gossip protocols and to reason about their correctness. We proved that the resulting protocols are implementable and that all aspects of their correctness, including termination, are decidable. To establish these results we showed that both the definition of semantics and of truth of the underlying logic are decidable. We also showed that the…
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Taxonomy
TopicsLogic, Reasoning, and Knowledge · Multi-Agent Systems and Negotiation · Distributed systems and fault tolerance
Open Problems in a Logic of Gossips
Krzysztof R. Apt Centrum Wiskunde & Informatica
Amsterdam, The NetherlandsUniversity of Warsaw
Warsaw, Poland [email protected] University of Liverpool
Liverpool, UK
Dominik Wojtczak University of Liverpool
Liverpool, UK [email protected]
Abstract
Gossip protocols are programs used in a setting in which each agent holds a secret and the aim is to reach a situation in which all agents know all secrets. Such protocols rely on a point-to-point or group communication. Distributed epistemic gossip protocols use epistemic formulas in the component programs for the agents. The advantage of the use of epistemic logic is that the resulting protocols are very concise and amenable for a simple verification.
Recently, we introduced a natural modal logic that allows one to express distributed epistemic gossip protocols and to reason about their correctness. We proved that the resulting protocols are implementable and that all aspects of their correctness, including termination, are decidable. To establish these results we showed that both the definition of semantics and of truth of the underlying logic are decidable. We also showed that the analogous results hold for an extension of this logic with the ‘common knowledge’ operator.
However, several, often deceptively simple, questions about this logic and the corresponding gossip protocols remain open. The purpose of this paper is to list and elucidate these questions and provide for them an appropriate background information in the form of partial of related results.
1 Introduction
Gossip protocols concern a set up in which each agent holds initially a secret and the aim it to arrive, by means of point-to-point or group communications (called calls), at a situation in which all agents know each other secrets. During the calls the agents exchange some, possibly all, secrets they know.
These protocols were successfully used in a number of domains, for instance communication networks [21], computation of aggregate information [26], and data replication [28]. For a more recent account see [25] and [27].
In [11] a dynamic epistemic logic was introduced in which gossip protocols could be expressed as formulas. These protocols rely on agents’ knowledge and are distributed, so they are distributed epistemic gossip protocols. This means that they can be seen as special cases of knowledge-based programs introduced in [19].
In [4] a simpler modal logic was introduced that is sufficient to define these protocols and to reason about their correctness. This logic is interesting in its own rights and was subsequently studied in a number of papers. In particular, in [6], and in the full version in [9], we established decidability of its semantics and truth for a limited fragment. Building upon these results we then proved that the distributed gossip protocols, the guards of which are defined in this logic, are implementable, that their partial correctness is decidable, and that termination and two forms of fair termination of these protocols are decidable, as well. Further, in [5] the computational complexity of this fragment was studied and in [7] we considered its extension with the common knowledge operator for which we established analogous decidability results.
In spite of the simplicity of this modal logic several natural questions about it and the gossip protocols defined using this logic remain open. In what follows we discuss these problems. For each of them we provide the relevant background information and establish some partial results.
Among these partial results let us mention the following ones:
- •
When the agents form a star graph, each correct distributed epistemic gossip protocol in the framework of [4] has to rely on guards with the modal operators (Theorem 7.3 in Section 7). This is relevant since the complexity of determining truth of guards is higher in presence of modal operators (see Section 4).
- •
It is well known (see, e.g., [32] discussed in Section 7) that for 4 agents 4 calls are both needed and sufficient to reach a situation in which all agents know all secrets. The resulting protocol is centralized. We show that when distributed epistemic gossip protocols are used, for 4 agents 5 calls are both needed and sufficient (Theorems 7.14 and 7.16 in Section 7).
- •
In the literature on distributed computing, e.g., on Calculus of Communicating systems (CCS) of [29], there is a wealth of literature on various ways of comparing behaviour of two processes (see, e.g., [30] for an extensive overview of the fundamental concept of bisimulation). Distributed epistemic gossip protocols can be naturally compared by means of a notion that one of them can simulate another. We show that checking it can be done in exponential time (Theorem 8.25 in Section 8).
Further, the arguments used to prove the last result imply that all computations of a terminating gossip protocol are of length .
The paper is organized as follows. In the next section we discuss related work. Then, in Section 3, introduce the already mentioned logic, originally defined in [4], and in Section 4 discuss some natural open problems about it. In Section 5 we recall an extension of this logic with the common knowledge operator and introduce two open problems concerning it. Next, in Section 6, we recall the distributed epistemic gossip protocols considered in [4]. Then, in Sections 7 and 8 we discuss natural open problems about these protocols. For several open problems we provide some partial results.
2 Related work
As already mentioned, distributed epistemic gossip protocols were introduced in [11]. In [10] a tool was presented that given a high level description of an epistemic protocol in this setting generates the characteristics of the protocol. In both papers three types of calls were considered but the ones considered here (initially studied in [4]) differ from them in that we assume that agents not participating in the call are not aware of it. In [4] also two other modes of communication were considered, in which only one agent (the caller or the called one) learns new secrets. The assumptions about the calls used in [11] and [4] were presented in a uniform framework in [3], where in total 18 types of communication were introduced and compared w.r.t. their epistemic strength.
In [22] and [23] centralized gossip protocols were studied the aim of which is to achieve higher-order shared knowledge, for example knowledge of level 2 which stipulates that everybody knows that everybody knows all secrets. In particular, a protocol was presented and proved correct that achieves in steps shared knowledge of level . These matters were further investigated in [13], where optimal protocols for various versions of such a generalized gossip problem were presented. These protocols depend on various parameters, for example type of the underlying graph or the type of communication. Further, different gossip problems were also studied in which some negative goals, for example that certain agents must not know certain secrets, are supposed to be achieved. In [14] such problem were studied further in the presence of temporal constraints, i.e., a given call can only (or has to) be made within a given time interval.
Then in [12] gossip protocols were analyzed as an instance of multi-agent epistemic planning that was subsequently translated into a planning language.
The underlying framework was analyzed from a number of views. In [17] gossip problems were considered in an epistemic framework that provides several parameters allowing us to capture various aspects of it, for example the initial knowledge of the agents, the type of communication used, and the desired type of the protocol (for example, a symmetric one). For some of the combinations of the parameters the minimum number of calls needed to reach the final situation was established. The expected time of termination of several gossip protocols for complete graphs was studied by [18].
Next, in [15] dynamic distributed gossip protocols were studied in which the calls allow the agents not only to share the secrets but also to transmit the links. These protocols were characterized in terms of the class of graphs for which they terminate. They differ from the ones here considered, which are static. This set up was further investigated in [16] where various dynamic gossip protocols were proposed and analyzed. In [20] such protocols were analyzed by embedding them in a network programming language NetKAT proposed in [2].
3 Logic: a recall
We recall here the framework of [4]. We assume a fixed set of agents and stipulate that each agent holds exactly one secret, and that there exists a bijection between the set of agents and the set of secrets. We use it implicitly by denoting the secret of agent by , of agent by , etc. We denote by the set of all secrets.
The language is defined by the following grammar:
[TABLE]
where and .
So is an atomic formula, while is a compound formula. We read as ‘agent is familiar with the secret ’ (or ‘agent holds secret ’) and as ‘agent knows the formula ’. Below we shall freely use other Boolean connectives that can be defined using and in a standard way.
In the sequel we shall use the following formula
[TABLE]
that denotes the fact that agent is familiar with all the secrets (is an ‘expert’).
In the paper we shall use the following sublanguages of :
- •
, its propositional part, which consists of the formulas that do not use the modalities;
- •
, which consists of the formulas without the nested use of the modalities;
- •
, where is a fixed agent, which consists of the formulas from where the only modality is .
Each call, written as , concerns two different agents, the caller, , and the callee, . After the call the caller and the callee learn each others secrets. Calls are denoted by , . Abusing notation we write to denote that agent is one of the two agents involved in the call .
Following [4] we stipulate that agents not involved in the call are not aware of it. This will be addressed in Definition 1 below.
In what follows we focus on call sequences. Unless explicitly stated each call sequence is assumed to be finite. The empty sequence is denoted by . We use to denote a call sequence and to denote the set of all finite call sequences. Given call sequences and and a call we denote by the outcome of adding at the end of the sequence and by the outcome of appending the sequences and . We say that is a subsequence of a call sequence if for some call sequences and we have .
To describe what secrets the agents are familiar with, we use the concept of a gossip situation. It is a sequence , where \{A\}\mbox{>\subseteq>}\mathsf{Q}_{a}\mbox{>\subseteq>}\mathsf{Sec} for each agent . Intuitively, is the set of secrets is familiar with in the gossip situation . The initial gossip situation is the one in which each equals and is denoted by . It reflects the fact that initially each agent is familiar only with his own secret, . We say that an agent is an expert in a gossip situation if is familiar in with all the secrets, i.e., if .
Each call transforms the current gossip situation by modifying the sets of secrets the agents involved in the call are familiar with as follows. Consider a gossip situation and a call .
Then
[TABLE]
where , and for , .
So the effect of a call is that the caller and the callee share the secrets they are familiar with.
The result of applying a call sequence to a gossip situation is defined inductively as follows:
[TABLE]
Example 1
We will use the following concise notation for gossip situations. Sets of secrets will be written down as lists. E.g., the set will be written as . Gossip situations will be written down as lists of lists of secrets separated by dots. E.g., if there are three agents, , and , then and the gossip situation ) will be written as .
Let . Consider the call sequence . It generates the following successive gossip situations starting from :
[TABLE]
Hence .
As calls progress in sequence from the initial situation, agents may be uncertain about which call sequence took place. This uncertainty is captured by the appropriate equivalence relations on the call sequences.
Definition 1
Fix an agent . We define as the smallest equivalence relation satisfying the following conditions:
[Base]* ,*
[Step]* Suppose .*
- (i)
If , then and . 2. (ii)
If there exists and such that , then .
In (i) we formalize the assumption that the agents are not aware of the calls they do not participate in. In turn, in (ii) we capture the intuition that two call sequences are indistinguishable for an agent if the sets of his calls in both sequences are the same and in each sequence he observes the same set of secrets. For instance, by (i) we have . But we do not have since , while .
Next, we recall the definition of truth.
Definition 2
Consider a call sequence . We define the satisfaction relation inductively as follows (clauses for Boolean connectives are as usual and omitted):
[TABLE]
Further, we say that is true, and write , when . Also, we say that and are equivalent if \forall\bm{\mathsf{c}}\ \bm{\mathsf{c}}\models\phi\mbox{>\leftrightarrow>}\psi.
So a formula is true after the call sequence whenever secret belongs to the set of secrets agent is familiar with in the situation generated by the call sequence applied to the initial situation . Hence iff agent is an expert in .
The knowledge operator is interpreted as customary in epistemic logic, using the equivalence relations .
4 Open problems about the logic
The first problem concerns the propositional part of the language . In [5] we established that the problem of determining the complexity of the semantics of the language of (i.e, determining whether for a given call sequence ) is in P, while the problem of determining truth in the language of (i.e, determining whether for all call sequences ) is co-NP-complete. Note that the latter implies that checking whether there exists a call sequence such that is NP-complete.
Problem 1
Find an axiomatization of .
Comments
We stipulate that the following formula should be an axiom:
[TABLE]
It formalizes the fact that communication is bidirectional and that agents learn secrets through a chain of calls, and is easily seen to be true. Here and elsewhere we make use of the fact that there is a bijection between secrets and agents, which allows us to use agents (here and ) when referring to the corresponding secrets (here and ). Note that the second disjunction is finite, since we postulate that the agents a_{1},\mbox{\ldots},a_{k} are pairwise different.
Here is the version of (1) when has three agents that is more readable:
[TABLE]
Assuming a sound and complete proof system for Boolean formulas formula (1) implies the following natural formula of stating that each agent can learn a new secret only by revealing its own:
[TABLE]
To see the claim it suffices to note that (1) implies
[TABLE]
from which (2) follows.
In [3] it was observed that the following formula is true:
[TABLE]
It states that if agent is the only agent (different from ) familiar with the secret of , then agent is familiar with the secret of .
It is easy to see that assuming a sound and complete proof system for Boolean formulas (1) implies (3). To this end it suffices to note that (1) implies
[TABLE]
from which (3) follows.
A more ambitious problem is the following one.
Problem 2
Find an axiomatization of . Determine the complexity of the semantics and of truth in the language of .
Comments
In [6] and in the full version in [9], we showed that for the sublanguage of both the semantics and truth are decidable. In [5] we sharpened these results by showing that the first problem is -complete, while the complexity of determining the truth is in . It is not clear how to extend these results to larger fragments of . Recall that the complexity class , defined in [33], corresponds to the class of problems solvable by a deterministic polynomial-time Turing machine that has a parallel access to an NP oracle (i.e., no query to this oracle can depend on the outcome of any other). In [33, 31] many natural problems were shown to be complete for this class. One of them is checking for two Boolean formulas whether the maximum number of variables assigned true in a satisfying assignment is greater for than for . On the other hand, the complexity class , commonly denoted by , corresponds to a non-deterministic polynomial-time Turing machines with an access to an NP oracle that accepts a given input if and only if all its non-deterministic branches accept it. An example problem complete for this class is the satisfiability for quantified Boolean formulas with two alternations of quantifiers , where is a Boolean formula over the variables .
5 Open problems concerning common knowledge
In [7] an extension of the language was considered that involves the common knowledge operator. The resulting language is defined by the following grammar:
[TABLE]
where and and G\mbox{>\subseteq>}\mathsf{A}.
Recall that the semantics of the operator is defined as follows. Given a set let be the set of all finite sequences formed from the elements of . For t=a_{1},\mbox{\ldots},a_{k} let K_{t}=K_{a_{1}}\mbox{\ldots}K_{a_{k}}. Then we stipulate that
[TABLE]
Note that the formula on the right-hand side is an infinite conjunction.
When is a singleton, say , the formula has the same semantics as , since is equivalent to . So the language can be viewed as an extension of .
Problem 3
Determine whether common knowledge is equivalent to a nested knowledge. More precisely, determine whether for every and there exists such that the formulas and are equivalent.
If the answer to Problem 3 is positive, then it is natural to ask whether can be found independently of the formula , that is, whether for some the equivalence
[TABLE]
holds for all formulas in or in some fragment of it.
Problem 4
Find an axiomatization of . Determine the complexity of the semantics and of truth in the language of .
Comments
We do not know the answer to Problem 3 even for the formulas of the form , where . In [8] we succeeded to establish the following limited results.
Theorem
- (i)
Suppose that . Then for all call sequences and formulas
[TABLE]
*Consequently, the formulas and are equivalent. * 2. (ii)
For all call sequences that do not contain the call and all formulas that do not contain the symbol
[TABLE]
Part (i) states that the formulas commonly known by a group of at least three agents are precisely the true formulas. Part (ii) states that for a group of two agents common knowledge of negation-free formulas is equivalent to the 4th fold iterated knowledge w.r.t. a call sequence in which no calls between these two agents were made. Examples in [8] show that this claim does not hold for arbitrary formulas and that the restriction on the call sequence cannot be dropped.
In [8] we showed that both the semantics and truth in the sublanguage of that consists of the formulas with no nested modalities are decidable.
6 Distributed epistemic gossip protocols: a recall
In [4], as a follow up on [11], we studied distributed epistemic gossip protocols. Their goal is to reach a gossip situation in which each agent is an expert. In other words, their goal is to transform a gossip situation in which the formula is true into one in which the formula is true. As explained in the introduction, in [4] a different syntax of the gossip protocols than in [11] was used.
Let us recall the definition. The adopted syntax follows the syntax of the CSP language (Communicating Sequential Processes) of [24], in which ’’ denotes a repetition and ‘’ a nondeterministic choice. By a component program, in short a program, for an agent we mean a statement of the form
[TABLE]
where and each is such that
- •
is the caller in the call ,
- •
and all atomic formulas used in start with .
If , the program is empty.
We call each such construct a rule and refer in this context to as a guard. Intuitively, denotes a repeated execution of the rules, one at a time, where each time non-deterministically a rule is selected whose guard is true.
By a distributed epistemic gossip protocol, from now on just a gossip protocol, we mean a parallel composition of component programs, one for each agent. We call a gossip protocol propositional if all guards in it are propositional, i.e., are from the language .
We presuppose that in each gossip protocol the agents are the nodes of a directed graph (digraph) and that each call is allowed only if is an edge in the digraph. A minimal digraph that satisfies this assumption is uniquely determined by the syntax of the protocol. Given that the aim of each gossip protocol is that all agents become experts it is natural to assume that this digraph is connected.
Here are two examples of gossip protocols to which we shall return later.
Example 2
In [11] the following correct gossip protocol, called Learn New Secrets (LNS in short), for complete graphs was proposed. In the syntax of [4] used here it is propositional, as it has the following program for agent :
[TABLE]
Informally, agent calls agent if agent is not familiar with ’s secret.
Example 3
In [11] also the following correct gossip protocol, called Hear My Secret (HMS in short), for complete graphs was proposed. In the syntax of [4] it has the following program for agent :
[TABLE]
Informally, agent calls agent if agent does not know whether is familiar with his secret.
Consider a gossip protocol that is a parallel composition of the component programs , one for each agent .
The computation tree of is a directed tree defined inductively as follows. Its nodes are call sequences and its root is the empty call sequence . Further, if is a node and for some rule we have , then is a node that is a direct descendant of . Intuitively, the arc from to records the effect of the execution of the rule performed after the call sequence took place.
By a computation of a gossip protocol we mean a maximal rooted path in its computation tree. In what follows we identify each computation with the unique call sequence it generates. We say that the gossip protocol is partially correct if for all leafs of the computation tree of
[TABLE]
i.e., if each agent is an expert in the gossip situation .
We say furthermore that terminates if all its computations are finite and say that is correct if it is partially correct and terminates.
We also consider two variants of termination. To define them we need a subsidiary notion. We call a rule enabled after a call sequence if its guard is true after . Given a gossip protocol we say that an agent is enabled after a call sequence if one of the rules in its program is enabled.
We now stipulate that each finite computation is rule-fair and agent-fair. An infinite computation is rule-fair (resp. agent-fair) if all rules (resp. agents) that are enabled after infinitely many prefixes (in short, infinitely often) are selected infinitely often. We say that a gossip protocol rule-fairly terminates (resp. agent-fairly terminates) if all its rule-fair (resp. agent-fair computations) are finite. Agent-fairness was introduced in [4], where it was simply called fairness, while rule-fairness was introduced in [8] and further studied in [9].
7 Open problems about the gossip protocols
We begin with the following problem.
Problem 5
Characterize the class of graphs for which correct propositional gossip protocols exist.
Note that the LNS protocol from Example 2 shows that this class of graphs include all complete digraphs. However, as we will show in Theorem 7.3, star graphs do not belong to this class. We conjecture that any digraph whose complement of its set of edges contains a directed cycle does not have this property.
Comments
For further discussion it is useful to introduce some terminology. We say that a gossip protocol is for arbitrary connected digraphs if each agent can only call the agents from the set of its in-neighbours. In such gossip protocols the underlying digraph is a parameter that can be uncovered from the sets . If the underlying digraph is supposed to be complete, we say that the gossip protocol is parametric. So in both cases we actually deal with a ‘parametrized’ gossip protocol, which is a template for an infinite set of gossip protocols.
For example, in [8] and [9] a correct gossip protocol with the following program for agent was considered:
[TABLE]
Informally, agent calls a neighbour if is familiar with some secret (here ) and he does not know whether is familiar with it. This gossip protocol is for arbitrary connected digraphs. However, it is not propositional.
In Example 2 the LNS gossip protocol was introduced. It is parametric and is both correct and propositional. However, its counterpart for arbitrary connected digraphs, so with the program
[TABLE]
for agent , is obviously incorrect. Indeed, for the graph
i$$j$$k
it terminates after the calls , with the agent not being an expert.
In turn, a natural gossip protocol Exp for arbitrary connected digraphs, with the program
[TABLE]
for agent , is obviously partially correct but it does not terminate, as initially a fixed call , with , can be repeated indefinitely.
In [9] we proved that the Exp gossip protocol agent-fairly terminates in the case of rings. However, this is not the case in general. Indeed take the graph
i$$j$$k$$l
Then is an infinite agent-fair computation.
On the other hand, the following result holds. It generalizes the above result of [9] since for the case of rings the program for each agent has just one guard and consequently the notions of agent-fairness and rule-fairness coincide.
Theorem 1
The gossip protocol for arbitrary connected digraphs rule-fairly terminates.
Proof 7.2**.**
Suppose otherwise. Consider an infinite rule-fair computation . We say that an agent becomes an expert in if for some element of we have .
As some agent does not become an expert in , there is a secret that does not learn in . Let i=i_{1},i_{2},\mbox{\ldots},i_{h}=j be a path connecting agent with . By rule-fairness the call takes place infinitely often. Hence agent does not become an expert in and consequently by rule-fairness the call takes place infinitely often. Repeating this argument we conclude that each call , where g\in\{1,\mbox{\ldots},h-1\}, takes place infinitely often in . So the call sequence i_{h-1}i_{h},i_{h-2}i_{h-1},\mbox{\ldots},i_{1}i_{2}, possibly interspersed with other calls, exists in . After the last call agent learns the secret , which yields a contradiction.
We now show that for a natural class of connected graphs no correct propositional gossip protocol exists.
Theorem 7.3**.**
Suppose that the agents form a star graph, so a graph in which some agent, say , is present in all edges. Then no correct propositional gossip protocol exists.
Proof 7.4**.**
We begin by making two simple observations.
Claim 1**.**
Consider a propositional gossip protocol . Suppose that is a prefix of a computation of such that some agent
- •
is involved in the call ,
- •
is not involved in any call in , and
- •
is a caller in .
Then also is a prefix of a computation of .
Proof 7.5**.**
Consider the guard associated with the call . By assumption on , is a propositional formula built out of the atomic formulas of the form . By assumption on the truth of these atomic formulas is not affected by any call in . So the truth value of before and after the call sequence is the same. But is true just after this call sequence, so it is also true just before it. This shows that can be performed immediately after .
Claim 2**.**
Let be a computation of a terminating propositional gossip protocol. If an agent, say , becomes an expert after the call , then is not a caller in any call that follows in .
Proof 7.6**.**
Suppose otherwise. Let be such a call in and let be the corresponding guard. This call does not affect the set of gossips agent is familiar with since this set as of the call equals . By assumption is a propositional formula built out of the atomic formulas of the form , so after the call the formula remains true. Hence the call can be indefinitely repeated, which shows that the considered protocol does not terminate.
Let now be the considered star graph with an agent present in all edges. Suppose by contradiction that a correct propositional gossip protocol for exists. Let be a computation of . Then agent is involved in all calls in . Let be the call after which became an expert and let be the call that precedes in . By assumption the call concerns agent and some agent not involved in the call . After the call agent is not yet an expert, hence it is involved in in another call. Let be the first such call.
So for some call sequences and , we have that is a prefix of . Agent is not involved in any calls in and by Claim 2 it is also the caller in . So by Claim 1 also is a prefix of a computation, say , of . Since both and involve the same pair of agents, after the second call the set of gossips of agent does not change. Hence in the guard remains true after and consequently this call can be indefinitely repeated. So does not terminate.
One of the early results, see for instance [32], is that for agents at least phone calls are needed to reach a situation in which each agent is an expert. Further, it is easy and well-known that this final situation can be reached using calls. Indeed, assume that the set of agents is \{a,b,c,d,i_{1},\mbox{\ldots},i_{n-4}\}, where , (if then there are no agents) and take the following call sequence
[TABLE]
Problem 7.7**.**
Prove that the lower bound cannot be achieved for the gossip protocols. In other words, prove that every correct gossip protocol for agents generates computations of length .
Comments
We show that this problem can be solved for . To prove it we need the following observations.
Lemma 7.8**.**
For all agents and all call sequences and all formulas
[TABLE]
Consequently, the same equivalence holds for all formulas that are Boolean combinations of formulas of the form , so in particular for each guard used in a program for agent .
Proof 7.9**.**
By definition , which implies the claim.
This note states that the calls in which agent is not involved have no effect on the truth of the guards used in the programs for agent . This clarifies the syntax of the guards. If we allowed in guards for agent formulas of the form as conjuncts, this natural and desired property would not hold anymore. Indeed, for we have , while .
We also need the following observation that confirms the intuition that two calls involving different pairs of agents can be executed in an arbitrary order.
Lemma 7.10**.**
Consider a protocol . Let be four agents such that for some call sequences and we have that is a computation of . Then also is a computation of .
Proof 7.11**.**
Let be the guard that precedes the call in the program for agent and the guard that precedes the call in the program for agent . We have and . By Lemma 7.8
[TABLE]
and
[TABLE]
Hence and . This means that is a prefix of a computation of .
Further, by the definition of the relations, for all agents and all call sequences we have . Hence for all formulas of the form we have
[TABLE]
and consequently for all guards preceding the calls in we have
[TABLE]
This concludes the proof.
The above observation also holds for infinite computations but we shall not need it in the sequel.
Finally, we need to reason about the following notion. We call a computation of a gossip protocol bad if some agent is involved in the first two calls of it.
Lemma 7.12**.**
Every gossip protocol admits bad computations.
Proof 7.13**.**
Fix a gossip protocol and consider its computation that is not bad. By appropriate renaming we can assume that it begins with . Let be the third call in and the guard associated in with the call . By assumption we have . Four cases arise.
Case 1*. Agent is the caller in .*
We have , so by Lemma 7.10
[TABLE]
and hence . In other words, the call can be executed in directly after the call , that is, is a prefix of a computation of the protocol .
Case 2*. Agent is the caller in .*
We have , so, as in Case 1, . Hence the call can be executed in directly after the call , that is, is a prefix of a computation of the protocol .
Case 3*. Agent is the caller in .*
By Lemma 7.10 the calls and can be reversed in , hence a computation of exists that begins with . So . We have , so, as in Case 1, . Hence the call can be executed in directly after the call , that is, is a prefix of a computation of the protocol .
Case 4*. Agent is the caller in .*
As in Case 3 a computation of exists that begins with . We have and , so, as in Case 3, . Hence the call can be executed in directly after the call , that is, is a prefix of a computation of the protocol .
Theorem 7.14**.**
Every correct gossip protocol for 4 agents generates computations of length .
Proof 7.15**.**
Suppose that . Consider a correct protocol .
We first show that each bad computation is of length . There are 4 agents, so some agent, say , is involved neither in the first nor the second call of . So after these two calls none of the agents is familiar with the secret of agent . Each call increases the number of agents familiar with the secret of agent by at most 1. So at least three more calls are needed to obtain a situation which all agents are familiar with the secret of . We conclude that is of length at least 5.
The conclusion now follows by Lemma 7.12.
Problem 7.7 concerned the lower bound . It is useful to note that the lower bound can be achieved. So for the precise bound is 5.
Theorem 7.16**.**
Suppose that . There exists a correct gossip protocol for agents all computations of which are of length .
Proof 7.17**.**
Assume that \mathsf{A}=\{a_{1},\mbox{\ldots},a_{n}\}. We use the observation due to [10] that the following call sequence results in all agents being experts:
[TABLE]
In this call sequence first agent calls all other agents and subsequently calls them again except agent . But the exact order of the calls in each phase is not important. This allows us to use a gossip protocol with a simple structure.
We choose an arbitrary agent and select for it the following program:
[TABLE]
The programs for the other agents are empty.
Note that after each call the corresponding guard becomes false. Further, by the form of the above program in every computation of the protocol first calls of take place, each to a different agent. These calls correspond to the first set of guards and are executed in an arbitrary order.
After the last of these calls, say , agents and both become experts and agent knows it. So from this moment on the guard is false and the second call does not take place. Hence the remaining part of the computation consists of calls of agent , each to a different agent from . These calls correspond to the second set of guards and are executed in an arbitrary order, as well.
After these calls all agents become experts and the protocol terminates.
Problem 7.18**.**
Prove that the lower bound cannot be achieved by a correct propositional gossip protocol.
8 Open problems about verification of gossip protocols
We studied in [5] the computational complexity of partial correctness and termination of gossip protocols and showed that when in guards only formulas from the sublanguage are used both problems are in . This brings us naturally to the following problems.
Problem 8.19**.**
What is the exact computational complexity of checking whether a given gossip protocol
- •
is partially correct,
- •
terminates?
We conjecture that both problems are -complete. This problem can be generalized as follows. In generalized gossiping the aim is to reach a gossip situation in which some given formula is true, possibly other than . We say that a a gossip protocol is -partially correct if for all leafs of the computation tree of
[TABLE]
For example the HMS gossip protocol from Example 3 is -partially correct, since upon termination all the guards are false. In contrast, this protocol is not -partially correct. Indeed, assume three agents, , and the call sequence after which this gossip protocol terminates. However, does not hold.
Problem 8.20**.**
What is the complexity of checking whether for a given formula a given gossip protocol is -partially correct?
These questions can also be asked for parametrized gossip protocols.
Problem 8.21**.**
What is the complexity of checking whether a given gossip protocol for arbitrary connected digraphs
- •
is partially correct,
- •
terminates?
Next problem concerns relation between two gossip protocols. To define it we need to discuss the computation trees.
We say that two unordered trees are equal if they become identical after some possible rearrangement of the children of each node in these trees.111This rearrangement is allowed because computational trees are unordered. If we fix an order of children, e.g., subject to lexicographic order on the last call, then a computational tree for a given protocol is unique and this problem when checking for the equality of two trees no longer occurs. Given a tree , any removal of branches from yields a subtree of .
Consider now two gossip protocols and . We say that can simulate if the computational tree of is equal to some subtree of . If both can simulate and can simulate then we say that they are bisimilar. Clearly the computational trees of two bisimilar gossip protocols are equal.
Example 8.22**.**
Consider the LNS and HMS gossip protocols introduced in Examples 2 and 3.
Assume that there are only three agents, . There are only four maximal call sequences that can be generated by LNS beginning with the call , namely:
[TABLE]
For every other starting call , , , , or , there are analogous four such maximal call sequences. It is easy to check that all these call sequences can be generated by HMS. So for three agents HMS can simulate LNS.
However, HMS can also generate the call sequence that LNS cannot, so these two protocols are not bisimilar.
We actually conjecture that HMS can simulate LNS for any number of agents. This naturally suggests the following two problems.
Problem 8.23**.**
What is the exact complexity of checking for two given parametric protocols whether
- •
one simulates the other,
- •
they are bisimilar?
Problem 8.24**.**
What is the exact computational complexity of checking for two gossip protocols and whether
- •
* simulates ,*
- •
* and are bisimilar?*
Comments
The following result provides some insights into the last problem.
Theorem 8.25**.**
Checking whether a gossip protocol can simulate another protocol can be done in exponential time.
To prove it we need some preparatory results. We call the second call in a call sequence epistemically redundant if . In [5] we established the following result (as Lemma 6) showing that removing an epistemically redundant call does not affect the truth of any formula from .
Lemma 8.26**.**
If is a call sequence where the second call is epistemically redundant, then for any formula :
[TABLE]
We say that a call that appears in a call sequence is productive if , where for some call sequences and , .
Further, we call a subsequence of a call sequence stationary if
[TABLE]
where for some call sequences and , and for some , \bm{\mathsf{c}}_{2}=\mathsf{c}_{1}.\mathsf{c}_{2}\mbox{\ldots}\mathsf{c}_{k}.
Recall that is the number of agents.
Lemma 8.27**.**
Every call sequence contains at most productive calls.
Proof 8.28**.**
The minimal total number of secrets in a gossip situation is , which is achieved in the initial gossip situation . In turn, the maximal total number of secrets is , which is achieved in the gossip situation in which every agent is an expert. After each productive call at least one agent learns a new secret. So in a given call sequence there can be at most productive calls.
Lemma 8.29**.**
Every call sequence of length has a stationary subsequence of length .
Proof 8.30**.**
Split into a sequence of subsequences, each of length at least . Suppose none of these subsequences is stationary. Then each of them contains a productive call. So contains at least productive calls, which contradicts Lemma 8.27.
Corollary 8.31**.**
Every call sequence of length contains an epistemically redundant call.
Proof 8.32**.**
Take a stationary subsequence of guaranteed by Lemma 8.29. There are at most different calls, so some call appears in at least twice. Its second occurrence in is then epistemically redundant in .
Next lemma shows that lack of simulation entails existence of a specific call sequence of a bounded length.
Lemma 8.33**.**
If cannot simulate then there exist a call sequence of length that can be generated by , but not by .
Proof 8.34**.**
If cannot simulate then take a shortest rooted path in the computation tree of that does not exist in the computation tree of . This path corresponds to some call sequence .
Suppose by contradiction that the length of exceeds . By Corollary 8.31, can be partitioned into such that .
By Lemma 8.26 for any formula and a subsequence of we have
[TABLE]
By the definition of the call sequence can be generated by , while the call sequence cannot. So does not have a rule such that .
Further, by (5) the call sequence can be generated by , while, again by (5), the call sequence (so with the second indicated occurence of omitted) cannot.
On the other hand, by assumption can be generated by , so has a rule such that . Together with (5) this implies that also can be generated by . This yields a contradiction with the definition of .
Proof of Theorem 8.25. To show that can simulate it suffices by Lemma 8.33 to check that each call sequence of length which can be generated by can also be generated by .
We showed in [5] that checking for a given call sequence and a formula whether can be done in exponential time (actually in time). This implies that checking whether a given call sequence of length can be generated by a gossip protocol can be done in exponential time.
Consequently, checking whether can simulate can be done in exponential time, as well, since there are exponentially many call sequences of length .
Corollary 8.35**.**
Checking whether gossip protocols and are bisimilar can be done in exponential time.
As a side remark of independent interest we conclude the paper with the following consequence of Corollary 8.31.
Corollary 8.36**.**
If a gossip protocol terminates then all its computations are of length .
To prove we use the following result from [9] that for the case of formulas from is actually a special case of Lemma 8.26.
Lemma 8.37** (Stuttering).**
Suppose that and . Then for all formulas , iff .
Proof of Corollary 8.36. Consider a finite computation of length and the corresponding call sequence . By Corollary 8.31, begins with a call sequence , where .
Let be the rule used in the considered gossip protocol to generate the second occurrence of the call . Then and by Lemma 8.26 for we have .
Hence by the repeated use of the Stuttering Lemma 8.37 for and all , . Consequently, after the call sequence is generated, the rule can be repeatedly applied. Hence is an infinite sequence of calls that corresponds to an infinite computation.
Acknowledgements
We thank reviewers for useful suggestions concerning the presentation. The second author was partially supported by EPSRC grants EP/M027287/1 and EP/P020909/1.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1]
- 2[2] Carolyn Jane Anderson, Nate Foster, Arjun Guha, Jean-Baptiste Jeannin, Dexter Kozen, Cole Schlesinger & David Walker (2014): Net KAT: semantic foundations for networks . In: The 41st Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL ’14 , ACM, pp. 113–126, 10.1145/2535838.2535862 . · doi ↗
- 3[3] Krzysztof R. Apt, Davide Grossi & Wiebe van der Hoek (2018): When Are Two Gossips the Same? In Gilles Barthe, Geoff Sutcliffe & Margus Veanes, editors: LPAR-22. 22nd International Conference on Logic for Programming, Artificial Intelligence and Reasoning , E Pi C Series in Computing 57, Easy Chair, pp. 36–55, 10.29007/ww 65 . · doi ↗
- 4[4] Krzysztof R. Apt, Davide Grossi & Wiebe van der Hoek (2016): Epistemic Protocols for Distributed Gossiping . In: Proceedings of the 15th Conference on Theoretical Aspects of Rationality and Knowledge (TARK 2015) , EPTCS 215, pp. 51–66, 10.4204/EPTCS.215.5 . · doi ↗
- 5[5] Krzysztof R. Apt, Eryk Kopczyński & Dominik Wojtczak (2017): On the Computational Complexity of Gossip Protocols . In: Proceedings of the Twenty-Sixth International Joint Conference on Artificial Intelligence, IJCAI 2017 , pp. 765–771, 10.24963/ijcai.2017/106 . · doi ↗
- 6[6] Krzysztof R. Apt & Dominik Wojtczak (2016): On Decidability of a Logic of Gossips . In: Proceedings of the 15th European Conference, JELIA 2016 , Lecture Notes in Computer Science 10021, Springer, pp. 18–33, 10.1007/978-3-319-48758-8_2 . · doi ↗
- 7[7] Krzysztof R. Apt & Dominik Wojtczak (2017): Common Knowledge in a Logic of Gossips . In: Proc. of the 16th Conference on Theoretical Aspects of Rationality and Knowledge (TARK 2017) , EPTCS 251, pp. 10–27, 10.4204/EPTCS.251.2 . · doi ↗
- 8[8] Krzysztof R. Apt & Dominik Wojtczak (2017): Decidability of Fair Termination of Gossip Protocols . In: Proc. of the 21st International Conference on Logic for Programming, Artificial Intelligence and Reasoning (LPAR 21) , Kalpa Publications in Computing 1, pp. 73–85, 10.29007/62s 4 . · doi ↗
